DocumentDB cluster exports audit and profiler logs to CloudWatch Logs
documentdb_cluster_cloudwatch_log_export
Amazon DocumentDB clusters are evaluated for exporting audit and profiler logs to CloudWatch Logs.
Clusters missing one or both log types are identified as lacking complete log export configuration.
Risk
Missing audit and/or profiler exports reduces observability of authentication, authorization, and data definition activity. Attacks like brute-force logins, privilege abuse, or destructive schema changes can go unnoticed, degrading confidentiality and integrity and delaying incident response.
prowler aws --checks documentdb_cluster_cloudwatch_log_export
Recommendation
Enable export of both audit and profiler logs to CloudWatch Logs for all clusters and centralize analysis.
Apply least privilege to log access, define retention and immutability, integrate the logs with alerting, enforce separation of duties over log administration, and review the logs regularly for defense in depth.
Remediation
aws docdb modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit","profiler"]}' --apply-immediately
- In AWS Console, go to Amazon DocumentDB > Clusters
- Select the cluster and choose Actions > Modify
- In Log exports, check Audit and Profiler
- Check Apply immediately and click Modify cluster
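The following added example (not Prowler's own check code) reproduces the pass/fail logic of this control offline on constructed `describe-db-clusters` output, emits the exact `--cloudwatch-logs-export-configuration` value needed to close the gap, and also checks the caveat that export alone is not enough: audit and profiler records are only generated when the cluster parameter group enables the `audit_logs` and `profiler` parameters. The sample cluster and parameter data are constructed, not real account output.

```python
"""Offline evaluation of documentdb_cluster_cloudwatch_log_export (added example).

No AWS calls are made; inputs mimic `aws docdb describe-db-clusters` and
`aws docdb describe-db-cluster-parameters` JSON and are constructed samples.
"""
import json

REQUIRED_LOG_TYPES = frozenset({"audit", "profiler"})
# Cluster parameter group settings that must be on for each log type to be produced.
REQUIRED_PARAMETERS = {"audit_logs": "audit", "profiler": "profiler"}

# Constructed sample: three clusters in different export states.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "docdb-prod", "EnabledCloudwatchLogsExports": ["audit", "profiler"]},
    {"DBClusterIdentifier": "docdb-staging", "EnabledCloudwatchLogsExports": ["audit"]},
    {"DBClusterIdentifier": "docdb-dev"},  # key is absent when nothing is exported
]

# Constructed sample of a cluster parameter group: profiler on, audit off.
SAMPLE_PARAMETERS = [
    {"ParameterName": "audit_logs", "ParameterValue": "disabled"},
    {"ParameterName": "profiler", "ParameterValue": "enabled"},
    {"ParameterName": "profiler_threshold_ms", "ParameterValue": "100"},
]


def missing_log_types(cluster):
    """Required log types the cluster does not export to CloudWatch Logs, sorted."""
    enabled = set(cluster.get("EnabledCloudwatchLogsExports", []))
    return sorted(REQUIRED_LOG_TYPES - enabled)


def evaluate(clusters):
    """Map cluster id -> (status, detail), PASS only when both log types are exported."""
    results = {}
    for cluster in clusters:
        missing = missing_log_types(cluster)
        status = ("FAIL", "missing export of: " + ", ".join(missing)) if missing \
            else ("PASS", "exports audit and profiler logs")
        results[cluster["DBClusterIdentifier"]] = status
    return results


def remediation_config(cluster):
    """JSON for --cloudwatch-logs-export-configuration that adds only the missing types."""
    return json.dumps({"EnableLogTypes": missing_log_types(cluster)})


def parameter_group_gaps(parameters):
    """Log types whose generating parameter is still 'disabled' in the parameter group."""
    values = {p["ParameterName"]: p["ParameterValue"] for p in parameters}
    return sorted(log_type for name, log_type in REQUIRED_PARAMETERS.items()
                  if values.get(name, "disabled") == "disabled")
```

Run `evaluate(SAMPLE_CLUSTERS)` to see the per-cluster verdicts; a cluster that passes the export check but still appears in `parameter_group_gaps` will deliver empty log streams until its parameter group is fixed.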
Source Code
Resource Type
AwsRdsDbCluster