An Amazon DocumentDB cluster with Multi-AZ enabled (multi_az) has a primary instance and one or more replicas deployed across different Availability Zones.
Risk
Without Multi-AZ, the cluster depends on a single AZ and a single instance. An AZ or node failure, or routine maintenance, can stop reads and writes, causing downtime, timeouts, and SLA breaches. Availability degrades, RTO rises, and applications may see failed or retried transactions until replacement capacity is created.
prowler aws --checks documentdb_cluster_multi_az_enabled
Recommendation
Enable Multi-AZ for DocumentDB and distribute instances across distinct AZs.
- Maintain at least one replica
- Set promotion priorities to guide failover
- Test failover regularly and use resilient client retries
This builds fault tolerance and preserves service availability.
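Added example, not Prowler's own check code: the evaluation described above run over constructed `describe-db-clusters` and `describe-db-instances` output. The field names (MultiAZ, DBClusterMembers, IsClusterWriter, AvailabilityZone) mirror the real DocumentDB API responses; the cluster names, instance names and AZs are made up. It also flags the case the recommendation warns about, a replica that exists but sits in the same AZ as the primary.

```python
"""Evaluate DocumentDB clusters for Multi-AZ deployment from describe-* output."""

# Constructed sample data shaped like `aws docdb describe-db-clusters` and
# `aws docdb describe-db-instances` responses (identifiers and AZs are made up).
SAMPLE_CLUSTERS = {
    "DBClusters": [
        {"DBClusterIdentifier": "orders-docdb", "MultiAZ": False,
         "DBClusterMembers": [
             {"DBInstanceIdentifier": "orders-0", "IsClusterWriter": True, "PromotionTier": 1}]},
        {"DBClusterIdentifier": "catalog-docdb", "MultiAZ": True,
         "DBClusterMembers": [
             {"DBInstanceIdentifier": "catalog-0", "IsClusterWriter": True, "PromotionTier": 1},
             {"DBInstanceIdentifier": "catalog-1", "IsClusterWriter": False, "PromotionTier": 1}]},
        {"DBClusterIdentifier": "billing-docdb", "MultiAZ": False,
         "DBClusterMembers": [
             {"DBInstanceIdentifier": "billing-0", "IsClusterWriter": True, "PromotionTier": 1},
             {"DBInstanceIdentifier": "billing-1", "IsClusterWriter": False, "PromotionTier": 1}]},
    ]
}
SAMPLE_INSTANCES = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-0", "AvailabilityZone": "us-east-1a"},
        {"DBInstanceIdentifier": "catalog-0", "AvailabilityZone": "us-east-1a"},
        {"DBInstanceIdentifier": "catalog-1", "AvailabilityZone": "us-east-1b"},
        {"DBInstanceIdentifier": "billing-0", "AvailabilityZone": "us-east-1c"},
        {"DBInstanceIdentifier": "billing-1", "AvailabilityZone": "us-east-1c"},
    ]
}


def evaluate_multi_az(clusters, instances):
    """Return {cluster_id: (status, reason)}; PASS only when MultiAZ is set
    and the members actually span at least two Availability Zones."""
    az_of = {i["DBInstanceIdentifier"]: i["AvailabilityZone"] for i in instances["DBInstances"]}
    results = {}
    for c in clusters["DBClusters"]:
        members = c["DBClusterMembers"]
        azs = sorted({az_of[m["DBInstanceIdentifier"]] for m in members})
        replicas = [m for m in members if not m["IsClusterWriter"]]
        if c["MultiAZ"] and len(azs) >= 2:
            status, reason = "PASS", f"{len(replicas)} replica(s) across {azs}"
        elif not replicas:
            status, reason = "FAIL", "single instance, no replica"
        else:  # replica present but co-located with the primary: no AZ fault tolerance
            status, reason = "FAIL", f"{len(members)} instances but all in {azs}"
        results[c["DBClusterIdentifier"]] = (status, reason)
    return results


if __name__ == "__main__":
    for cid, (status, reason) in evaluate_multi_az(SAMPLE_CLUSTERS, SAMPLE_INSTANCES).items():
        print(f"{status} {cid}: {reason}")
```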
Remediation
aws docdb create-db-instance --db-instance-identifier <example_resource_id> --db-cluster-identifier <example_resource_id> --db-instance-class <INSTANCE_CLASS> --engine docdb --availability-zone <OTHER_AZ>
- In the AWS Console, go to Amazon DocumentDB and open your cluster
- Click Create instance
- Set Instance class and choose an Availability Zone different from the primary
- Click Create to add the replica
- Verify the cluster now shows Multi-AZ enabled
Source Code
Resource Type
AwsRdsDbCluster