Enable CloudWatch Log Export for DocumentDB Clusters

Overview

This check verifies that Amazon DocumentDB clusters export both audit and profiler logs to CloudWatch Logs. Log exports give you visibility into database activity, including authentication attempts, authorization changes, and performance metrics.

Risk

Without log exports enabled, you lose visibility into critical database events:

  • Brute-force login attempts may go undetected
  • Privilege escalation or unauthorized access cannot be traced
  • Schema changes (creating indexes, dropping collections) are not recorded
  • Incident response becomes difficult without historical logs

Enabling both audit and profiler logs helps you detect threats early and meet compliance requirements.

Remediation Steps

Prerequisites

  • Access to the AWS Console with permission to modify DocumentDB clusters, OR
  • AWS CLI installed and configured with appropriate permissions

Required IAM permissions

Your IAM user or role needs these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:ModifyDBCluster",
        "rds:DescribeDBClusters",
        "logs:CreateLogGroup",
        "logs:PutRetentionPolicy"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

  1. Open the Amazon DocumentDB Console
  2. In the left navigation, click Clusters
  3. Select the cluster you want to modify
  4. Click Actions and choose Modify
  5. Scroll down to the Log exports section
  6. Check both:
    • Audit log
    • Profiler log
  7. Scroll to the bottom and click Continue
  8. Choose Apply immediately if you want changes to take effect now
  9. Click Modify cluster

AWS CLI

Use the modify-db-cluster command to enable log exports:

aws docdb modify-db-cluster \
  --region us-east-1 \
  --db-cluster-identifier <your-cluster-identifier> \
  --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit","profiler"]}' \
  --apply-immediately

Replace <your-cluster-identifier> with your actual cluster identifier.

Example:

aws docdb modify-db-cluster \
  --region us-east-1 \
  --db-cluster-identifier my-docdb-cluster \
  --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit","profiler"]}' \
  --apply-immediately

Note: Remove --apply-immediately if you prefer to apply changes during the next maintenance window.

CloudFormation

Use the EnableCloudwatchLogsExports property to enable log exports:

AWSTemplateFormatVersion: '2010-09-09'
Description: DocumentDB Cluster with CloudWatch Log Export

Parameters:
  DBClusterIdentifier:
    Type: String
    Description: The identifier for the DocumentDB cluster
  MasterUsername:
    Type: String
    Description: Master username for the cluster
  MasterUserPassword:
    Type: String
    NoEcho: true
    Description: Master password for the cluster
  VPCSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group for the cluster
  DBSubnetGroupName:
    Type: String
    Description: DB subnet group name

Resources:
  DocumentDBCluster:
    Type: AWS::DocDB::DBCluster
    Properties:
      DBClusterIdentifier: !Ref DBClusterIdentifier
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      VpcSecurityGroupIds:
        - !Ref VPCSecurityGroupId
      DBSubnetGroupName: !Ref DBSubnetGroupName
      EnableCloudwatchLogsExports:
        - audit
        - profiler
      StorageEncrypted: true
      DeletionProtection: true

Key property:

EnableCloudwatchLogsExports:
  - audit
  - profiler

Terraform

Use the enabled_cloudwatch_logs_exports argument:

resource "aws_docdb_cluster" "main" {
  cluster_identifier = var.cluster_identifier
  master_username    = var.master_username
  master_password    = var.master_password

  vpc_security_group_ids = var.vpc_security_group_ids
  db_subnet_group_name   = var.db_subnet_group_name

  # Enable CloudWatch log exports
  enabled_cloudwatch_logs_exports = ["audit", "profiler"]

  # Additional security best practices
  storage_encrypted         = true
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "${var.cluster_identifier}-final-snapshot"
}

Key argument:

enabled_cloudwatch_logs_exports = ["audit", "profiler"]

Verification

After enabling log exports, verify the configuration:

  1. In the DocumentDB Console, select your cluster
  2. Look at the Configuration tab
  3. Confirm Log exports shows both audit and profiler

CLI verification

aws docdb describe-db-clusters \
  --region us-east-1 \
  --db-cluster-identifier <your-cluster-identifier> \
  --query 'DBClusters[0].EnabledCloudwatchLogsExports'

Expected output:

[
  "audit",
  "profiler"
]

Notes

  • Both log types are required: This check fails if either audit or profiler logs are missing. Enable both for full compliance.
  • CloudWatch costs: Log exports incur CloudWatch Logs charges based on data volume. Consider setting retention policies to manage costs.
  • Audit logging prerequisites: To capture audit events, you must also enable audit logging in your DocumentDB cluster parameter group by setting audit_logs to enabled.
  • No downtime: Enabling log exports does not cause cluster downtime or failover.
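The following script is an added example, not code from the original page or from the scanner that publishes this check. It implements the verification above as reusable check logic: it evaluates the same fields the describe-db-clusters output contains (EnabledCloudwatchLogsExports) together with the audit_logs cluster parameter from the Notes, reports which of the two required log types are missing per cluster, and builds a CloudwatchLogsExportConfiguration payload that enables only the missing ones. The sample cluster and parameter-group records are constructed; the parameter group names, cluster identifiers and the live_findings helper (which needs boto3 and credentials) are assumptions for illustration.

```python
"""Check DocumentDB clusters for CloudWatch audit + profiler log exports.

Added example; evaluates describe-db-clusters / describe-db-cluster-parameters
style records and produces PASS/FAIL findings plus a minimal remediation payload.
"""
from typing import Dict, List

REQUIRED_LOG_TYPES = ("audit", "profiler")


def missing_log_exports(cluster: Dict) -> List[str]:
    """Return the required log types this cluster does not export to CloudWatch."""
    enabled = set(cluster.get("EnabledCloudwatchLogsExports", []))
    return [t for t in REQUIRED_LOG_TYPES if t not in enabled]


def audit_logging_enabled(parameters: List[Dict]) -> bool:
    """True when the cluster parameter group turns audit logging on.

    Assumption: an absent audit_logs parameter is treated as disabled, which is
    the DocumentDB default. Both "enabled" (the value this page names) and "all"
    record every audit event category.
    """
    for p in parameters:
        if p.get("ParameterName") == "audit_logs":
            return str(p.get("ParameterValue", "disabled")).lower() in ("enabled", "all")
    return False


def evaluate_cluster(cluster: Dict, parameters: List[Dict]) -> Dict:
    """Produce one finding: PASS only if both exports are on and audit_logs is enabled."""
    missing = missing_log_exports(cluster)
    audit_ok = audit_logging_enabled(parameters)
    return {
        "cluster": cluster["DBClusterIdentifier"],
        "status": "PASS" if not missing and audit_ok else "FAIL",
        "missing_exports": missing,
        "audit_logs_parameter_enabled": audit_ok,
    }


def remediation_config(cluster: Dict) -> Dict:
    """Build the --cloudwatch-logs-export-configuration value for modify-db-cluster.

    Only the missing types are listed, so exports already enabled are untouched.
    """
    return {"EnableLogTypes": missing_log_exports(cluster)}


def evaluate_all(clusters: List[Dict], params_by_group: Dict[str, List[Dict]]) -> List[Dict]:
    """Evaluate every cluster, looking up its parameter group by name."""
    return [
        evaluate_cluster(c, params_by_group.get(c.get("DBClusterParameterGroup", ""), []))
        for c in clusters
    ]


# Constructed sample records in the shape of the describe-* API responses
# (identifiers and group names are invented for this example).
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "docdb-prod", "DBClusterParameterGroup": "prod-audit-params",
     "EnabledCloudwatchLogsExports": ["audit", "profiler"]},
    {"DBClusterIdentifier": "docdb-staging", "DBClusterParameterGroup": "staging-params",
     "EnabledCloudwatchLogsExports": ["audit"]},
    {"DBClusterIdentifier": "docdb-legacy", "DBClusterParameterGroup": "staging-params"},
]
SAMPLE_PARAMETERS = {
    "prod-audit-params": [{"ParameterName": "audit_logs", "ParameterValue": "enabled"}],
    "staging-params": [{"ParameterName": "audit_logs", "ParameterValue": "disabled"}],
}


def live_findings(region: str = "us-east-1") -> List[Dict]:
    """Run the same evaluation against a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the module works offline without boto3

    docdb = boto3.client("docdb", region_name=region)
    clusters = docdb.get_paginator("describe_db_clusters").paginate().build_full_result()["DBClusters"]
    params_by_group: Dict[str, List[Dict]] = {}
    for group in {c["DBClusterParameterGroup"] for c in clusters}:
        pages = docdb.get_paginator("describe_db_cluster_parameters").paginate(
            DBClusterParameterGroupName=group)
        params_by_group[group] = pages.build_full_result()["Parameters"]
    return evaluate_all(clusters, params_by_group)


if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_CLUSTERS, SAMPLE_PARAMETERS):
        print(finding)
        if finding["missing_exports"]:
            print("  remediation:", remediation_config(
                next(c for c in SAMPLE_CLUSTERS if c["DBClusterIdentifier"] == finding["cluster"])))
```

Running the module prints a finding per sample cluster; docdb-staging fails because profiler is not exported and its parameter group leaves audit_logs disabled, and the remediation payload for it lists only "profiler", matching the --cloudwatch-logs-export-configuration format used in the CLI section. Because the IAM policy in the Prerequisites grants rds:DescribeDBClusters, the same role can run live_findings.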