Amazon DocumentDB Security

Security and compliance are a shared responsibility between AWS and the customer. AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud; the customer is responsible for maintaining control over the customer content hosted on that infrastructure. Content is protected by the security configuration and management controls of the AWS services being used.

In this lab you will look at the Amazon DocumentDB controls customers can use to further secure their content:

  • AWS Secrets Manager integration including Amazon DocumentDB password rotation

  • Encrypting data at rest using a customer managed CMK

  • Restricting database access using role-based access control (built-in roles)

Encrypting data in transit is not covered in this security module because encryption in transit (TLS) is enabled by default for newly created Amazon DocumentDB clusters.
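Before working through the controls above, it is useful to be able to verify where an existing cluster stands against them. The following example, added here and not part of the original lab or any AWS tooling, audits cluster records for the two configuration controls the page names: storage encrypted at rest with a key the auditor recognises as a customer managed CMK, and TLS kept enabled through the cluster parameter group. The record shapes follow the `DBClusters` and `Parameters` entries returned by the `describe-db-clusters` and `describe-db-cluster-parameters` API calls, but all identifiers, ARNs and parameter group names below are constructed sample data, and the set of "known customer managed keys" is an assumption supplied by the auditor (the cluster record alone carries only a key ARN).

```python
"""Offline audit of Amazon DocumentDB cluster settings against the
controls listed in this lab. Example code added to this page; not part
of the original lab. Input shapes mirror the describe-db-clusters and
describe-db-cluster-parameters responses, but every record here is
constructed sample data, not output from a real account."""
from dataclasses import dataclass, field

# Constructed sample: two cluster records as found under "DBClusters".
SAMPLE_CLUSTERS = [
    {
        "DBClusterIdentifier": "orders-prod",
        "StorageEncrypted": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CMK-1",
        "DBClusterParameterGroup": "prod-tls-enabled",
    },
    {
        "DBClusterIdentifier": "legacy-reporting",
        "StorageEncrypted": False,
        "DBClusterParameterGroup": "legacy-no-tls",
    },
]

# Constructed sample: parameter group name -> its "Parameters" entries.
SAMPLE_PARAMETER_GROUPS = {
    "prod-tls-enabled": [{"ParameterName": "tls", "ParameterValue": "enabled"}],
    "legacy-no-tls": [{"ParameterName": "tls", "ParameterValue": "disabled"}],
}

# Assumption: the auditor maintains the list of KMS key ARNs that are
# customer managed CMKs; the cluster record only exposes the key ARN.
CUSTOMER_MANAGED_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CMK-1",
}

# Values of the DocumentDB 'tls' cluster parameter that keep TLS on.
TLS_ON = {"enabled", "fips-140-3"}


@dataclass
class Finding:
    cluster: str
    issues: list = field(default_factory=list)

    @property
    def compliant(self):
        return not self.issues


def tls_setting(parameters):
    """Return the value of the 'tls' parameter in a parameter list, or None."""
    for param in parameters:
        if param.get("ParameterName") == "tls":
            return param.get("ParameterValue")
    return None


def audit_cluster(cluster, parameter_groups, customer_managed_keys):
    """Check one cluster record for encryption at rest with a known CMK
    and for TLS being enabled in its parameter group."""
    finding = Finding(cluster["DBClusterIdentifier"])

    if not cluster.get("StorageEncrypted"):
        finding.issues.append("storage is not encrypted at rest")
    elif cluster.get("KmsKeyId") not in customer_managed_keys:
        finding.issues.append("encrypted, but not with a known customer managed CMK")

    group = cluster.get("DBClusterParameterGroup")
    tls = tls_setting(parameter_groups.get(group, []))
    if tls not in TLS_ON:
        finding.issues.append(f"tls parameter is {tls!r} in parameter group {group!r}")

    return finding


def audit(clusters, parameter_groups, customer_managed_keys):
    """Audit every cluster; returns one Finding per cluster."""
    return [audit_cluster(c, parameter_groups, customer_managed_keys) for c in clusters]


if __name__ == "__main__":
    for f in audit(SAMPLE_CLUSTERS, SAMPLE_PARAMETER_GROUPS, CUSTOMER_MANAGED_KEYS):
        status = "OK" if f.compliant else "; ".join(f.issues)
        print(f"{f.cluster}: {status}")
```

Feeding real output into `audit()` is a matter of loading the JSON returned by the two describe calls; the logic does not change. Note that an encrypted cluster whose key ARN is not in the auditor's list is reported rather than assumed safe, since the record itself cannot distinguish a customer managed key from an AWS managed one.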