
Enable DocumentDB Profiler

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Profiler feature is enabled for your Amazon DocumentDB database clusters in order to log the execution time and details of database operations that were performed on your clusters. The Profiler can be enabled at the cluster level and works on all databases available within the cluster. When enabled, the feature logs operations that are taking longer than a customer-defined threshold value to Amazon CloudWatch Logs. Logged details include the profiled command, time, plan summary, and client metadata. After the database operations are logged to CloudWatch Logs, you can use Amazon CloudWatch Logs Insights to analyze, monitor, and archive your Amazon DocumentDB profiling data. By default, the Profiler feature is disabled for Amazon DocumentDB database clusters.

This rule can help you work with the AWS Well-Architected Framework.

Performance efficiency
Operational excellence

Monitoring your Amazon DocumentDB database clusters is an important part of keeping your applications healthy and functioning optimally. The Profiler records the slowest operations on a cluster, which helps you tune individual queries and overall cluster performance. Two practical points: each profiler record carries the full command document (including its filter) together with client metadata, so the CloudWatch log group it lands in can expose query patterns and data values, and read access to that log group should be restricted with IAM and given a retention policy; and a threshold of 100 ms with a sampling rate of 1.0 records every slow operation, which on a busy cluster produces a large, billable log volume, so tune both values to what you will actually analyze.


Audit

To determine if your Amazon DocumentDB clusters are exporting profiler logs to CloudWatch Logs, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon DocumentDB console at https://console.aws.amazon.com/docdb.

03 In the left navigation panel, under Amazon DocumentDB, choose Clusters.

04 Click on the name of the database cluster that you want to examine.

05 Select the Configuration tab to access the cluster configuration panel.

06 On the Cluster details panel, under Configurations and status, check the CloudWatch logs enabled configuration attribute value. The attribute lists every log type the cluster exports (audit, profiler, both, or none). If its value does not include profiler, the selected Amazon DocumentDB database cluster is not configured to export profiler logs to CloudWatch Logs. Note that this attribute only shows whether profiler logs are exported; records are generated only if the profiler parameter in the cluster's parameter group is set to enabled, so also check that parameter group (its name is listed under Cluster parameter group on the same tab).

07 Repeat steps no. 4 – 6 to verify the Profiler feature status for other database clusters available in the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-db-clusters command (OSX/Linux/UNIX) to list the names of all Amazon DocumentDB database clusters available within the selected region. The engine filter is needed because the same API also returns the Amazon Aurora clusters in the account:

aws docdb describe-db-clusters \
  --region us-east-1 \
  --filters Name=engine,Values=docdb \
  --output table \
  --query 'DBClusters[*].DBClusterIdentifier'

02 The command output should return a table with the requested database cluster names:

---------------------------
|   DescribeDBClusters    |
+-------------------------+
|  cc-prod-docdb-cluster  |
|  cc-test-docdb-cluster  |
+-------------------------+

03 Run describe-db-clusters command (OSX/Linux/UNIX) using the name of the DocumentDB database cluster that you want to examine as the identifier parameter and custom query filters to determine whether the selected database cluster exports profiler logs:

aws docdb describe-db-clusters \
  --region us-east-1 \
  --db-cluster-identifier cc-prod-docdb-cluster \
  --query 'DBClusters[*].EnabledCloudwatchLogsExports | []'

04 The command output should return the types of logs exported to Amazon CloudWatch Logs (an empty list means no log type is exported):

[
	"audit"
]

If the describe-db-clusters command output does not include "profiler", the selected Amazon DocumentDB database cluster is not configured to export profiler logs to CloudWatch Logs. Exporting is only half of the configuration: run describe-db-cluster-parameters against the cluster's parameter group (see step 1 of the CLI remediation) and confirm that the profiler parameter is set to enabled, otherwise no profiler records are produced.

05 Repeat step no. 3 and 4 for each DocumentDB database cluster available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
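The audit above checks one attribute per cluster by hand and stops at the export setting. The following Python script is an added example (not code from the Conformity page or from AWS): it evaluates a cluster from its describe-db-clusters entry plus the parameters of its cluster parameter group, flags clusters that export profiler logs while the profiler parameter is still disabled (or the sampling rate is 0), and can run the same check live across a region with boto3. The sample cluster and parameter data at the bottom are constructed for this example; boto3 and AWS credentials are assumed only for the live audit_region() path.

```python
"""Audit DocumentDB clusters for profiler logging.

Added example, not part of the Conformity page or the AWS CLI.
Profiler records only reach CloudWatch Logs when BOTH
 (1) "profiler" is in the cluster's EnabledCloudwatchLogsExports, and
 (2) the cluster parameter group sets profiler=enabled with a non-zero
     profiler_sampling_rate.
evaluate_cluster() tests both; audit_region() runs it live with boto3
(assumed installed and credentialed) for every docdb cluster in a region.
"""
from typing import Dict, List


def param_map(parameters: List[Dict]) -> Dict[str, str]:
    """Collapse a describe-db-cluster-parameters Parameters list to {name: value}."""
    return {p["ParameterName"]: str(p.get("ParameterValue", "")) for p in parameters}


def evaluate_cluster(cluster: Dict, parameters: List[Dict]) -> List[str]:
    """Return findings for one cluster; an empty list means compliant.

    cluster    - one element of DBClusters from describe-db-clusters
    parameters - Parameters of the cluster parameter group the cluster uses
    """
    findings: List[str] = []
    if "profiler" not in cluster.get("EnabledCloudwatchLogsExports", []):
        findings.append("profiler logs are not exported to CloudWatch Logs")
    params = param_map(parameters)
    if params.get("profiler", "disabled") != "enabled":
        findings.append("parameter group does not set profiler=enabled")
    # A sampling rate of 0 keeps the feature "on" while recording nothing.
    try:
        if float(params.get("profiler_sampling_rate", "1.0")) <= 0.0:
            findings.append("profiler_sampling_rate is 0, no operations are recorded")
    except ValueError:
        findings.append("profiler_sampling_rate is not numeric")
    return findings


def _collect(call, key: str, **kwargs) -> List[Dict]:
    """Follow the Marker-based pagination used by the docdb Describe* APIs."""
    items: List[Dict] = []
    marker = None
    while True:
        page = call(**kwargs, **({"Marker": marker} if marker else {}))
        items.extend(page.get(key, []))
        marker = page.get("Marker")
        if not marker:
            return items


def audit_region(region: str) -> Dict[str, List[str]]:
    """Live audit of one region; returns {cluster identifier: findings}."""
    import boto3  # local import so the pure functions above run without it

    docdb = boto3.client("docdb", region_name=region)
    # The same API also lists Aurora clusters, hence the engine filter.
    clusters = _collect(docdb.describe_db_clusters, "DBClusters",
                        Filters=[{"Name": "engine", "Values": ["docdb"]}])
    groups: Dict[str, List[Dict]] = {}
    results: Dict[str, List[str]] = {}
    for cluster in clusters:
        group = cluster["DBClusterParameterGroup"]
        if group not in groups:  # parameter groups are shared, fetch each once
            groups[group] = _collect(docdb.describe_db_cluster_parameters, "Parameters",
                                     DBClusterParameterGroupName=group)
        results[cluster["DBClusterIdentifier"]] = evaluate_cluster(cluster, groups[group])
    return results


# Constructed sample data, shaped like the CLI output on this page, so the
# evaluation logic can be exercised offline.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "cc-prod-docdb-cluster",
     "DBClusterParameterGroup": "cc-prod-cluster-parameter-group",
     "EnabledCloudwatchLogsExports": ["audit", "profiler"]},
    {"DBClusterIdentifier": "cc-test-docdb-cluster",
     "DBClusterParameterGroup": "default.docdb4.0",
     "EnabledCloudwatchLogsExports": ["audit"]},
    {"DBClusterIdentifier": "cc-dev-docdb-cluster",   # exports profiler logs, but
     "DBClusterParameterGroup": "cc-dev-cluster-parameter-group",  # profiler is off
     "EnabledCloudwatchLogsExports": ["profiler"]},
]
SAMPLE_PARAMETERS = {
    "cc-prod-cluster-parameter-group": [
        {"ParameterName": "profiler", "ParameterValue": "enabled"},
        {"ParameterName": "profiler_threshold_ms", "ParameterValue": "100"},
        {"ParameterName": "profiler_sampling_rate", "ParameterValue": "1.0"}],
    "default.docdb4.0": [
        {"ParameterName": "profiler", "ParameterValue": "disabled"},
        {"ParameterName": "profiler_threshold_ms", "ParameterValue": "100"},
        {"ParameterName": "profiler_sampling_rate", "ParameterValue": "1.0"}],
    "cc-dev-cluster-parameter-group": [
        {"ParameterName": "profiler", "ParameterValue": "disabled"}],
}


def audit_sample() -> Dict[str, List[str]]:
    """Evaluate the constructed sample; same shape as audit_region()'s result."""
    return {c["DBClusterIdentifier"]:
            evaluate_cluster(c, SAMPLE_PARAMETERS[c["DBClusterParameterGroup"]])
            for c in SAMPLE_CLUSTERS}


if __name__ == "__main__":
    for name, findings in audit_sample().items():
        print(f"{name}: {'COMPLIANT' if not findings else '; '.join(findings)}")
```

Run it as-is to see the three sample verdicts; call audit_region("us-east-1") (and loop over the regions you use) for a live check. The cc-dev cluster in the sample is the case the manual audit misses: the export is on, so the console shows profiler under CloudWatch logs enabled, yet nothing is ever written because the parameter group never turned the profiler on.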

Remediation / Resolution

To enable the Profiler feature for your Amazon DocumentDB database clusters and start exporting profiler logs to CloudWatch Logs, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon DocumentDB console at https://console.aws.amazon.com/docdb.

03 In the navigation panel, under Amazon DocumentDB, choose Clusters.

04 Click on the name of the DocumentDB database cluster that you want to reconfigure.

05 Select the Configuration tab and copy the name of the associated parameter group listed under Cluster parameter group.

06 In the left navigation panel, choose Parameter groups, and paste the name of the cluster parameter group copied at the previous step in the Filter bar.

07 Click on the name of the custom parameter group returned by the filtering process. If the cluster uses a default parameter group (for example default.docdb4.0), its parameters cannot be modified: create a custom cluster parameter group for the same family, perform the next step on that group, and select it under Cluster parameter group when you modify the cluster in step 11.

08 In the Cluster parameters section, perform the following actions to enable and configure the selected parameter group for profiling:

  1. Select the profiler parameter, choose Edit, set the parameter value to enabled, select Apply immediately, and choose Modify cluster parameter.
  2. Select the profiler_threshold_ms parameter, choose Edit, set the parameter value to 100 (or to a custom value in milliseconds; only operations slower than this are recorded), select Apply immediately, and choose Modify cluster parameter.
  3. Select the profiler_sampling_rate parameter, choose Edit, set the parameter value to 1.0 (or to a custom value between 0.0 and 1.0, the fraction of slow operations that are recorded), select Apply immediately, and choose Modify cluster parameter.

09 In the navigation panel, under Amazon DocumentDB, choose Clusters.

10 Select the DocumentDB database cluster that you want to reconfigure, click on the Actions dropdown button from the console top menu, and choose Modify.

11 On the Modify cluster: <cluster-identifier> page, perform the following actions:

  1. In the Log exports section, select the Profiler logs checkbox to enable publishing profiler logs to Amazon CloudWatch Logs.
  2. Choose Continue to continue the process.
  3. Within the Summary of modifications section, carefully review the configuration changes that you want to apply to the cluster.
  4. In the Scheduling of modifications section, perform one of the following actions based on your application requirements:
    • Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
    • Select Apply immediately to apply the configuration changes right away. With this option, any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for the selected database cluster. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your DocumentDB application.
  5. Choose Modify cluster to apply the configuration changes.

12 Repeat steps no. 3 – 11 to enable the Profiler feature for other Amazon DocumentDB database clusters provisioned in the current AWS region.

13 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-db-clusters command (OSX/Linux/UNIX) using the name of the DocumentDB database cluster that you want to reconfigure as the identifier parameter and custom query filters to return the name of the parameter group associated with the selected database cluster:

aws docdb describe-db-clusters \
  --region us-east-1 \
  --db-cluster-identifier cc-prod-docdb-cluster \
  --query 'DBClusters[*].DBClusterParameterGroup | []'

02 The command output should return the name of the associated parameter group:

[
	"cc-prod-cluster-parameter-group"
]

03 Run modify-db-cluster-parameter-group command (OSX/Linux/UNIX) using the name of the parameter group returned at the previous step as the identifier parameter, to enable the profiler on the selected DocumentDB cluster parameter group. Default parameter groups (names starting with default.) cannot be modified; if the previous step returned one, first create a custom group for the cluster's family (for example docdb4.0) with create-db-cluster-parameter-group, run the command below against that group, and associate it with the cluster in step 5:

aws docdb modify-db-cluster-parameter-group \
  --region us-east-1 \
  --db-cluster-parameter-group-name cc-prod-cluster-parameter-group \
  --parameters ParameterName=profiler,ParameterValue=enabled,ApplyMethod=immediate \
               ParameterName=profiler_threshold_ms,ParameterValue=100,ApplyMethod=immediate \
               ParameterName=profiler_sampling_rate,ParameterValue=1.0,ApplyMethod=immediate

04 The command output should return the name of the reconfigured parameter group:

{
	"DBClusterParameterGroupName": "cc-prod-cluster-parameter-group"
}

05 Run modify-db-cluster command (OSX/Linux/UNIX) to modify your Amazon DocumentDB database cluster in order to enable publishing profiler logs to CloudWatch Logs. The --db-cluster-parameter-group-name parameter is only needed when you are switching the cluster to a different (custom) parameter group; when the group is unchanged it can be omitted. The following command example makes use of the --apply-immediately parameter to apply the configuration changes asynchronously, as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your DocumentDB application. If you add the --no-apply-immediately parameter to the command request instead, the DocumentDB service will apply your changes during the next scheduled maintenance window:

aws docdb modify-db-cluster \
  --region us-east-1 \
  --db-cluster-identifier cc-prod-docdb-cluster \
  --db-cluster-parameter-group-name cc-prod-cluster-parameter-group \
  --cloudwatch-logs-export-configuration '{"EnableLogTypes":["profiler"]}' \
  --apply-immediately

06 The command output should return the configuration metadata for the modified database cluster:

{
	"DBCluster": {
		"DBClusterIdentifier": "cc-prod-docdb-cluster",
		"DBClusterParameterGroup": "cc-prod-cluster-parameter-group",
		"DBSubnetGroup": "default-vpc-abcdabcd",
		"Status": "available",
		"Engine": "docdb",
		"EngineVersion": "4.0.0",
		"Port": 27017,
		"PreferredBackupWindow": "00:00-00:30",
		"PreferredMaintenanceWindow": "fri:04:57-fri:05:27",

		...

		"HostedZoneId": "ZNKXH85TT8WVW",
		"StorageEncrypted": true,
		"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd",
		"DbClusterResourceId": "cluster-ABCDABCDABCDABCDABCDABCD",
		"DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-prod-docdb-cluster",
		"ClusterCreateTime": "2021-02-19T10:00:00.000000+00:00",
		"EnabledCloudwatchLogsExports": [
			"audit",
			"profiler"
		],
		"DeletionProtection": false
	}
}

07 Repeat steps no. 1 – 6 to enable the Profiler feature for other Amazon DocumentDB database clusters available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.
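The CLI remediation above is four commands per cluster and assumes the cluster already has a custom parameter group. The following Python script is an added example (not code from the Conformity page or from AWS) that turns those steps into a pure planner plus a thin boto3 executor: it emits only the API calls a given cluster actually needs, creates a custom parameter group when the cluster still sits on a default.docdbX.Y group (which cannot be modified), and is a no-op for a compliant cluster. The group naming convention (<cluster>-profiler-params), the family_for() mapping from engine version to parameter group family, and the sample cluster at the bottom are this example's own assumptions; boto3 and credentials are assumed only for apply_plan().

```python
"""Plan and apply DocumentDB profiler remediation.

Added example, not code from the Conformity page or from AWS. plan_remediation()
is pure and returns the docdb API calls, in order, needed to make one cluster
compliant; apply_plan() executes them with boto3 (assumed installed and
credentialed). The "<cluster>-profiler-params" group name and family_for()
are this example's own conventions.
"""
from typing import Dict, List, Tuple

Step = Tuple[str, Dict]  # (boto3 docdb client method name, keyword arguments)


def family_for(engine_version: str) -> str:
    """Map an EngineVersion such as "4.0.0" to its parameter group family.
    Assumption: the family is always "docdb" + major.minor (docdb4.0, docdb5.0)."""
    major, minor = engine_version.split(".")[:2]
    return f"docdb{major}.{minor}"


def _same(current: str, wanted: str) -> bool:
    """Compare parameter values numerically when possible ("1.0" == "1")."""
    try:
        return float(current) == float(wanted)
    except ValueError:
        return current == wanted


def plan_remediation(cluster: Dict, parameters: List[Dict],
                     threshold_ms: int = 100, sampling_rate: float = 1.0) -> List[Step]:
    """Return the API calls, in order, that make one cluster compliant.

    cluster    - one element of DBClusters from describe-db-clusters
    parameters - Parameters of the group the cluster currently uses; a fresh
                 custom group starts from the same family defaults, so they
                 are also the baseline when a new group has to be created.
    """
    steps: List[Step] = []
    group = cluster["DBClusterParameterGroup"]
    switch_group = group.startswith("default.")
    if switch_group:
        # Default groups cannot be modified: create a custom one, same family.
        group = f"{cluster['DBClusterIdentifier']}-profiler-params"  # hypothetical naming
        steps.append(("create_db_cluster_parameter_group", {
            "DBClusterParameterGroupName": group,
            "DBParameterGroupFamily": family_for(cluster["EngineVersion"]),
            "Description": "Custom cluster parameter group with the profiler enabled",
        }))

    wanted = {"profiler": "enabled",
              "profiler_threshold_ms": str(threshold_ms),
              "profiler_sampling_rate": str(sampling_rate)}
    current = {p["ParameterName"]: str(p.get("ParameterValue", "")) for p in parameters}
    changes = [{"ParameterName": n, "ParameterValue": v, "ApplyMethod": "immediate"}
               for n, v in wanted.items() if not _same(current.get(n, ""), v)]
    if changes:  # only send parameters that actually differ
        steps.append(("modify_db_cluster_parameter_group",
                      {"DBClusterParameterGroupName": group, "Parameters": changes}))

    modify: Dict = {"DBClusterIdentifier": cluster["DBClusterIdentifier"],
                    "ApplyImmediately": True}
    if switch_group:
        modify["DBClusterParameterGroupName"] = group
    if "profiler" not in cluster.get("EnabledCloudwatchLogsExports", []):
        modify["CloudwatchLogsExportConfiguration"] = {"EnableLogTypes": ["profiler"]}
    if len(modify) > 2:  # something beyond the identifier and ApplyImmediately
        steps.append(("modify_db_cluster", modify))
    return steps


def apply_plan(plan: List[Step], region: str) -> None:
    """Execute a plan with boto3. ApplyImmediately also flushes any other
    pending modifications, and a cluster moved to a new parameter group may
    need its instances rebooted before the group takes effect, so run this
    inside a maintenance window."""
    import boto3  # local import so the planner runs without it

    docdb = boto3.client("docdb", region_name=region)
    for method, kwargs in plan:
        getattr(docdb, method)(**kwargs)


# Constructed sample: a cluster still on the default group, exporting only audit logs.
SAMPLE_CLUSTER = {
    "DBClusterIdentifier": "cc-test-docdb-cluster",
    "DBClusterParameterGroup": "default.docdb4.0",
    "EngineVersion": "4.0.0",
    "EnabledCloudwatchLogsExports": ["audit"],
}
SAMPLE_PARAMETERS = [
    {"ParameterName": "profiler", "ParameterValue": "disabled"},
    {"ParameterName": "profiler_threshold_ms", "ParameterValue": "100"},
    {"ParameterName": "profiler_sampling_rate", "ParameterValue": "1.0"},
]


def plan_sample() -> List[Step]:
    """Plan for the constructed sample cluster."""
    return plan_remediation(SAMPLE_CLUSTER, SAMPLE_PARAMETERS)


if __name__ == "__main__":
    for method, kwargs in plan_sample():
        print(method, kwargs)
```

For the sample cluster the plan is three calls: create the custom group for family docdb4.0, set profiler=enabled on it (the threshold and sampling rate already match the defaults, so they are not resent), then modify the cluster to use the new group and enable the profiler export in one request. Review the printed plan before handing it to apply_plan(); the planner is where a reviewer can see exactly which settings change.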
