Ensure that the Certificate Authority (CA) certificates used for SSL/TLS on your Amazon DocumentDB (with MongoDB compatibility) database instances are rotated before the current CA certificate expires or is deprecated by AWS, as part of standard AWS cloud maintenance and security discipline.
This rule can help you work with the AWS Well-Architected Framework.
To maintain Amazon DocumentDB database security and avoid interruption of your DocumentDB applications, rotate the required SSL/TLS certificates and update the deprecated Certificate Authority (CA) certificates at the DocumentDB instance level.
Audit
To determine if the Certificate Authority (CA) certificates configured for your Amazon DocumentDB database instances are outdated, perform the following actions:
Remediation / Resolution
To rotate Certificate Authority (CA) certificates configured for your Amazon DocumentDB database instances, perform the following actions:
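The audit and the rotation above can be scripted. The following is an added example, not code from the original page or from AWS: it parses output in the shape returned by `aws docdb describe-db-instances`, reports every instance whose `CACertificateIdentifier` is not the expected one, and builds the matching `aws docdb modify-db-instance --ca-certificate-identifier` commands. The JSON sample is constructed, and the CA identifier `rds-ca-2019` is an assumption standing in for whatever CA is current in your region; check the DocumentDB documentation for the identifier to use.

```python
"""Audit Amazon DocumentDB instances for outdated CA certificates and build
the remediation commands. Added example; the sample JSON is constructed and
EXPECTED_CA is an assumption, not a value taken from the page."""
import json
import subprocess
from typing import Dict, List

# Assumption: the CA identifier every instance should be using. Replace it
# with the identifier that is current for your region.
EXPECTED_CA = "rds-ca-2019"

# Constructed sample in the shape of `aws docdb describe-db-instances`
# output, trimmed to the fields the check needs.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "docdb-prod-1", "DBClusterIdentifier": "docdb-prod",
         "CACertificateIdentifier": "rds-ca-2015", "DBInstanceStatus": "available"},
        {"DBInstanceIdentifier": "docdb-prod-2", "DBClusterIdentifier": "docdb-prod",
         "CACertificateIdentifier": "rds-ca-2019", "DBInstanceStatus": "available"},
        {"DBInstanceIdentifier": "docdb-analytics-1", "DBClusterIdentifier": "docdb-analytics",
         "CACertificateIdentifier": "rds-ca-2015", "DBInstanceStatus": "available"},
    ]
})


def outdated_instances(describe_json: str, expected_ca: str = EXPECTED_CA) -> List[Dict[str, str]]:
    """Return the instances whose CA certificate is not the expected one.

    An instance with no CACertificateIdentifier at all is reported as well:
    the audit cannot confirm it is current, so it must not pass silently.
    """
    findings = []
    for inst in json.loads(describe_json).get("DBInstances", []):
        ca = inst.get("CACertificateIdentifier")
        if ca != expected_ca:
            findings.append({
                "instance": inst["DBInstanceIdentifier"],
                "cluster": inst.get("DBClusterIdentifier", ""),
                "ca": ca or "(missing)",
            })
    return findings


def remediation_commands(findings: List[Dict[str, str]], region: str,
                         expected_ca: str = EXPECTED_CA,
                         apply_immediately: bool = False) -> List[str]:
    """Build one `aws docdb modify-db-instance` call per outdated instance.

    Without --apply-immediately the change is applied in the next maintenance
    window, which leaves time to roll the new CA bundle out to the clients
    first (see the note below).
    """
    cmds = []
    for finding in findings:
        cmd = ["aws", "docdb", "modify-db-instance", "--region", region,
               "--db-instance-identifier", finding["instance"],
               "--ca-certificate-identifier", expected_ca]
        if apply_immediately:
            cmd.append("--apply-immediately")
        cmds.append(" ".join(cmd))
    return cmds


def describe_instances_live(region: str) -> str:
    """Fetch real output with the AWS CLI (needs credentials and network)."""
    result = subprocess.run(
        ["aws", "docdb", "describe-db-instances", "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Swap SAMPLE_DESCRIBE_OUTPUT for describe_instances_live("us-east-1")
    # to audit a real account.
    findings = outdated_instances(SAMPLE_DESCRIBE_OUTPUT)
    for f in findings:
        print(f"OUTDATED {f['instance']} (cluster {f['cluster']}) uses {f['ca']}")
    for cmd in remediation_commands(findings, "us-east-1"):
        print(cmd)
```

Run the audit first, roll the new CA bundle out to every client that connects with TLS, and only then run the generated `modify-db-instance` commands; the default leaves the change for the maintenance window, so pass `apply_immediately=True` only when you have confirmed the clients already trust the new CA and can tolerate the instance being modified right away.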
Note: Before you configure your DocumentDB database instances to use the new CA certificate, make sure that you update the applications connecting to your DocumentDB databases to use the new CA certificate bundle.
References
- AWS Documentation
- Security in Amazon DocumentDB
- Updating Your Amazon DocumentDB TLS Certificates
- Modifying an Amazon DocumentDB cluster
- AWS Command Line Interface (CLI) Documentation
- describe-db-clusters
- describe-db-instances