Rotate SSL/TLS Certificates for DocumentDB Cluster Instances

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DocumentDB console at https://console.aws.amazon.com/docdb.

03 In the main navigation panel, under Amazon DocumentDB, choose Clusters.

04 Click on the name (link) of the database instance that you want to examine, listed under the DocumentDB cluster, in the Cluster identifier column.

05 Select the Configuration tab to access the cluster configuration panel.

06 In the Details section, check the Certificate authority attribute value to determine if the configured CA certificate is outdated. If the Certificate authority value is set to rds-ca-2015, the Certificate Authority (CA) certificate configured for the selected Amazon DocumentDB database instance is outdated and needs to be changed (rotated).

07 Repeat steps no. 4 – 6 for each database instance running within the selected DocumentDB cluster.

08 Repeat steps no. 4 – 7 for each DocumentDB database cluster available in the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

01 Rundescribe-db-clusters command (OSX/Linux/UNIX) to list the names of all Amazon DocumentDB database clusters available within the selected AWS region:

aws docdb describe-db-clusters
  --region us-east-1
  --output table
  --query 'DBClusters[*].DBClusterIdentifier'

02 The command output should return a table with the requested database cluster names:

---------------------------
|   DescribeDBClusters    |
+-------------------------+
|  cc-prod-docdb-cluster  |
|  cc-test-docdb-cluster  |
+-------------------------+

03 Run describe-db-clusters command (OSX/Linux/UNIX) using the name of the DocumentDB database cluster that you want to examine as identifier parameter and custom query filters to describe the CA certificate version for each database instance running within the selected cluster:

aws docdb describe-db-instances
  --region us-east-1
  --filters Name=db-cluster-id,Values=cc-prod-docdb-cluster
  --query 'DBInstances[*].{CertificateVersion:CACertificateIdentifier,InstanceID:DBInstanceIdentifier}'

04 The command output should return the name of each running database instance and the version of the associated CA certificate:

[
	{
		"InstanceID": "cc-prod-docdb-cluster-001",
		"CertificateVersion": "rds-ca-2015"
	}
]

05 Repeat steps no. 3 and 4 for each DocumentDB database cluster available in the selected AWS region.

06 Change the AWS cloud region by updating the --regioncommand parameter value and repeat the Audit process for other regions.

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DocumentDB console at https://console.aws.amazon.com/docdb.

03 In the main navigation panel, under Amazon DocumentDB, choose Clusters.

04 Click on the name (link) of the database instance that you want to reconfigure, listed under the DocumentDB cluster, in the Cluster identifier column.

05 Select the Configuration tab to access the cluster configuration panel.

06 In the Detailssection choose Modify to modify the configuration settings available for the selected instance.

07 Select the new Certificate Authority (CA) certificate from the Certificate authority dropdown list to replace the outdated CA certificate.

08 Choose Continue and review the configuration changes that you want to apply, available in the Summary of modifications section.

09 In the Scheduling of modifications section, perform one of the following actions based on your workload requirements:

1. Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
2. Select Apply immediately to apply the changes right away. With this option any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window configured for the selected database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your DocumentDB application.
3. Choose Modify instance to apply the configuration changes.

10 Repeat steps no. 4 – 9 for each database instance running within the selected DocumentDB cluster.

11 Repeat steps no. 4 – 10 for each DocumentDB database cluster available in the current AWS region.

12 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

01 Run modify-db-instance command (OSX/Linux/UNIX) to replace (rotate) the Certificate Authority (CA) certificate configured for the selected Amazon DocumentDB database instance. The following command request example makes use of --apply-immediately parameter to apply the configuration changes asynchronously and as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your DocumentDB application. If you skip adding the --apply-immediately parameter to the command request, Amazon DocumentDB will apply your changes during the next maintenance window:

aws docdb modify-db-instance
  --region us-east-1
  --db-instance-identifier cc-prod-docdb-cluster-001
  --ca-certificate-identifier "rds-ca-2019"
  --apply-immediately

02 The command output should return the configuration information available for the modified database instance:

{
	"DBInstance": {
		"DBInstanceIdentifier": "cc-prod-docdb-cluster-001",
		"DBInstanceClass": "db.t3.medium",
		"Engine": "docdb",
		"DBInstanceStatus": "available",
		"MasterUsername": "awsmanager",
		"Endpoint": {
			"Address": "cc-prod-docdb-cluster.abcd1234abcd.us-east-1.docdb.amazonaws.com",
			"Port": 27017,
			"HostedZoneId": "ABCDABCDABCD"
		},

		...

		"AllocatedStorage": 50,
		"InstanceCreateTime": "2022-10-19T05:48:55.499000+00:00",
		"PreferredBackupWindow": "00:00-00:30",
		"BackupRetentionPeriod": 7,
		"DeletionProtection": false,
		"AssociatedRoles": [],
		"CustomerOwnedIpEnabled": false,
		"BackupTarget": "region",
		"NetworkType": "IPV4"
	}
}

03 Repeat steps no. 1 and 2 for each database instance running within the selected DocumentDB cluster.

04 Repeat steps no. 1 – 3 for each DocumentDB database cluster available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.