
Rotate SSL/TLS Certificates for DocumentDB Cluster Instances

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the SSL/TLS certificates configured for your Amazon DocumentDB (with MongoDB compatibility) database instances are replaced every few years as part of AWS cloud standard maintenance and security discipline.

This rule can help you work with the AWS Well-Architected Framework.

Security

To maintain Amazon DocumentDB database security and avoid interruption of your DocumentDB applications, rotate the required SSL/TLS certificates and update the deprecated Certificate Authority (CA) certificates at the DocumentDB instance level.


Audit

To determine if the Certificate Authority (CA) certificates configured for your Amazon DocumentDB database instances are outdated, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DocumentDB console at https://console.aws.amazon.com/docdb.

03 In the main navigation panel, under Amazon DocumentDB, choose Clusters.

04 Click on the name (link) of the database instance that you want to examine, listed under the DocumentDB cluster, in the Cluster identifier column.

05 Select the Configuration tab to access the cluster configuration panel.

06 In the Details section, check the Certificate authority attribute value to determine if the configured CA certificate is outdated. If the Certificate authority value is set to rds-ca-2015, the Certificate Authority (CA) certificate configured for the selected Amazon DocumentDB database instance is outdated and needs to be changed (rotated).

07 Repeat steps no. 4 – 6 for each database instance running within the selected DocumentDB cluster.

08 Repeat steps no. 4 – 7 for each DocumentDB database cluster available in the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-db-clusters command (OSX/Linux/UNIX) to list the names of all Amazon DocumentDB database clusters available within the selected AWS region:

aws docdb describe-db-clusters \
  --region us-east-1 \
  --output table \
  --query 'DBClusters[*].DBClusterIdentifier'

02 The command output should return a table with the requested database cluster names:

---------------------------
|   DescribeDBClusters    |
+-------------------------+
|  cc-prod-docdb-cluster  |
|  cc-test-docdb-cluster  |
+-------------------------+

03 Run describe-db-instances command (OSX/Linux/UNIX) using the name of the DocumentDB database cluster that you want to examine as the db-cluster-id filter value and custom query filters to describe the CA certificate version for each database instance running within the selected cluster:

aws docdb describe-db-instances \
  --region us-east-1 \
  --filters Name=db-cluster-id,Values=cc-prod-docdb-cluster \
  --query 'DBInstances[*].{CertificateVersion:CACertificateIdentifier,InstanceID:DBInstanceIdentifier}'

04 The command output should return the name of each running database instance and the version of the associated CA certificate:

[
	{
		"InstanceID": "cc-prod-docdb-cluster-001",
		"CertificateVersion": "rds-ca-2015"
	}
]

Check the "CertificateVersion" attribute value listed for each database instance to determine the CA certificate validity. If the "CertificateVersion" value is set to "rds-ca-2015", the Certificate Authority (CA) certificate configured for the specified Amazon DocumentDB database instance is outdated and needs to be rotated.

05 Repeat steps no. 3 and 4 for each DocumentDB database cluster available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To rotate Certificate Authority (CA) certificates configured for your Amazon DocumentDB database instances, perform the following actions:

Note: Before you configure your DocumentDB database instances to use the new CA certificate, make sure that you update your applications connecting to your DocumentDB databases to use the new CA certificate bundle.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DocumentDB console at https://console.aws.amazon.com/docdb.

03 In the main navigation panel, under Amazon DocumentDB, choose Clusters.

04 Click on the name (link) of the database instance that you want to reconfigure, listed under the DocumentDB cluster, in the Cluster identifier column.

05 Select the Configuration tab to access the cluster configuration panel.

06 In the Details section choose Modify to modify the configuration settings available for the selected instance.

07 Select the new Certificate Authority (CA) certificate from the Certificate authority dropdown list to replace the outdated CA certificate.

08 Choose Continue and review the configuration changes that you want to apply, available in the Summary of modifications section.

09 In the Scheduling of modifications section, perform one of the following actions based on your workload requirements:

  1. Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
  2. Select Apply immediately to apply the changes right away. With this option any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window configured for the selected database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your DocumentDB application.
  3. Choose Modify instance to apply the configuration changes.

10 Repeat steps no. 4 – 9 for each database instance running within the selected DocumentDB cluster.

11 Repeat steps no. 4 – 10 for each DocumentDB database cluster available in the current AWS region.

12 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run modify-db-instance command (OSX/Linux/UNIX) to replace (rotate) the Certificate Authority (CA) certificate configured for the selected Amazon DocumentDB database instance. The following command request example makes use of --apply-immediately parameter to apply the configuration changes asynchronously and as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your DocumentDB application. If you skip adding the --apply-immediately parameter to the command request, Amazon DocumentDB will apply your changes during the next maintenance window:

aws docdb modify-db-instance \
  --region us-east-1 \
  --db-instance-identifier cc-prod-docdb-cluster-001 \
  --ca-certificate-identifier "rds-ca-2019" \
  --apply-immediately

02 The command output should return the configuration information available for the modified database instance:

{
	"DBInstance": {
		"DBInstanceIdentifier": "cc-prod-docdb-cluster-001",
		"DBInstanceClass": "db.t3.medium",
		"Engine": "docdb",
		"DBInstanceStatus": "available",
		"MasterUsername": "awsmanager",
		"Endpoint": {
			"Address": "cc-prod-docdb-cluster.abcd1234abcd.us-east-1.docdb.amazonaws.com",
			"Port": 27017,
			"HostedZoneId": "ABCDABCDABCD"
		},

		...

		"AllocatedStorage": 50,
		"InstanceCreateTime": "2022-10-19T05:48:55.499000+00:00",
		"PreferredBackupWindow": "00:00-00:30",
		"BackupRetentionPeriod": 7,
		"DeletionProtection": false,
		"AssociatedRoles": [],
		"CustomerOwnedIpEnabled": false,
		"BackupTarget": "region",
		"NetworkType": "IPV4"
	}
}

03 Repeat steps no. 1 and 2 for each database instance running within the selected DocumentDB cluster.

04 Repeat steps no. 1 – 3 for each DocumentDB database cluster available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
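The following added example (not Conformity's or AWS's own code) automates the CLI Audit steps 3 and 4 and prepares the Remediation step 1 commands: it evaluates the DBInstances list returned by `aws docdb describe-db-instances`, generalizing the page's rds-ca-2015 test to any CA outside an accepted set, distinguishes instances whose rotation is already queued in PendingModifiedValues, and emits the page's modify-db-instance command for each instance that still needs rotation. The sample response is constructed; ACCEPTED_CAS and the treatment of pending modifications are the example's own assumptions.

```python
import shlex

ACCEPTED_CAS = {"rds-ca-2019"}  # the CA the page's remediation command installs (assumption)

def audit_instances(db_instances):
    """One finding per DocumentDB instance whose CA is not in ACCEPTED_CAS.
    A rotation already queued in PendingModifiedValues is reported as
    'pending' rather than 'outdated', so it is not modified a second time."""
    findings = []
    for inst in db_instances:
        if inst.get("Engine") != "docdb":  # the docdb API can list other engines
            continue
        ca = inst.get("CACertificateIdentifier")
        if ca in ACCEPTED_CAS:
            continue
        pending = (inst.get("PendingModifiedValues") or {}).get("CACertificateIdentifier")
        findings.append({"cluster": inst.get("DBClusterIdentifier"),
                         "instance": inst["DBInstanceIdentifier"], "ca": ca,
                         "status": "pending" if pending in ACCEPTED_CAS else "outdated"})
    return findings

def remediation_commands(findings, region="us-east-1", apply_immediately=False):
    """Build the page's modify-db-instance command for each 'outdated' finding.
    --apply-immediately is added only on request, since it also flushes queued
    modifications and may cause downtime (see the page's note)."""
    flag = ["--apply-immediately"] if apply_immediately else []
    return [shlex.join(["aws", "docdb", "modify-db-instance", "--region", region,
                        "--db-instance-identifier", f["instance"],
                        "--ca-certificate-identifier", min(ACCEPTED_CAS)] + flag)
            for f in findings if f["status"] == "outdated"]

# Constructed sample (not real AWS output) in the shape of the DBInstances list
# from `aws docdb describe-db-instances`: outdated, rotation queued, compliant.
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "cc-prod-docdb-cluster-001", "Engine": "docdb",
     "DBClusterIdentifier": "cc-prod-docdb-cluster", "CACertificateIdentifier": "rds-ca-2015"},
    {"DBInstanceIdentifier": "cc-prod-docdb-cluster-002", "Engine": "docdb",
     "DBClusterIdentifier": "cc-prod-docdb-cluster", "CACertificateIdentifier": "rds-ca-2015",
     "PendingModifiedValues": {"CACertificateIdentifier": "rds-ca-2019"}},
    {"DBInstanceIdentifier": "cc-test-docdb-cluster-001", "Engine": "docdb",
     "DBClusterIdentifier": "cc-test-docdb-cluster", "CACertificateIdentifier": "rds-ca-2019"},
]

if __name__ == "__main__":
    found = audit_instances(SAMPLE_DB_INSTANCES)
    for f in found:
        print(f"{f['cluster']}/{f['instance']}: {f['ca']} ({f['status']})")
    print("\n".join(remediation_commands(found)))
```

For a live run, feed the `DBInstances` array of `aws docdb describe-db-instances --region <region> --output json` into `audit_instances` once per region, and review the emitted commands before executing them, since the application-side CA bundle must already be updated.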
