Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security Best Practices for Amazon DocumentDB

Use Amazon Identity and Access Management (IAM) to control access to Amazon DocumentDB API operations, especially operations that create, modify, or delete Amazon DocumentDB resources such as clusters, security groups, and parameter groups. Also use IAM to control common administrative actions such as backing up and restoring clusters. When you create IAM roles and policies, apply the principle of least privilege: grant only the actions, on only the resources, that a task requires.

  • Enforce least privilege with role-based access control.

  • Assign an individual IAM identity to each person who manages Amazon DocumentDB resources. Do not use the Amazon Web Services account root user to manage Amazon DocumentDB resources or for day-to-day work. Create an IAM user for everyone, including yourself.

  • Grant each user the minimum set of permissions that are required to perform their duties.

  • Use IAM groups to effectively manage permissions for multiple users. For more information about IAM, see the IAM User Guide. For information about IAM best practices, see IAM Best Practices.

  • Regularly rotate your IAM credentials.

  • Configure Amazon Secrets Manager to automatically rotate the secrets for Amazon DocumentDB. For more information, see Rotating Your Amazon Secrets Manager Secrets and Rotating Secrets for Amazon DocumentDB in the Amazon Secrets Manager User Guide.

  • Use Transport Layer Security (TLS) to encrypt data in transit and encryption at rest to protect stored data. Encryption at rest can be enabled only when a cluster is created, not afterward, so decide on it before provisioning. TLS is controlled by the tls parameter in the cluster parameter group and is enabled by default; do not disable it for convenience.
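The least-privilege guidance above is easiest to apply when the policy that an operator receives is written against explicit actions and explicit resource ARNs, and when something checks it before it ships. The following is an added example, not code from the Amazon DocumentDB documentation: it builds an IAM policy for a "backup and restore operator" scoped to a single cluster, and runs a small least-privilege checker over it and over a deliberately over-broad policy for contrast. Amazon DocumentDB API actions use the rds: IAM namespace and RDS-style ARNs; the partition, Region, account ID, and cluster identifier are placeholders, and the read-only heuristic (Describe/List/Get may use Resource "*") is this example's own design choice.

```python
"""Least-privilege IAM policy for a DocumentDB backup operator, plus a checker.

Added example; not code from the Amazon DocumentDB documentation. The partition,
Region, account ID and cluster identifier are placeholders constructed for this
example. DocumentDB API actions live in the rds: IAM namespace and cluster
resources use RDS-style ARNs: arn:<partition>:rds:<region>:<account>:cluster:<id>.
"""
import json
import re

# Placeholder values (constructed for this example).
PARTITION = "aws-cn"      # "aws" outside the China Regions
REGION = "cn-north-1"
ACCOUNT_ID = "123456789012"
CLUSTER_ID = "sample-docdb-cluster"

# DocumentDB/RDS ARN shape; the final segment may be a specific id or a wildcard.
ARN_PATTERN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):rds:[a-z0-9-]+:\d{12}:"
    r"(cluster|cluster-snapshot|db|pg|cluster-pg|subgrp):\S+$"
)

# Heuristic used by this checker: actions with these prefixes are treated as
# read-only and may be granted on Resource "*"; everything else must be scoped.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def backup_operator_policy(partition, region, account_id, cluster_id):
    """Return a policy document that lets an operator snapshot and restore one cluster."""
    cluster_arn = f"arn:{partition}:rds:{region}:{account_id}:cluster:{cluster_id}"
    snapshot_arn = f"arn:{partition}:rds:{region}:{account_id}:cluster-snapshot:*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Read-only discovery so the operator can locate the cluster and snapshots.
                "Sid": "DescribeClustersAndSnapshots",
                "Effect": "Allow",
                "Action": ["rds:DescribeDBClusters", "rds:DescribeDBClusterSnapshots"],
                "Resource": "*",
            },
            {
                # Mutating actions are pinned to the one cluster and its snapshots.
                "Sid": "SnapshotAndRestoreOneCluster",
                "Effect": "Allow",
                "Action": ["rds:CreateDBClusterSnapshot", "rds:RestoreDBClusterFromSnapshot"],
                "Resource": [cluster_arn, snapshot_arn],
            },
        ],
    }


# Constructed over-broad policy for contrast: "admin for convenience".
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllRds", "Effect": "Allow", "Action": "rds:*", "Resource": "*"}],
}


def _is_read_only(action):
    name = action.split(":", 1)[1] if ":" in action else action
    return name.startswith(READ_ONLY_PREFIXES)


def policy_findings(policy):
    """Return least-privilege violations found in an IAM policy document (empty if clean)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants everything not listed")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        # Wildcards are only tolerated inside the read-only action families.
        for action in actions:
            if "*" in action and not _is_read_only(action):
                findings.append(f"{sid}: wildcard action {action!r}")
        mutating = [a for a in actions if not _is_read_only(a)]
        for res in resources:
            if res == "*":
                if mutating:
                    findings.append(f"{sid}: Resource '*' with mutating actions {mutating}")
            elif not ARN_PATTERN.match(res):
                findings.append(f"{sid}: resource {res!r} is not a DocumentDB/RDS ARN")
    return findings


if __name__ == "__main__":
    scoped = backup_operator_policy(PARTITION, REGION, ACCOUNT_ID, CLUSTER_ID)
    print(json.dumps(scoped, indent=2))
    print("scoped policy findings:", policy_findings(scoped))
    print("over-broad policy findings:", policy_findings(OVERBROAD_POLICY))
```

The checker is a pre-commit sanity check, not a substitute for IAM Access Analyzer policy validation or for reviewing the actual actions a role uses; it is there to make "rds:*" on "*" impossible to merge by accident. Attach the generated document to an IAM group or role for the backup operators rather than to individual users, as the list above recommends.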