Compliance Critical severity

AWS Security Hub · DocumentDB

DocumentDB.3: A DocumentDB manual snapshot is public

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub DocumentDB.3 check?

DocumentDB.3 checks the sharing setting on manual DocumentDB cluster snapshots. It reports FAILED when a manual snapshot's `restore` attribute is set to the special value `all`, which marks the snapshot public — visible to, and restorable by, every AWS account.

Why does DocumentDB.3 matter?

Public here is literal: every AWS account on the planet can see the snapshot and, if it's unencrypted, restore a complete working copy of your database — every document, every customer record — into their own account, with no password, allow-list, or network boundary in front of it. It's rated Critical because the blast radius is total and the mistake is easy: a fat-fingered `all` instead of an account ID when sharing with a partner.

How do I fix DocumentDB.3?

  1. Revoke public access immediately by removing `all` from the snapshot's restore attribute.
  2. Establish the exposure window from CloudTrail and assess whether the data was actually pulled.
  3. Inventory every account and region for other public manual snapshots.
  4. Deploy a guardrail (SCP or Config rule) so no snapshot can be made public by accident again.
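Steps 1 and 3 for one region, as an added example that is not part of the original lesson: it lists manual DocumentDB cluster snapshots, flags those whose `restore` attribute contains `all`, and removes only that value so any explicit account-ID shares survive. The client is boto3-shaped (`describe_db_cluster_snapshots`, `describe_db_cluster_snapshot_attributes`, `modify_db_cluster_snapshot_attribute`); `FakeDocDB`, its snapshot names and the account ID are constructed stand-ins, and a real run would pass `boto3.client("docdb", region_name=...)` once per region.

```python
"""Audit and remediate public (restore=all) manual DocumentDB cluster snapshots."""

def is_public(attrs_response):
    """True if the snapshot's 'restore' attribute contains the public marker 'all'."""
    result = attrs_response["DBClusterSnapshotAttributesResult"]
    for attr in result.get("DBClusterSnapshotAttributes", []):
        if attr["AttributeName"] == "restore" and "all" in attr.get("AttributeValues", []):
            return True
    return False

def find_public_manual_snapshots(docdb):
    """Identifiers of manual snapshots in this client's region that are public."""
    public, kwargs = [], {"SnapshotType": "manual"}
    while True:  # follow Marker pagination of the describe call
        page = docdb.describe_db_cluster_snapshots(**kwargs)
        for snap in page["DBClusterSnapshots"]:
            sid = snap["DBClusterSnapshotIdentifier"]
            attrs = docdb.describe_db_cluster_snapshot_attributes(DBClusterSnapshotIdentifier=sid)
            if is_public(attrs):
                public.append(sid)
        if "Marker" not in page:
            return public
        kwargs["Marker"] = page["Marker"]

def remediate(docdb):
    """Remove only the 'all' value, so sharing with explicit account IDs is kept."""
    revoked = find_public_manual_snapshots(docdb)
    for sid in revoked:
        docdb.modify_db_cluster_snapshot_attribute(
            DBClusterSnapshotIdentifier=sid, AttributeName="restore", ValuesToRemove=["all"])
    return revoked

class FakeDocDB:
    """Constructed stand-in for boto3.client('docdb'): one public, one privately shared snapshot."""
    def __init__(self):
        self.shares = {"prod-orders-final": ["all", "111122223333"],
                       "prod-orders-weekly": ["111122223333"]}
    def describe_db_cluster_snapshots(self, SnapshotType, Marker=None):
        return {"DBClusterSnapshots": [{"DBClusterSnapshotIdentifier": s} for s in self.shares]}
    def describe_db_cluster_snapshot_attributes(self, DBClusterSnapshotIdentifier):
        return {"DBClusterSnapshotAttributesResult": {"DBClusterSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": self.shares[DBClusterSnapshotIdentifier]}]}}
    def modify_db_cluster_snapshot_attribute(self, DBClusterSnapshotIdentifier, AttributeName,
                                             ValuesToAdd=(), ValuesToRemove=()):
        kept = [v for v in self.shares[DBClusterSnapshotIdentifier] if v not in ValuesToRemove]
        self.shares[DBClusterSnapshotIdentifier] = kept + list(ValuesToAdd)

if __name__ == "__main__":  # swap in boto3.client("docdb", region_name=...) for a real region
    print(remediate(FakeDocDB()))
```

Confirm the result afterwards with `aws docdb describe-db-cluster-snapshot-attributes`: the `restore` attribute should list only account IDs, never `all`.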

Remediation script · bash

# Raise backup retention to at least 7 days on production instances currently below it (skip read replicas).
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?ReadReplicaSourceDBInstanceIdentifier==`null` && BackupRetentionPeriod<`7`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --backup-retention-period 7 --no-apply-immediately
done

# Turn on DynamoDB point-in-time recovery (instant, no downtime).
aws dynamodb update-continuous-backups --table-name prod-orders \
  --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

# Stop any snapshot in the account from being shared publicly, ever.
aws ec2 enable-snapshot-block-public-access --state block-all-sharing

Full walkthrough (console steps, edge cases and verification) in the lesson Configure backups and retention.

Is DocumentDB.3 a false positive?

Automated snapshots can't be shared at all, which lulls teams into thinking sharing is safe — but the moment an automated snapshot is copied into a manual one to hand it over, the public-exposure path opens up.

Part of the learning path Lock down access