Compliance · Medium severity

AWS Security Hub · DocumentDB

DocumentDB.4: DocumentDB clusters should export audit logs to CW

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub DocumentDB.4 check?

DocumentDB.4 checks whether a cluster publishes audit logs to Amazon CloudWatch Logs. It reports FAILED when the cluster isn't exporting the `audit` log type — auditing is disabled by default on a new cluster, so it records nothing until deliberately switched on.

Why does DocumentDB.4 matter?

Without an audit trail, the record of who authenticated, created a user, dropped a collection, or ran a query simply doesn't exist. Everything looks fine until an incident or an auditor asks 'who dropped that collection?' and the honest answer is 'we have no way to know.' It maps to NIST AU-2/AU-3/AU-12 and PCI DSS 10.3.3 — accountability controls where an event with no recorded actor effectively never happened.

How do I fix DocumentDB.4?

  1. Create a custom cluster parameter group with the `audit_logs` parameter enabled and attach it to the cluster.
  2. Enable the CloudWatch Logs export for the `audit` log type on the cluster.
  3. Set log-group retention and consider DML filtering to control volume.
  4. Make the audited configuration the default for new clusters so they arrive compliant.

Remediation script · bash

# Move the highest-impact databases onto IAM authentication first (free, no reboot).
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?IAMDatabaseAuthenticationEnabled==`false`].DBInstanceIdentifier' \
    --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --enable-iam-database-authentication --apply-immediately
  echo "$db: IAM database authentication enabled"
done

# Find every instance still using a default admin username (immutable; needs migration).
aws rds describe-db-instances \
  --query "DBInstances[?contains(['admin','postgres','root','sa','master','mysql','dbadmin'], MasterUsername)].[DBInstanceIdentifier,MasterUsername]" \
  --output table

# Recreate one of those with a non-default master username set explicitly at creation.
aws rds restore-db-cluster-from-snapshot \
  --db-cluster-identifier prod-orders-db-v2 \
  --snapshot-identifier prod-orders-db-pre-rename \
  --engine aurora-postgresql

Full walkthrough (console steps, edge cases and verification) in the lesson Harden database auth, ports and access.

Is DocumentDB.4 a false positive?

Enabling auditing is a two-step process — setting the `audit_logs` parameter alone, without also enabling the CloudWatch Logs export, means no logs ever reach CloudWatch and the control still fails even though it feels like auditing is on.
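The four remediation steps above and the two-step trap described in this section, carried out with the AWS CLI as an added example (this is not Emnode's remediation script and not part of the lesson). The cluster id, parameter group name, family, retention period and the key ordering in the CLI's JSON are assumptions; `DRY_RUN=1` (the default) prints the commands instead of calling AWS, so the script runs offline. The status check reads `describe-db-cluster-parameters` and `describe-db-clusters` output and reports separately the case where `audit_logs` is set but the `audit` log type is not exported:

```shell
#!/bin/sh
# Added example: DocumentDB.4 remediation and verification with the AWS CLI.
# Not Emnode's script. CLUSTER_ID, PARAM_GROUP, FAMILY and RETENTION_DAYS are
# placeholders; DRY_RUN=1 (the default) only prints the commands it would run.
set -eu

CLUSTER_ID="${CLUSTER_ID:-example-docdb-cluster}"   # placeholder cluster id
PARAM_GROUP="${PARAM_GROUP:-docdb-audited}"         # placeholder group name
FAMILY="${FAMILY:-docdb5.0}"                        # must match the cluster's engine version
RETENTION_DAYS="${RETENTION_DAYS:-365}"             # assumed retention; set per your policy

run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "+ $*"; else "$@"; fi; }

# Step 1: a custom cluster parameter group with audit_logs enabled.
enable_audit_parameter() {
  run aws docdb create-db-cluster-parameter-group \
    --db-cluster-parameter-group-name "$PARAM_GROUP" \
    --db-parameter-group-family "$FAMILY" \
    --description "DocumentDB.4: audit logging enabled"
  run aws docdb modify-db-cluster-parameter-group \
    --db-cluster-parameter-group-name "$PARAM_GROUP" \
    --parameters "ParameterName=audit_logs,ParameterValue=enabled,ApplyMethod=immediate"
}

# Step 1 (attach the group) and step 2 (export the audit log type) in one call.
enable_audit_export() {
  run aws docdb modify-db-cluster \
    --db-cluster-identifier "$CLUSTER_ID" \
    --db-cluster-parameter-group-name "$PARAM_GROUP" \
    --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}' \
    --apply-immediately
}

# Step 3: retention on the log group DocumentDB writes audit events to.
set_retention() {
  run aws logs put-retention-policy \
    --log-group-name "/aws/docdb/$CLUSTER_ID/audit" \
    --retention-in-days "$RETENTION_DAYS"
}

# Verification helpers. Each reads CLI JSON passed as $1 with whitespace stripped
# and assumes ParameterName precedes ParameterValue in the output.
check_audit_parameter() {
  val=$(printf '%s' "$1" | tr -d ' \n' \
    | sed -n 's/.*"ParameterName":"audit_logs","ParameterValue":"\([^"]*\)".*/\1/p')
  [ -n "$val" ] && [ "$val" != "disabled" ]
}

check_audit_export() {
  printf '%s' "$1" | tr -d ' \n' \
    | grep -Eq '"EnabledCloudwatchLogsExports":\[[^]]*"audit"'
}

# Reports the control state, separating the "parameter set, export missing" case.
documentdb4_status() {
  if ! check_audit_parameter "$1"; then
    echo "FAILED: audit_logs parameter is disabled"
  elif ! check_audit_export "$2"; then
    echo "FAILED: audit_logs is set but the audit log type is not exported to CloudWatch"
  else
    echo "PASSED"
  fi
}

# Constructed sample output standing in for the two describe calls: the parameter is
# set but only the profiler log is exported, which is the half-enabled case.
SAMPLE_PARAMS='{"Parameters":[{"ParameterName":"audit_logs","ParameterValue":"enabled"}]}'
SAMPLE_CLUSTER='{"DBClusters":[{"DBClusterIdentifier":"example-docdb-cluster","EnabledCloudwatchLogsExports":["profiler"]}]}'

enable_audit_parameter
enable_audit_export
set_retention
documentdb4_status "$SAMPLE_PARAMS" "$SAMPLE_CLUSTER"
```

Run it with `DRY_RUN=0` and real values once the printed commands look right; the status function is the part worth keeping in a compliance check, since Security Hub only looks at the export and a parameter-only change will keep failing.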

Part of the learning path Tighten your databases