Compliance · Medium severity

AWS Security Hub · DocumentDB

DocumentDB.6: DocumentDB clusters should encrypt in transit

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub DocumentDB.6 check?

DocumentDB.6 checks whether an Amazon DocumentDB cluster requires TLS for every client connection. The control reads the `tls` parameter of the cluster parameter group attached to the cluster and reports FAILED when that parameter is `disabled`, or when the parameter group has been edited but the change has not yet been applied to the cluster's instances (the group shows as out of sync, i.e. pending reboot). The TLS-requiring values are `tls1.2+`, `tls1.3+`, and `fips-140-3`.

Why does DocumentDB.6 matter?

In-transit encryption is the difference between a query readable by anything sniffing the network and one that isn't. Encryption at rest (DocumentDB.1) protects the bytes on disk; TLS protects the same bytes while they move between the application and the database. A cluster can be perfectly encrypted at rest and still leak every credential and record over an unencrypted wire, which is exactly the gap this control closes.

How do I fix DocumentDB.6?

  1. Confirm every client is TLS-capable and trusts the Amazon DocumentDB CA bundle before changing the server side; once `tls` is enforced, plaintext clients are refused.
  2. Set the `tls` parameter to a TLS-requiring value in a custom cluster parameter group (the default group is read-only) and attach that group to the cluster.
  3. Reboot every instance in the cluster. `tls` is a static parameter, so the change stays pending until each member instance restarts.
  4. Make the hardened parameter group the provisioning default (for example in the IaC module that creates clusters) so the finding does not recur.

Remediation script · bash

# Inventory candidates across engines: every RDS instance (its parameter group is
# inspected below) and every ElastiCache replication group that still permits
# plaintext connections.
aws rds describe-db-instances \
  --query 'DBInstances[].DBInstanceIdentifier' --output text
aws elasticache describe-replication-groups \
  --query 'ReplicationGroups[?TransitEncryptionEnabled==`false`].ReplicationGroupId' \
  --output text

# RDS for PostgreSQL: require TLS via rds.force_ssl (static -> needs a reboot).
PG=$(aws rds describe-db-instances --db-instance-identifier prod-orders-pg \
  --query 'DBInstances[].DBParameterGroups[].DBParameterGroupName' --output text)
aws rds modify-db-parameter-group --db-parameter-group-name "$PG" \
  --parameters 'ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=pending-reboot'
aws rds reboot-db-instance --db-instance-identifier prod-orders-pg

# Redshift: require_ssl on a custom cluster parameter group, then reboot.
aws redshift modify-cluster-parameter-group --parameter-group-name analytics-tls \
  --parameters ParameterName=require_ssl,ParameterValue=true
aws redshift reboot-cluster --cluster-identifier analytics-prod

Full walkthrough (console steps, edge cases and verification) in the lesson Enforce TLS on database and cache connections.

Is DocumentDB.6 a false positive?

Usually not. The setting lives in the cluster parameter group, not on the cluster itself, and `tls` is a static parameter: editing it without rebooting the member instances leaves the group out of sync with the cluster, and the control keeps reporting FAILED even though the parameter value looks correct. Check the parameter-group status of each instance in the cluster before treating the finding as noise.
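The remediation steps above and the out-of-sync case in this section are carried out for DocumentDB in the following script. It is an added example and not Emnode's remediation script. The cluster name (`prod-orders-docdb`), the custom parameter-group name and engine family (`prod-docdb-tls`, `docdb5.0`), and the chosen value `tls1.2+` are placeholders; `docdb_tls_verdict` is a local helper that mirrors the control's decision (parameter value plus each instance's parameter-group sync status) so it can be exercised without AWS credentials, and it flags values the page does not classify (such as `enabled`) for manual review rather than guessing.

```shell
#!/usr/bin/env bash
# Added example, not Emnode's script: DocumentDB.6 check and remediation.
# Assumed placeholders (not from the page): cluster, group, family, tls value.
set -eu

CLUSTER="${CLUSTER:-prod-orders-docdb}"       # assumed cluster identifier
PARAM_GROUP="${PARAM_GROUP:-prod-docdb-tls}"  # assumed custom group name
FAMILY="${FAMILY:-docdb5.0}"                  # assumed engine family
TLS_VALUE="${TLS_VALUE:-tls1.2+}"             # one of the TLS-requiring values

# Decision logic mirroring the control: the group's tls value, and whether a
# member instance has applied the group (DBClusterParameterGroupStatus is
# "in-sync" or "pending-reboot"). Out of sync fails regardless of the value.
docdb_tls_verdict() {
  value="$1"; sync="$2"
  if [ "$sync" != "in-sync" ]; then
    echo "FAIL:parameter-group-${sync}"; return 0
  fi
  case "$value" in
    disabled)                   echo "FAIL:tls-disabled" ;;
    tls1.2+|tls1.3+|fips-140-3) echo "PASS:${value}" ;;
    *)                          echo "REVIEW:unclassified-${value}" ;;  # e.g. "enabled"
  esac
}

# Live check: read the attached group's tls value, then each member's status.
docdb_tls_check() {
  group=$(aws docdb describe-db-clusters --db-cluster-identifier "$CLUSTER" \
    --query 'DBClusters[0].DBClusterParameterGroup' --output text)
  value=$(aws docdb describe-db-cluster-parameters \
    --db-cluster-parameter-group-name "$group" \
    --query "Parameters[?ParameterName=='tls'].ParameterValue" --output text)
  aws docdb describe-db-clusters --db-cluster-identifier "$CLUSTER" \
    --query 'DBClusters[0].DBClusterMembers[].[DBInstanceIdentifier,DBClusterParameterGroupStatus]' \
    --output text |
  while read -r member sync; do
    printf '%s %s tls=%s -> %s\n' "$CLUSTER" "$member" "$value" \
      "$(docdb_tls_verdict "$value" "$sync")"
  done
}

# Remediation: default groups are read-only, so create a custom group, set tls
# (static, hence pending-reboot), attach it, then reboot every member instance.
docdb_tls_fix() {
  aws docdb create-db-cluster-parameter-group \
    --db-cluster-parameter-group-name "$PARAM_GROUP" \
    --db-parameter-group-family "$FAMILY" \
    --description "Require TLS (DocumentDB.6)" 2>/dev/null || true   # may already exist
  aws docdb modify-db-cluster-parameter-group \
    --db-cluster-parameter-group-name "$PARAM_GROUP" \
    --parameters "ParameterName=tls,ParameterValue=${TLS_VALUE},ApplyMethod=pending-reboot"
  aws docdb modify-db-cluster --db-cluster-identifier "$CLUSTER" \
    --db-cluster-parameter-group-name "$PARAM_GROUP" --apply-immediately
  for member in $(aws docdb describe-db-clusters --db-cluster-identifier "$CLUSTER" \
      --query 'DBClusters[0].DBClusterMembers[].DBInstanceIdentifier' --output text); do
    aws docdb reboot-db-instance --db-instance-identifier "$member"
  done
}

# Only call AWS when asked; sourcing the file just defines the functions.
case "${DOCDB_ACTION:-}" in
  check) docdb_tls_check ;;
  fix)   docdb_tls_fix && docdb_tls_check ;;
esac
```

Run `DOCDB_ACTION=check` first; a line ending in `FAIL:parameter-group-pending-reboot` is the false-positive case from this section and only needs the reboot, not another parameter edit. Run `DOCDB_ACTION=fix` only after step 1 is done: verify each application can connect with TLS (for mongosh, `--tls --tlsCAFile` pointing at the Amazon DocumentDB CA bundle) before the reboot, because after it plaintext connections are refused.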

Part of the learning path Encrypt everything