Description

Identifies AWS DocumentDB clusters that have audit logging disabled. DocumentDB audit logs are critical for security monitoring as they record database activities, user access, and modifications. Disabled audit logging creates compliance risks and makes it harder to detect suspicious activities.

Detection Strategy

• Scans all DocumentDB clusters in the specified AWS region

• Examines each cluster's parameter group settings, specifically checking the 'audit_logs' parameter

• Reports a vulnerability if a cluster's audit_logs parameter is explicitly set to 'disabled'

• Each vulnerability includes the cluster's ARN and the parameter group name where audit logging is disabled