aquasecurity · SyedKhizerAli · Nov 27, 2025 · Nov 28, 2025
diff --git a/exports.js b/exports.js
@@ -656,6 +656,7 @@ module.exports = {
         'docdbClusterBackupRetention'   : require(__dirname + '/plugins/aws/documentDB/docdbClusterBackupRetention.js'),
         'docdbCertificateRotated'       : require(__dirname + '/plugins/aws/documentDB/docdbCertificateRotated.js'),
         'docdbClusterProfilerEnabled'   : require(__dirname + '/plugins/aws/documentDB/docdbClusterProfilerEnabled.js'),
+        'docdbAuditLoggingEnabled'      : require(__dirname + '/plugins/aws/documentDB/docdbAuditLoggingEnabled.js'),
 
         'instanceMediaStreamsEncrypted' : require(__dirname + '/plugins/aws/connect/instanceMediaStreamsEncrypted.js'),
         'instanceTranscriptsEncrypted'  : require(__dirname + '/plugins/aws/connect/instanceTranscriptsEncrypted.js'),

diff --git a/plugins/aws/documentDB/docdbAuditLoggingEnabled.js b/plugins/aws/documentDB/docdbAuditLoggingEnabled.js
@@ -0,0 +1,57 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+    title: 'DocumentDB Audit Logging Enabled',
+    category: 'DocumentDB',
+    domain: 'Databases',
+    severity: 'Medium',
+    description: 'Ensure that audit logging is enabled for DocumentDB clusters ',
+    more_info: 'Audit logging in Amazon DocumentDB provides visibility into authentication events, queries, and data changes. It helps detect unauthorized access, supports troubleshooting, and meets compliance requirements. Logs should be sent to CloudWatch or a SIEM for centralized monitoring and alerting.',
+    recommended_action: 'Modify DocumentDB cluster and enable audit logging feature.',
+    link: 'https://docs.aws.amazon.com/documentdb/latest/developerguide/profiling.html',
+    apis: ['DocDB:describeDBClusters'],
+    realtime_triggers: ['docdb:CreateDBCluster','docdb:ModifyDBCluster','docdb:DeleteDBCluster'],
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var regions = helpers.regions(settings);
+
+        async.each(regions.docdb, function(region, rcb){
+            var describeDBClusters = helpers.addSource(cache, source,
+                ['docdb', 'describeDBClusters', region]);
+
+            if (!describeDBClusters) return rcb();
+
+            if (describeDBClusters.err || !describeDBClusters.data) {
+                helpers.addResult(results, 3,
+                    `Unable to list DocumentDB clusters: ${helpers.addError(describeDBClusters)}`, region);
+                return rcb();
+            }
+
+            if (!describeDBClusters.data.length) {
+                helpers.addResult(results, 0,
+                    'No DocumentDB clusters found', region);
+                return rcb();
+            }
+
+            for (let cluster of describeDBClusters.data) {
+                if (!cluster.DBClusterArn) continue;
+
+                if (cluster.EnabledCloudwatchLogsExports &&
+                    cluster.EnabledCloudwatchLogsExports.length &&
+                    cluster.EnabledCloudwatchLogsExports.includes('audit')) {
+                    helpers.addResult(results, 0, 'DocumentDB cluster has audit logging enabled', region, cluster.DBClusterArn);
+                } else {
+                    helpers.addResult(results, 2, 'DocumentDB cluster does not have audit logging enabled', region, cluster.DBClusterArn);
+                }
+            }
+
+            rcb();
+        }, function(){
+            callback(null, results, source);
+        });
+    }
+};
+
diff --git a/plugins/aws/documentDB/docdbAuditLoggingEnabled.spec.js b/plugins/aws/documentDB/docdbAuditLoggingEnabled.spec.js
@@ -0,0 +1,111 @@
+var expect = require('chai').expect;
+var docdbAuditLoggingEnabled = require('./docdbAuditLoggingEnabled');
+
+const describeDBClusters = [
+    {
+      AvailabilityZones: [],
+      BackupRetentionPeriod: 1,
+      DBClusterArn: 'arn:aws:rds:us-east-1:000011112222:cluster:docdb-2021-11-10-10-16-10',
+      DBClusterIdentifier: 'docdb-2021-11-10-10-16-10',
+      DBClusterParameterGroup: 'default.docdb4.0',
+      DBSubnetGroup: 'default-vpc-99de2fe4',
+      Status: 'available',
+      DeletionProtection: true,
+      EnabledCloudwatchLogsExports: [ "audit", "profiler"]
+    },
+    {
+      AvailabilityZones: [],
+      BackupRetentionPeriod: 10,
+      DBClusterArn: 'arn:aws:rds:us-east-1:000011112223:cluster:docdb-2021-11-10-10-16-10',
+      DBClusterIdentifier: 'docdb-2021-11-10-10-16-10',
+      DBClusterParameterGroup: 'default.docdb4.0',
+      DBSubnetGroup: 'default-vpc-99de2fe4',
+      Status: 'available',
+      DeletionProtection: false,
+      EnabledCloudwatchLogsExports: [ "profiler"]
+    },
+    {
+      AvailabilityZones: [],
+      BackupRetentionPeriod: 10,
+      DBClusterArn: 'arn:aws:rds:us-east-1:000011112224:cluster:docdb-2021-11-10-10-16-10',
+      DBClusterIdentifier: 'docdb-2021-11-10-10-16-10',
+      DBClusterParameterGroup: 'default.docdb4.0',
+      DBSubnetGroup: 'default-vpc-99de2fe4',
+      Status: 'available',
+      DeletionProtection: false,
+      EnabledCloudwatchLogsExports: []
+    }
+];
+
+const createCache = (clusters, clustersErr) => {
+    return {
+        docdb: {
+            describeDBClusters: {
+                'us-east-1': {
+                    err: clustersErr,
+                    data: clusters
+                },
+            },
+        }
+    };
+};
+
+describe('docdbAuditLoggingEnabled', function () {
+    describe('run', function () {
+        it('should PASS if DocumentDB Cluster has audit logging enabled', function (done) {
+            const cache = createCache([describeDBClusters[0]]);
+            docdbAuditLoggingEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('DocumentDB cluster has audit logging enabled');
+                expect(results[0].region).to.equal('us-east-1');
+                done();
+            });
+        });
+
+        it('should FAIL if DocumentDB Cluster does not have audit logging enabled', function (done) {
+            const cache = createCache([describeDBClusters[1]]);
+            docdbAuditLoggingEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('DocumentDB cluster does not have audit logging enabled');
+                expect(results[0].region).to.equal('us-east-1');
+                done();
+            });
+        });
+
+        it('should FAIL if DocumentDB Cluster has empty EnabledCloudwatchLogsExports', function (done) {
+            const cache = createCache([describeDBClusters[2]]);
+            docdbAuditLoggingEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('DocumentDB cluster does not have audit logging enabled');
+                expect(results[0].region).to.equal('us-east-1');
+                done();
+            });
+        });
+
+        it('should PASS if no DocumentDB Clusters found', function (done) {
+            const cache = createCache([]);
+            docdbAuditLoggingEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No DocumentDB clusters found');
+                expect(results[0].region).to.equal('us-east-1');
+                done();
+            });
+        });
+
+        it('should UNKNOWN if unable to list DocumentDB Clusters', function (done) {
+            const cache = createCache(null,  { message: "Unable to list DocumentDB Clusters" });
+            docdbAuditLoggingEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to list DocumentDB clusters:');
+                expect(results[0].region).to.equal('us-east-1');
+                done();
+            });
+        });
+    });
+});
+