Amazon DocumentDB (with MongoDB compatibility) - AWS GovCloud (US)

Amazon DocumentDB (with MongoDB compatibility)

Amazon DocumentDB (with MongoDB compatibility) is a fast, scalable, highly available, and fully managed document database service that supports MongoDB workloads. As a document database, Amazon DocumentDB makes it easy to store, query, and index JSON data.

Amazon DocumentDB is a non-relational database service designed from the ground up to give you the performance, scalability, and availability you need when operating mission-critical MongoDB workloads at scale. In Amazon DocumentDB, storage and compute are decoupled, allowing each to scale independently. You can increase read capacity to millions of requests per second by adding up to 15 low-latency read replicas in minutes, regardless of the size of your data.

How Amazon DocumentDB Differs for AWS GovCloud (US)

  • Copying cluster snapshots from other AWS Regions to the AWS GovCloud (US) Regions or from AWS GovCloud (US) Regions to other regions is not supported.

Documentation for Amazon DocumentDB

Amazon DocumentDB documentation.

ITAR Boundary

AWS GovCloud (US) has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in AWS GovCloud (US) Regions. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in AWS GovCloud (US) Regions, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

Amazon DocumentDB master passwords are protected as ITAR-regulated data. All data stored and processed in Amazon DocumentDB database collections can contain ITAR-regulated data. You cannot transfer ITAR-regulated data in and out of your Amazon DocumentDB cluster using the API or CLI. You must use database client-side tools, which connect to the cluster endpoint rather than to the AWS service API, for data transfer of ITAR-regulated data.

ITAR-Regulated Data Not Permitted

Amazon DocumentDB metadata is not permitted to contain ITAR-regulated data. This metadata includes all configuration data that you enter when creating and maintaining your Amazon DocumentDB cluster except the master password.

Do not enter ITAR-regulated data in the following fields:

  • Cluster Identifier

  • Instance identifier

  • Master user name

  • Database name

  • Snapshot name

  • Security group name

  • Security group description

  • Cluster parameter group name

  • Cluster parameter group description

  • Subnet group name

  • Subnet group description

  • Resource tags

If you are processing ITAR-regulated data with Amazon DocumentDB, follow these guidelines in order to maintain ITAR compliance:

  • When you use the console or the AWS APIs, the only data field that is protected as ITAR-regulated data is the Amazon DocumentDB Master Password.

  • After you create your cluster, change the master password of your Amazon DocumentDB cluster by directly using the AWS Management Console or AWS CLI.

  • You can enter ITAR-regulated data into any data fields by using your database client-side tools. Do not pass ITAR-regulated data by using the web service APIs that are provided by Amazon DocumentDB.

  • To secure ITAR-regulated data in your VPC, set up network access control lists (network ACLs) to control traffic entering and exiting your VPC. If you have multiple databases configured with different ports, set up network ACL rules for all of those ports.

    • For example, if you're running an application server on an Amazon EC2 instance that connects to an Amazon DocumentDB cluster, a non-U.S. person could reconfigure the DNS to redirect ITAR-regulated data out of the VPC and into any server that might be outside of the AWS GovCloud (US-West) Region.

      To prevent this type of attack and to maintain ITAR compliance, use network ACLs to prevent network traffic from exiting the VPC on the database port. For more information, see Network ACLs in the Amazon VPC User Guide.

    • For each database instance that contains ITAR-regulated data, ensure that only specific CIDR ranges and Amazon EC2 security groups can access the cluster, especially when an Internet gateway is attached to the VPC. Only allow connections that are from the AWS GovCloud (US-West) Region or other ITAR-controlled environments to ITAR-controlled clusters.
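The following script is an added example (not AWS's code or part of this page) that models how a network ACL evaluates the egress rules described above, so you can check a proposed rule set before applying it. Entries use the field names that `aws ec2 describe-network-acls` returns (RuleNumber, Protocol, RuleAction, Egress, CidrBlock, PortRange), so a real ACL's entries can be pasted in. The VPC range 10.0.0.0/16 and the addresses 10.0.5.7 and 203.0.113.10 are constructed for the example; 27017 is the DocumentDB default port.

```python
"""Check that a VPC network ACL keeps DocumentDB traffic (TCP 27017) inside the
VPC, modelling the DNS-redirect scenario described above.

Network ACLs are stateless and evaluated in ascending RuleNumber order; the
first matching rule wins, and AWS appends an implicit deny-all rule ("*") that
is modelled here as the default result.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"   # constructed VPC range for the example
DOCDB_PORT = 27017         # Amazon DocumentDB default port

# Constructed: the default ACL created with a VPC allows all egress, so an
# application server whose DNS has been redirected can push data anywhere.
WEAK_EGRESS = [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
]

# Constructed hardened ACL: allow the DB port only to addresses inside the VPC,
# deny the DB port everywhere else, then let other traffic (e.g. HTTPS to AWS
# service endpoints) continue. Lower rule numbers are evaluated first.
HARDENED_EGRESS = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": VPC_CIDR, "PortRange": {"From": DOCDB_PORT, "To": DOCDB_PORT}},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "deny", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": DOCDB_PORT, "To": DOCDB_PORT}},
    {"RuleNumber": 120, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
]


def _proto_port_match(entry, protocol, port):
    """True if the entry covers this IP protocol number and destination port."""
    if entry["Protocol"] not in ("-1", protocol):
        return False
    pr = entry.get("PortRange")          # absent means all ports
    return pr is None or pr["From"] <= port <= pr["To"]


def _matches(entry, protocol, port, ip):
    return _proto_port_match(entry, protocol, port) and \
        ipaddress.ip_address(ip) in ipaddress.ip_network(entry["CidrBlock"], strict=False)


def evaluate(entries, egress, protocol, port, ip):
    """Return 'allow' or 'deny' for one packet, as the network ACL would."""
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if entry["Egress"] == egress and _matches(entry, protocol, port, ip):
            return entry["RuleAction"]
    return "deny"                        # implicit final deny rule


def db_port_egress_blocked(entries, vpc_cidr, port=DOCDB_PORT):
    """Structural audit: every egress rule that allows the DB port must be
    confined to the VPC range, unless a lower-numbered deny for 0.0.0.0/0 on
    that port already precedes it. Returns True when the ACL passes."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    denied_all = False
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if not entry["Egress"] or not _proto_port_match(entry, "6", port):
            continue
        cidr = ipaddress.ip_network(entry["CidrBlock"], strict=False)
        if entry["RuleAction"] == "deny":
            if entry["CidrBlock"] == "0.0.0.0/0":
                denied_all = True
        elif not denied_all and not cidr.subnet_of(vpc):
            return False                 # DB port may leave the VPC
    return True


def to_create_entry_kwargs(network_acl_id, entry):
    """Keyword arguments for boto3 ec2.create_network_acl_entry for one entry;
    the describe-format fields are the same as the create-call parameters."""
    return {"NetworkAclId": network_acl_id, **entry}


if __name__ == "__main__":
    # DNS-redirect scenario: the app server resolves the cluster hostname to
    # an attacker-controlled address outside the VPC and connects on 27017.
    for name, acl in (("weak", WEAK_EGRESS), ("hardened", HARDENED_EGRESS)):
        print(name, "redirected:", evaluate(acl, True, "6", DOCDB_PORT, "203.0.113.10"),
              "in-VPC:", evaluate(acl, True, "6", DOCDB_PORT, "10.0.5.7"),
              "audit passes:", db_port_egress_blocked(acl, VPC_CIDR))
```

Because network ACLs are stateless, the inbound direction needs its own rules: the application server's subnet must also allow ingress TCP from the VPC range on the ephemeral port range (1024-65535) for the cluster's replies, or the in-VPC connection that rule 100 permits will still fail. Note that this rule set only closes the database port; other egress remains open via rule 120, so if the ITAR-controlled data could leave on another port, tighten that rule too.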

If you are processing ITAR-regulated data with this service, use the SSL (HTTPS) endpoint to maintain ITAR compliance. For a list of endpoints, see Service Endpoints.