AWS for Industries

Financial Services Spotlight: Featuring Amazon DocumentDB

In this edition of the Financial Services Industry (FSI) Services Spotlight monthly blog series, we highlight five key considerations that FSI customers should focus on to help streamline cloud service approval for Amazon DocumentDB. Each of the five key considerations includes specific guidance, suggested reference architectures, and technical code that teams can adopt to facilitate service approval for the featured service. Adapt this guidance to suit your particular use case and environment.

Amazon DocumentDB is a fully managed native JSON document database that makes it easy and cost effective to operate critical document workloads at virtually any scale without managing infrastructure. Amazon DocumentDB simplifies your architecture by providing built-in security best practices, continuous backups, and native integrations with other AWS services.

Amazon DocumentDB is compatible with the MongoDB 3.6, 4.0, and 5.0 APIs. Its purpose-built, distributed, fault-tolerant, and self-healing storage system gives customers the performance, scalability, and availability they need when operating mission-critical workloads at scale. The storage system automatically scales up to 128 TiB in instance-based clusters and 4 PiB in Amazon DocumentDB Elastic Clusters, with little to no impact on your application. Amazon DocumentDB can scale out to millions of requests per second with up to 15 read replicas without application downtime, regardless of the size of your data.

Figure 1: Amazon DocumentDB

Amazon DocumentDB use cases in the FSI

FINRA, a non-profit that safeguards investors and market integrity, chose Amazon DocumentDB to modernize its data collection. Before the migration, FINRA relied on a relational database that stored data in XML format, which limited query performance and carried ongoing maintenance costs. Amazon DocumentDB has allowed FINRA to focus on its core mission of protecting investors and maintaining market integrity; you can read FINRA’s case study for more details.

Atreyu Group is a brokerage firm that enables financial traders to execute trades quickly and reliably. The brokerage firm needed to reduce latency and improve the reliability of its trading system to serve its clients better. Amazon DocumentDB has empowered Atreyu Group to focus more on its core business, providing them with operational excellence and a competitive edge. You can review Atreyu Group’s case study for more details.

Khatabook, a leading digital ledger application in India, offers a platform that simplifies financial management for over 10 million monthly active users. One of the key technologies powering this success is Amazon DocumentDB. Khatabook can now automate scaling, improve resource utilization, and enhance reliability using Amazon DocumentDB.

Capital One has been a disruptor in the financial services industry since 1994, using technology to transform banking and payments. As part of its digital transformation journey, Capital One adopted several purpose-built AWS databases to help manage data at large scale and accelerate innovation. With Amazon DocumentDB, its developers are able to move faster and focus more on innovating on behalf of customers rather than managing a database. You can view the re:Invent presentation for more details.

Achieving compliance with Amazon DocumentDB

Amazon DocumentDB is a managed service. Third-party auditors regularly assess its security and compliance as part of multiple AWS compliance programs. Under the AWS shared responsibility model, the Amazon DocumentDB service is in scope for the following compliance programs. You can obtain the corresponding compliance reports under an AWS non-disclosure agreement (NDA) through AWS Artifact.

  • CCCS Medium
  • FINMA
  • HIPAA
  • HITRUST CSF
  • IRAP
  • ISMAP
  • ISO and CSA STAR certified
  • SOC 1, 2, 3
  • OSPAR
  • MTCS
  • PCI
  • Pinakes
  • PituKri

Your scope of the shared responsibility model when using Amazon DocumentDB is determined by the sensitivity of your data, your organization’s compliance objectives, and applicable laws and regulations. AWS provides several resources for compliance validation.

Data protection with Amazon DocumentDB

Data protection is the process of preventing critical information from being corrupted, compromised, or lost. Encryption is a recommended practice for ensuring the confidentiality and integrity of the data in transit and at rest.

Key Management

Amazon DocumentDB uses AWS Key Management Service (AWS KMS) to retrieve and manage encryption keys. AWS KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud. Using AWS KMS, you can create encryption keys and define the policies that control how these keys can be used. Your AWS KMS keys can be used in combination with Amazon DocumentDB and supported AWS services such as Amazon Simple Storage Service (Amazon S3), Amazon Relational Database Service (Amazon RDS) and Amazon Elastic Block Store (Amazon EBS).

Client-side field-level encryption

Amazon DocumentDB Client-Side Field Level Encryption (CSFLE) is a feature that allows you to encrypt sensitive data at the field level within your application before transferring it to an Amazon DocumentDB cluster. This feature adds a layer of security, ensuring that sensitive information such as Social Security numbers, account details, or personally identifiable information is encrypted before it ever leaves your application. The encryption and decryption processes are transparent to the application, and the keys used for encryption are managed securely through AWS KMS. Sensitive data remains encrypted when stored and processed in a cluster, so a compromise of the cluster or its backups alone does not expose the plaintext. For more information, see the client-side field-level encryption blog.

At-Rest Encryption

Amazon DocumentDB uses the 256-bit Advanced Encryption Standard (AES-256) to encrypt data using encryption keys stored in AWS KMS. When you create your cluster, you encrypt data at rest in the Amazon DocumentDB cluster by specifying the storage encryption option. Storage encryption is enabled cluster-wide and applied to all instances, including the primary and replicas. It also applies to your cluster’s storage volume, data, indexes, logs, automated backups, and snapshots. Amazon DocumentDB at-rest encryption can be enabled using the AWS Management Console and the AWS Command Line Interface (AWS CLI). Note that the encryption setting is fixed when the cluster is created and cannot be toggled afterward, so make the decision, and the choice of a customer managed KMS key, part of the cluster provisioning standard rather than a later remediation step.

In Transit Encryption

Amazon DocumentDB enables encryption in transit by default for new clusters through the tls cluster parameter, which you can change during or after the creation process by modifying the cluster parameter group. The best practice is to keep Transport Layer Security (TLS) enabled to encrypt the connection between an application and an Amazon DocumentDB cluster. When encryption in transit is enabled, secure connections using TLS are required to connect to the cluster, and clients should verify the server certificate against the Amazon CA bundle rather than disabling certificate validation.

Isolation of compute environments with Amazon DocumentDB

Amazon DocumentDB is a managed service protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see AWS Cloud Security. When managing Amazon DocumentDB, you use the AWS published API, which you can call from any network location and restrict with IAM policies. The clusters themselves are deployed only inside an Amazon Virtual Private Cloud (Amazon VPC): they have no public endpoint, and the security groups and subnet group you attach determine which sources can reach the database port, effectively isolating network access to a given Amazon DocumentDB resource within the AWS network.
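The key management, at-rest, in-transit and isolation sections above each describe a setting a reviewer has to confirm before approving a cluster. The following is an added example, not code from the post or from AWS, that checks all of them offline from the data the docdb, ec2 and kms APIs return: is storage encrypted with an enabled customer managed KMS key, is the tls cluster parameter enabled, is auditing turned on and exported to CloudWatch Logs, is deletion protection set, and does any security group expose the database port to a range wider than a /24. The dictionaries mirror the boto3 response shapes; every sample value, the /24 limit and the default port 27017 are assumptions to tune for your environment.

```python
"""Offline posture check for an Amazon DocumentDB cluster.

Added example, not code from the post or from AWS. The dictionaries mirror the
shapes boto3 returns for docdb.describe_db_clusters,
docdb.describe_db_cluster_parameters, ec2.describe_security_groups and
kms.describe_key; every sample value below is constructed. The /24 ingress
limit and the 27017 default port are assumptions to tune for your environment.
"""
import ipaddress


def is_customer_managed_key(key_metadata):
    # KMS reports KeyManager "AWS" for the aws/rds managed key and "CUSTOMER"
    # for a key you created, whose key policy and rotation you control.
    return (key_metadata.get("KeyManager") == "CUSTOMER"
            and key_metadata.get("KeyState") == "Enabled")


def open_ingress(security_groups, port, max_prefix=24):
    """Return (group id, CIDR) pairs that reach `port` from wider than a /24."""
    wide = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if perm.get("IpProtocol") not in ("tcp", "-1") or not lo <= port <= hi:
                continue
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if net.prefixlen < max_prefix:
                    wide.append((sg["GroupId"], rng["CidrIp"]))
    return wide


def check_cluster(cluster, parameters, security_groups, key_metadata):
    """Return a list of findings; an empty list means the cluster passes."""
    findings = []
    port = cluster.get("Port", 27017)
    if not cluster.get("StorageEncrypted"):
        findings.append("storage encryption is off and cannot be enabled after creation")
    elif not is_customer_managed_key(key_metadata):
        findings.append("storage key is not an enabled customer managed KMS key")

    params = {p["ParameterName"]: p.get("ParameterValue") for p in parameters}
    if params.get("tls") == "disabled":
        findings.append("cluster parameter tls=disabled; clear-text connections accepted")
    if params.get("audit_logs", "disabled") == "disabled":
        findings.append("cluster parameter audit_logs=disabled; nothing is audited")
    elif "audit" not in cluster.get("EnabledCloudwatchLogsExports", []):
        findings.append("audit events are generated but not exported to CloudWatch Logs")

    if not cluster.get("DeletionProtection"):
        findings.append("deletion protection is off")
    for group_id, cidr in open_ingress(security_groups, port):
        findings.append(f"security group {group_id} allows port {port} from {cidr}")
    return findings


def fetch_live(cluster_id, region):
    """Pull the same four inputs from a live account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline demo does not need it
    docdb = boto3.client("docdb", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    kms = boto3.client("kms", region_name=region)
    cluster = docdb.describe_db_clusters(DBClusterIdentifier=cluster_id)["DBClusters"][0]
    params = docdb.describe_db_cluster_parameters(  # first page only
        DBClusterParameterGroupName=cluster["DBClusterParameterGroup"])["Parameters"]
    groups = ec2.describe_security_groups(
        GroupIds=[g["VpcSecurityGroupId"] for g in cluster["VpcSecurityGroups"]])["SecurityGroups"]
    key = kms.describe_key(KeyId=cluster["KmsKeyId"])["KeyMetadata"] if cluster.get("KmsKeyId") else {}
    return cluster, params, groups, key


# Constructed sample: a cluster left on defaults that a service approval review would flag.
WEAK_CLUSTER = {"DBClusterIdentifier": "fsi-ledger", "StorageEncrypted": True,
                "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example",
                "Port": 27017, "EnabledCloudwatchLogsExports": [], "DeletionProtection": False}
WEAK_PARAMS = [{"ParameterName": "tls", "ParameterValue": "disabled"},
               {"ParameterName": "audit_logs", "ParameterValue": "disabled"}]
WEAK_GROUPS = [{"GroupId": "sg-0a1b2c3d", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]
AWS_MANAGED_KEY = {"KeyManager": "AWS", "KeyState": "Enabled"}

# Constructed sample: the same cluster after remediation.
HARDENED_CLUSTER = dict(WEAK_CLUSTER, EnabledCloudwatchLogsExports=["audit"], DeletionProtection=True)
HARDENED_PARAMS = [{"ParameterName": "tls", "ParameterValue": "enabled"},
                   {"ParameterName": "audit_logs", "ParameterValue": "all"}]
HARDENED_GROUPS = [{"GroupId": "sg-0a1b2c3d", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
     "IpRanges": [{"CidrIp": "10.20.30.0/24"}]}]}]
CUSTOMER_KEY = {"KeyManager": "CUSTOMER", "KeyState": "Enabled"}

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_CLUSTER, WEAK_PARAMS, WEAK_GROUPS, AWS_MANAGED_KEY)),
                        ("hardened", (HARDENED_CLUSTER, HARDENED_PARAMS, HARDENED_GROUPS, CUSTOMER_KEY))):
        print(label, check_cluster(*args) or ["no findings"])
```

Against the constructed weak cluster the check returns five findings (AWS managed key, tls disabled, auditing disabled, no deletion protection, port open to 0.0.0.0/0) and none against the hardened one. The storage encryption finding is deliberately worded as unfixable in place: the only remediation is to provision a new encrypted cluster and migrate.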

Automating audits with APIs with Amazon DocumentDB

You can audit events performed in your Amazon DocumentDB cluster. Examples of logged events include:

  • Successful and failed authentication attempts.
  • Creating and dropping a collection in a database.
  • Creating and dropping an index.
  • Creating and dropping a database.

By default, auditing is disabled on Amazon DocumentDB, and you must opt in to use this feature: set the audit_logs cluster parameter and enable export of the audit log to Amazon CloudWatch Logs on the cluster, since setting the parameter alone generates events without delivering them anywhere you can query. See Auditing Amazon DocumentDB Events for the details.

Amazon DocumentDB auditing differs from AWS CloudTrail, which records management operations performed via the AWS CLI or AWS Management Console. Amazon DocumentDB auditing focuses on operations within your cluster, covering both Data Definition Language (DDL) and Data Manipulation Language (DML) events. It allows you to monitor activities such as reads, updates, inserts, and deletions and log them to Amazon CloudWatch. For more details on DML auditing, refer to Introducing DML auditing for Amazon DocumentDB.
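Exporting the audit log is only useful if something reads it. The following is an added example, not code from the post or from AWS, of the detection logic a security operations team would run over the exported events: a burst of failed authentications from one source followed by a success, destructive DDL such as dropCollection, and writes against collections you classify as sensitive. The sample lines are constructed to match the JSON shape of the documented audit events (atype, ts, remote_ip, user, param, result); treat the field names as an assumption to verify against your own log stream before wiring this into an alert.

```python
"""Detection logic over Amazon DocumentDB audit events exported to CloudWatch Logs.

Added example, not code from the post or from AWS. SAMPLE_LOG is constructed to
follow the JSON shape of the documented audit events (atype, ts in epoch
milliseconds, remote_ip, user, param, result); verify the field names against
your own stream. Thresholds and namespaces are assumptions.
"""
import json
from collections import defaultdict

# Constructed sample: one CloudWatch Logs event per line.
SAMPLE_LOG = r"""
{"atype":"authenticate","ts":1700000000000,"remote_ip":"10.0.1.7:51230","user":"","param":{"user":"svc_ledger","mechanism":"SCRAM-SHA-1","success":false,"message":"AuthenticationFailed","db":"admin"},"result":18}
{"atype":"authenticate","ts":1700000001000,"remote_ip":"10.0.1.7:51231","user":"","param":{"user":"svc_ledger","mechanism":"SCRAM-SHA-1","success":false,"message":"AuthenticationFailed","db":"admin"},"result":18}
{"atype":"authenticate","ts":1700000002000,"remote_ip":"10.0.1.7:51232","user":"","param":{"user":"admin","mechanism":"SCRAM-SHA-1","success":false,"message":"AuthenticationFailed","db":"admin"},"result":18}
{"atype":"authenticate","ts":1700000003000,"remote_ip":"10.0.1.7:51233","user":"admin","param":{"user":"admin","mechanism":"SCRAM-SHA-1","success":true,"message":"","db":"admin"},"result":0}
{"atype":"authenticate","ts":1700000004000,"remote_ip":"10.0.2.9:40001","user":"app","param":{"user":"app","mechanism":"SCRAM-SHA-1","success":true,"message":"","db":"admin"},"result":0}
{"atype":"dropCollection","ts":1700000010000,"remote_ip":"10.0.1.7:51233","user":"admin","param":{"ns":"ledger.accounts"},"result":0}
{"atype":"delete","ts":1700000011000,"remote_ip":"10.0.2.9:40001","user":"app","param":{"command":"delete","ns":"ledger.transactions","args":{"q":{"status":"pending"}}},"result":0}
{"atype":"find","ts":1700000012000,"remote_ip":"10.0.2.9:40001","user":"app","param":{"command":"find","ns":"ledger.transactions","args":{"filter":{"account":"42"}}},"result":0}
"""

DESTRUCTIVE_DDL = {"dropCollection", "dropDatabase", "dropIndex", "dropUser", "dropRole"}
DML_WRITES = {"insert", "update", "delete"}


def parse_events(text):
    """One JSON object per non-empty line, as CloudWatch Logs delivers them."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def source_ip(event):
    # remote_ip carries host:port; the port changes per connection, the host does not.
    return event.get("remote_ip", "").rsplit(":", 1)[0]


def failed_auth_bursts(events, threshold=3, window_ms=60_000):
    """Sources with >= threshold failed logins inside window_ms.

    followed_by_success marks the case a responder cares about most: the guessing
    stopped because a credential eventually worked.
    """
    failures = defaultdict(list)
    for e in events:
        if e.get("atype") == "authenticate" and not e["param"].get("success"):
            failures[source_ip(e)].append(e["ts"])
    alerts = []
    for ip, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window_ms:
                later_ok = any(e.get("atype") == "authenticate" and e["param"].get("success")
                               and source_ip(e) == ip and e["ts"] >= stamps[i] for e in events)
                alerts.append({"ip": ip, "failures": len(stamps), "followed_by_success": later_ok})
                break
    return alerts


def destructive_ddl(events):
    """(user, atype, target) for DDL that removes data, indexes or principals."""
    return [(e["user"], e["atype"], e["param"].get("ns") or e["param"].get("db"))
            for e in events if e.get("atype") in DESTRUCTIVE_DDL]


def writes_to_sensitive(events, sensitive_ns):
    """(user, atype, namespace) for DML writes against the watched namespaces."""
    return [(e["user"], e["atype"], e["param"]["ns"]) for e in events
            if e.get("atype") in DML_WRITES and e["param"].get("ns") in sensitive_ns]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(failed_auth_bursts(evts))
    print(destructive_ddl(evts))
    print(writes_to_sensitive(evts, {"ledger.transactions", "ledger.accounts"}))
```

On the constructed sample the burst detector reports 10.0.1.7 with three failures that were followed by a successful login as admin, the DDL detector reports that same admin session dropping ledger.accounts, and the DML detector reports the app user's delete on ledger.transactions while ignoring its find. In production, feed the functions from a CloudWatch Logs subscription filter or a scheduled Logs Insights query rather than a string, and raise the threshold if your connection pools reconnect noisily.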

Operational access and security

When working with Amazon DocumentDB, adhering to specific operational guidelines is imperative for the seamless running of your operations. The Amazon DocumentDB Service Level Agreement expects you to follow guidelines such as deploying instances across multiple Availability Zones, operating within the designated service limits, automating scaling, adjusting your backup retention period to match your recovery point objective, and periodically testing failover for your cluster.

Following the best practice of granting least privilege, destructive or configuration-changing actions such as DeleteCluster, DeleteClusterSnapshot, UpdateCluster, and UntagResource should be restricted via AWS IAM to a small set of operational roles, and their use should be logged and monitored via CloudWatch and CloudTrail. AWS managed policies specific to Amazon DocumentDB are available as a starting point. The actions defined by Amazon DocumentDB are listed in the Service Authorization Reference documentation, and you can find information about setting up IAM policies for Amazon DocumentDB in the Developer Guide documentation.

IAM governs the management plane only; IAM users cannot access data in the database. Authentication to the data in Amazon DocumentDB uses SCRAM-SHA-1 credentials, and authorization is handled by the Role-Based Access Control (RBAC) feature, which lets you define roles with only the actions a given identity needs on specific databases and collections. Scoping application users to such roles, rather than to built-in administrative roles, limits what a leaked application credential can do.
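The following is an added example, not code from the post or from AWS, of what that data-plane least privilege looks like in practice: it builds the createRole and createUser commands for a read-only application identity (one privilege per collection, no inherited built-in roles), checks the role against a deny-list of administrative actions before it is ever applied, and connects over TLS with the Amazon CA bundle. The role, user, database and collection names are assumptions, as is the deny-list; the command shapes are the MongoDB-compatible createRole and createUser commands that Amazon DocumentDB RBAC accepts, created here in the admin database with privileges scoped to the application database.

```python
"""Least-privilege data-plane access for Amazon DocumentDB: build the createRole and
createUser commands for a read-only application identity, check them against a
deny-list, and connect over TLS.

Added example, not code from the post or from AWS. Role, user, database and
collection names and the deny-list are assumptions; the command shapes are the
MongoDB-compatible createRole/createUser commands Amazon DocumentDB RBAC accepts.
"""

# Actions an application identity should never carry (assumed deny-list; extend it).
FORBIDDEN_ACTIONS = {"anyAction", "dropCollection", "dropDatabase", "createUser",
                     "dropUser", "grantRole", "revokeRole", "createRole", "dropRole"}


def build_role(role_name, db_name, collections, actions):
    """One privilege per collection, so the role cannot touch other collections."""
    return {
        "createRole": role_name,
        "privileges": [
            {"resource": {"db": db_name, "collection": coll}, "actions": sorted(actions)}
            for coll in collections
        ],
        "roles": [],  # no inherited built-in roles such as readWrite or dbAdmin
    }


def build_user(user_name, password, role_name, role_db="admin"):
    """SCRAM credentials plus a single custom role; nothing from the built-in roles."""
    return {"createUser": user_name, "pwd": password,
            "roles": [{"role": role_name, "db": role_db}]}


def least_privilege_violations(role_cmd):
    """Return (target, problem) pairs that break the least-privilege rules, or []."""
    hits = []
    for priv in role_cmd["privileges"]:
        if priv["resource"].get("collection", "") == "":
            # collection "" means every collection in the database
            hits.append((priv["resource"].get("db"), "privilege spans every collection"))
        for action in priv["actions"]:
            if action in FORBIDDEN_ACTIONS:
                hits.append((priv["resource"]["collection"], action))
    if role_cmd.get("roles"):
        inherited = ", ".join(r["role"] for r in role_cmd["roles"])
        hits.append(("*", "inherits roles: " + inherited))
    return hits


def connect(host, user, password, ca_file="global-bundle.pem"):
    """TLS client; Amazon DocumentDB requires retryWrites=False and the Amazon CA bundle."""
    from pymongo import MongoClient  # imported here so the builders run without pymongo
    return MongoClient(host=host, port=27017, username=user, password=password,
                       authSource="admin", tls=True, tlsCAFile=ca_file,
                       retryWrites=False)


def provision(client, role_cmd, user_cmd):
    """Run both commands as an administrator; refuses roles that fail the deny-list."""
    violations = least_privilege_violations(role_cmd)
    if violations:
        raise ValueError(f"role is over-privileged: {violations}")
    admin = client["admin"]
    admin.command(role_cmd)
    admin.command(user_cmd)


if __name__ == "__main__":
    role = build_role("ledgerReader", "ledger", ["accounts", "transactions"],
                      {"find", "listIndexes"})
    user = build_user("svc_ledger", "generate-this-in-secrets-manager", "ledgerReader")
    print(role)
    print(user)
    print("violations:", least_privilege_violations(role))
```

To apply it, call connect with your cluster endpoint and an administrative user, then provision(client, role, user); the deny-list check runs first, so a role that quietly picked up dropCollection or inherited readWrite is rejected before it reaches the cluster. Store the generated password in AWS Secrets Manager rather than in the deployment script, and download the CA bundle from the Amazon trust store rather than setting tlsAllowInvalidCertificates.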

Conclusion

In this post, we reviewed Amazon DocumentDB and highlighted key information that can help FSI customers accelerate the approval of the service within these five categories:

  • Achieving compliance
  • Data protection
  • Isolation of compute environments
  • Automating audits with APIs
  • Operational access and security

While not a one-size-fits-all approach, you can adapt the guidance to meet your organization’s security and compliance requirements and provide a consolidated list of critical areas for Amazon DocumentDB.

In the meantime, make sure to visit our AWS Financial Services Industry blog channel and stay tuned for more FSI news and best practices.

Haider Naqvi

Haider Naqvi is a Solutions Architect at AWS. He has extensive software development and enterprise architecture experience. He focuses on enabling customers to re:Invent and achieve business outcomes with AWS. He is based out of New York.

Bala KP

Bala KP is a Sr. Partner Solutions Architect at Amazon Web Services. He helps global system integrator partners and customers in the financial services and insurance domain move their most sensitive workloads to AWS.