Amazon CloudWatch logs provide enhanced monitoring. For analysis of query performance and application fine-tuning, you can use Performance Insights for Amazon DocumentDB to identify hot queries and hosts. Additionally, you can use Amazon DocumentDB audit logging to log all queries or use its profiler to log queries exceeding a specified duration. All these services and features are natively integrated with Amazon DocumentDB and help you identify performance bottlenecks and gain visibility for troubleshooting problems. You can also configure them to alert you about specific events.

Read the Operational Excellence whitepaper 

Amazon DocumentDB and OpenSearch Service support encryption at rest and TLS for data in transit. The VPC enables network isolation of these services, providing fine-grained and role-based access control through AWS Identity and Access Management (IAM) roles as well as firewall options. You can scope IAM policies to the minimum required permissions to limit unauthorized access to resources. You can also selectively encrypt sensitive data in applications by using Client-Side Field Level Encryption (CS-FLE), which uses AWS Key Management Service (AWS KMS). Finally, you can store secrets in Secrets Manager so that you don’t have to hardcode credentials in applications. Access to the secrets is audited, and we recommend enabling automatic rotation of secrets to enhance security, enabling the transition from permanent credentials to temporary ones.

This Guidance deploys Amazon DocumentDB across three Availability Zones (AZs) to provide reliable operations, and failovers to an existing replica complete in less than 30 seconds. The database backup capability provides point-in-time recovery for clusters, enabling restoration to any second during the retention period, up until the last five minutes. You can also use AWS Backup to centralize backup governance. Additionally, you can configure OpenSearch Service as a multi-AZ cluster for high availability and automatic failovers, and the Amazon OpenSearch Serverless option lets you run petabyte-scale workloads without configuring, managing, and scaling OpenSearch clusters.

You can use Performance Insights for Amazon DocumentDB to analyze query performance, fine-tune applications, and identify hot queries and hosts. You can also configure alerts and alarms within CloudWatch and use this service to monitor resource consumption. Monitoring resource consumption helps you decide whether to scale the cluster horizontally or vertically for Amazon DocumentDB and OpenSearch Service.

Amazon DocumentDB offers per-second billing for compute, free or reduced monthly backup storage costs, and no-cost encryption capabilities and monitoring. Additionally, its flexibility with JSON document storage enables agility with data model changes. CloudWatch helps you monitor resource consumption and align the scaling activities of Amazon DocumentDB and OpenSearch Service, which can scale cluster capacity in and out without overprovisioning infrastructure.

Amazon DocumentDB and OpenSearch Service provide horizontal scalability, enabling you to reduce the use and energy of unnecessary hardware. This Guidance also uses instances powered by AWS Graviton processors, which provide a 30 percent energy reduction and are more sustainable.