DMS MongoDB Endpoint Has Authentication Mechanism Enabled
Overview
This check verifies that AWS Database Migration Service (DMS) MongoDB endpoints have authentication enabled. Specifically, it ensures the AuthType setting is not "no" (e.g., set to "password") and includes an appropriate authentication mechanism like scram_sha_1 or mongodb_cr.
Authentication ensures that only authorized users can access your MongoDB data during migration operations.
Risk
Without authentication, any connection to your MongoDB endpoint can access the data being migrated. This creates several risks:
- Data exposure: Attackers could read sensitive documents during migration
- Data manipulation: Unauthorized parties could modify or inject malicious data
- Change Data Capture (CDC) hijacking: Adversaries could intercept ongoing replication streams
- Data exfiltration: Records could be stolen during the migration process
This could result in data breaches, compliance violations, and corruption of migrated data.
Remediation Steps
Prerequisites
- AWS Console access with permissions to modify DMS endpoints
- MongoDB database credentials (username and password)
Required IAM permissions
To modify DMS endpoints, you need these permissions:
- `dms:ModifyEndpoint`
- `dms:DescribeEndpoints`
- `secretsmanager:GetSecretValue` (if using Secrets Manager)
- `secretsmanager:CreateSecret` (if creating new secrets)
- `iam:PassRole` (if using Secrets Manager integration)
AWS Console Method
- Open the AWS DMS console
- Click Endpoints in the left navigation
- Select the MongoDB endpoint you need to update
- Click Modify
- Scroll to the Endpoint settings section
- Under Authentication mode, select Password
- Enter the Username for your MongoDB database
- Enter the Password (or configure Secrets Manager - see below)
- Optionally, under Extra connection attributes, add the authentication mechanism:
  - For MongoDB 3.x+: `authMechanism=SCRAM-SHA-1`
  - For MongoDB 2.x: `authMechanism=MONGODB-CR`
- Click Save changes
Using AWS Secrets Manager (recommended):
- In the Endpoint settings section, select Use AWS Secrets Manager
- Choose an existing secret or create a new one containing:
  - `username`: Your MongoDB username
  - `password`: Your MongoDB password
- Select the IAM role that has permission to access the secret
- Click Save changes
AWS CLI (optional)
Modify an existing endpoint to enable authentication:
```bash
aws dms modify-endpoint \
  --endpoint-arn arn:aws:dms:us-east-1:<account-id>:endpoint:<endpoint-id> \
  --mongo-db-settings '{
    "AuthType": "password",
    "AuthMechanism": "scram_sha_1",
    "Username": "<mongodb-username>",
    "Password": "<mongodb-password>",
    "AuthSource": "admin"
  }' \
  --region us-east-1
```
Using Secrets Manager (recommended):
First, create a secret:
```bash
aws secretsmanager create-secret \
  --name dms/mongodb-endpoint-credentials \
  --secret-string '{"username":"<mongodb-username>","password":"<mongodb-password>"}' \
  --region us-east-1
```
Then modify the endpoint to use the secret:
```bash
aws dms modify-endpoint \
  --endpoint-arn arn:aws:dms:us-east-1:<account-id>:endpoint:<endpoint-id> \
  --mongo-db-settings '{
    "AuthType": "password",
    "AuthMechanism": "scram_sha_1",
    "AuthSource": "admin",
    "SecretsManagerAccessRoleArn": "arn:aws:iam::<account-id>:role/<dms-secrets-role>",
    "SecretsManagerSecretId": "arn:aws:secretsmanager:us-east-1:<account-id>:secret:dms/mongodb-endpoint-credentials-<suffix>"
  }' \
  --region us-east-1
```
View current endpoint configuration:
```bash
aws dms describe-endpoints \
  --filters "Name=endpoint-arn,Values=arn:aws:dms:us-east-1:<account-id>:endpoint:<endpoint-id>" \
  --query 'Endpoints[0].MongoDbSettings' \
  --region us-east-1
```
Replace:
- `<account-id>` with your 12-digit AWS account ID
- `<endpoint-id>` with your DMS endpoint identifier
- `<mongodb-username>` and `<mongodb-password>` with your credentials
- `<dms-secrets-role>` with your IAM role for Secrets Manager access
- `<suffix>` with the auto-generated secret suffix
CloudFormation (optional)
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: DMS MongoDB endpoint with authentication enabled

Parameters:
  EndpointIdentifier:
    Type: String
    Description: Identifier for the DMS endpoint
    Default: mongodb-source-endpoint
  MongoDbServerName:
    Type: String
    Description: MongoDB server hostname or IP address
  MongoDbPort:
    Type: Number
    Description: MongoDB server port
    Default: 27017
  MongoDbDatabaseName:
    Type: String
    Description: MongoDB database name
    Default: admin
  MongoDbUsername:
    Type: String
    Description: MongoDB username
    NoEcho: true
  MongoDbPassword:
    Type: String
    Description: MongoDB password
    NoEcho: true
    MinLength: 8
  AuthMechanism:
    Type: String
    Description: MongoDB authentication mechanism
    Default: scram_sha_1
    AllowedValues:
      - scram_sha_1
      - mongodb_cr
      - default

Resources:
  MongoDbCredentialsSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub 'dms/${EndpointIdentifier}-credentials'
      Description: Credentials for DMS MongoDB endpoint
      SecretString: !Sub |
        {
          "username": "${MongoDbUsername}",
          "password": "${MongoDbPassword}"
        }

  DMSSecretsAccessRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'dms-secrets-access-${EndpointIdentifier}'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: dms.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: SecretsManagerAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                Resource: !Ref MongoDbCredentialsSecret

  DMSMongoDbEndpoint:
    Type: AWS::DMS::Endpoint
    Properties:
      EndpointIdentifier: !Ref EndpointIdentifier
      EndpointType: source
      EngineName: mongodb
      ServerName: !Ref MongoDbServerName
      Port: !Ref MongoDbPort
      DatabaseName: !Ref MongoDbDatabaseName
      MongoDbSettings:
        AuthType: password
        AuthMechanism: !Ref AuthMechanism
        AuthSource: admin
        SecretsManagerAccessRoleArn: !GetAtt DMSSecretsAccessRole.Arn
        SecretsManagerSecretId: !Ref MongoDbCredentialsSecret
      SslMode: require
      Tags:
        - Key: Name
          Value: !Ref EndpointIdentifier

Outputs:
  EndpointArn:
    Description: ARN of the DMS MongoDB endpoint
    Value: !Ref DMSMongoDbEndpoint
  SecretArn:
    Description: ARN of the Secrets Manager secret
    Value: !Ref MongoDbCredentialsSecret
```
Deploy with:
```bash
aws cloudformation deploy \
  --template-file dms-mongodb-endpoint.yaml \
  --stack-name dms-mongodb-authenticated \
  --parameter-overrides \
    EndpointIdentifier=mongodb-source \
    MongoDbServerName=mongodb.example.com \
    MongoDbDatabaseName=mydb \
    MongoDbUsername=dmsuser \
    MongoDbPassword=SecurePassword123 \
  --capabilities CAPABILITY_NAMED_IAM \
  --region us-east-1
```
Terraform (optional)
```hcl
# variables.tf
variable "endpoint_identifier" {
  description = "Identifier for the DMS endpoint"
  type        = string
  default     = "mongodb-source-endpoint"
}

variable "mongodb_server_name" {
  description = "MongoDB server hostname or IP address"
  type        = string
}

variable "mongodb_port" {
  description = "MongoDB server port"
  type        = number
  default     = 27017
}

variable "mongodb_database_name" {
  description = "MongoDB database name"
  type        = string
  default     = "admin"
}

variable "mongodb_username" {
  description = "MongoDB username"
  type        = string
  sensitive   = true
}

variable "mongodb_password" {
  description = "MongoDB password"
  type        = string
  sensitive   = true
}

variable "auth_mechanism" {
  description = "MongoDB authentication mechanism"
  type        = string
  default     = "scram_sha_1"

  validation {
    condition     = contains(["scram_sha_1", "mongodb_cr", "default"], var.auth_mechanism)
    error_message = "auth_mechanism must be one of: scram_sha_1, mongodb_cr, default"
  }
}

variable "use_secrets_manager" {
  description = "Use Secrets Manager instead of inline credentials"
  type        = bool
  default     = true
}

# main.tf
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "aws_secretsmanager_secret" "mongodb_credentials" {
  count       = var.use_secrets_manager ? 1 : 0
  name        = "dms/${var.endpoint_identifier}-credentials"
  description = "Credentials for DMS MongoDB endpoint"
}

resource "aws_secretsmanager_secret_version" "mongodb_credentials" {
  count     = var.use_secrets_manager ? 1 : 0
  secret_id = aws_secretsmanager_secret.mongodb_credentials[0].id
  secret_string = jsonencode({
    username = var.mongodb_username
    password = var.mongodb_password
  })
}

resource "aws_iam_role" "dms_secrets_access" {
  count = var.use_secrets_manager ? 1 : 0
  name  = "dms-secrets-access-${var.endpoint_identifier}"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "dms.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy" "dms_secrets_access" {
  count = var.use_secrets_manager ? 1 : 0
  name  = "SecretsManagerAccess"
  role  = aws_iam_role.dms_secrets_access[0].id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["secretsmanager:GetSecretValue"]
        Resource = aws_secretsmanager_secret.mongodb_credentials[0].arn
      }
    ]
  })
}

# Endpoint with Secrets Manager (recommended)
resource "aws_dms_endpoint" "mongodb_with_secrets" {
  count         = var.use_secrets_manager ? 1 : 0
  endpoint_id   = var.endpoint_identifier
  endpoint_type = "source"
  engine_name   = "mongodb"
  server_name   = var.mongodb_server_name
  port          = var.mongodb_port
  database_name = var.mongodb_database_name
  ssl_mode      = "require"

  # Secrets Manager credentials (top-level, not in mongodb_settings)
  secrets_manager_access_role_arn = aws_iam_role.dms_secrets_access[0].arn
  secrets_manager_arn             = aws_secretsmanager_secret.mongodb_credentials[0].arn

  mongodb_settings {
    auth_type      = "password"
    auth_mechanism = var.auth_mechanism
    auth_source    = "admin"
  }

  tags = {
    Name = var.endpoint_identifier
  }
}

# Endpoint with inline credentials (not recommended)
resource "aws_dms_endpoint" "mongodb_inline" {
  count         = var.use_secrets_manager ? 0 : 1
  endpoint_id   = var.endpoint_identifier
  endpoint_type = "source"
  engine_name   = "mongodb"
  server_name   = var.mongodb_server_name
  port          = var.mongodb_port
  database_name = var.mongodb_database_name
  username      = var.mongodb_username
  password      = var.mongodb_password
  ssl_mode      = "require"

  mongodb_settings {
    auth_type      = "password"
    auth_mechanism = var.auth_mechanism
    auth_source    = "admin"
  }

  tags = {
    Name = var.endpoint_identifier
  }
}

# outputs.tf
output "endpoint_arn" {
  description = "ARN of the DMS MongoDB endpoint"
  value       = var.use_secrets_manager ? aws_dms_endpoint.mongodb_with_secrets[0].endpoint_arn : aws_dms_endpoint.mongodb_inline[0].endpoint_arn
}

output "secret_arn" {
  description = "ARN of the Secrets Manager secret (if enabled)"
  value       = var.use_secrets_manager ? aws_secretsmanager_secret.mongodb_credentials[0].arn : null
}
```
Deploy with:
```bash
terraform init
terraform apply \
  -var="endpoint_identifier=mongodb-source" \
  -var="mongodb_server_name=mongodb.example.com" \
  -var="mongodb_username=dmsuser" \
  -var="mongodb_password=SecurePassword123"
```
Verification
After enabling authentication on your endpoint, verify the configuration:
- Open the AWS DMS console
- Click Endpoints and select your MongoDB endpoint
- In the Endpoint details section, confirm:
- Authentication mode shows Password (not "No")
- Username is populated
- If using Secrets Manager: Secrets Manager secret ARN is displayed
CLI verification
Check the endpoint authentication settings:
```bash
aws dms describe-endpoints \
  --filters "Name=engine-name,Values=mongodb" \
  --query 'Endpoints[*].{EndpointID:EndpointIdentifier,AuthType:MongoDbSettings.AuthType,AuthMechanism:MongoDbSettings.AuthMechanism,Username:MongoDbSettings.Username}' \
  --output table \
  --region us-east-1
```
Expected output for an authenticated endpoint:
```text
-------------------------------------------------------------------
|                        DescribeEndpoints                        |
+------------------+------------+-----------------+---------------+
|  AuthMechanism   |  AuthType  |   EndpointID    |   Username    |
+------------------+------------+-----------------+---------------+
|  scram_sha_1     |  password  |  mongodb-source |  dmsuser      |
+------------------+------------+-----------------+---------------+
```
Test the endpoint connection:
```bash
aws dms test-connection \
  --replication-instance-arn arn:aws:dms:us-east-1:<account-id>:rep:<replication-instance-id> \
  --endpoint-arn arn:aws:dms:us-east-1:<account-id>:endpoint:<endpoint-id> \
  --region us-east-1
```
Re-run the Prowler check:
```bash
prowler aws --checks dms_endpoint_mongodb_authentication_enabled
```
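The rule this check applies (Overview above) and the `describe-endpoints` output used for CLI verification can be joined into a small offline evaluator. The following is an added example, not Prowler's own check code: it reads the JSON shape that `aws dms describe-endpoints` returns, skips non-MongoDB endpoints, and fails any endpoint whose `AuthType` is `no`, whose `AuthMechanism` is outside the values this page's templates allow (`scram_sha_1`, `mongodb_cr`, `default`), or which declares password authentication without either an inline `Username` or a `SecretsManagerSecretId`. That last condition is stricter than the check description and is this example's assumption; the sample payload, account ID and ARNs are constructed.

```python
"""Offline evaluator for DMS MongoDB endpoint authentication settings.

Added example, not Prowler's check implementation. Pipe real output in with
`aws dms describe-endpoints --filters Name=engine-name,Values=mongodb | python3 dms_mongodb_auth.py`
or run it bare to evaluate the constructed sample below.
"""
import json
import sys

# Mechanisms this example accepts: the values the page's templates allow.
# Assumption: "default" counts as acceptable because DMS resolves it per server version.
ACCEPTED_MECHANISMS = {"scram_sha_1", "mongodb_cr", "default"}

# Constructed sample in the shape of `aws dms describe-endpoints` JSON output.
# Every identifier, account ID and ARN here is an invented placeholder.
SAMPLE_DESCRIBE_ENDPOINTS = json.dumps({
    "Endpoints": [
        {   # compliant: password auth, explicit mechanism, inline username
            "EndpointIdentifier": "mongodb-source",
            "EngineName": "mongodb",
            "MongoDbSettings": {
                "AuthType": "password", "AuthMechanism": "scram_sha_1",
                "Username": "dmsuser", "AuthSource": "admin",
            },
        },
        {   # non-compliant: authentication disabled
            "EndpointIdentifier": "mongodb-legacy",
            "EngineName": "mongodb",
            "MongoDbSettings": {"AuthType": "no", "AuthMechanism": "default"},
        },
        {   # compliant: credentials supplied through Secrets Manager, no inline username
            "EndpointIdentifier": "mongodb-secrets",
            "EngineName": "mongodb",
            "MongoDbSettings": {
                "AuthType": "password", "AuthMechanism": "default", "AuthSource": "admin",
                "SecretsManagerSecretId": "arn:aws:secretsmanager:us-east-1:111122223333:secret:dms/mongodb-secrets-credentials-AbCdEf",
                "SecretsManagerAccessRoleArn": "arn:aws:iam::111122223333:role/dms-secrets-access",
            },
        },
        {   # non-compliant under this example's stricter rule: password auth with no credential source
            "EndpointIdentifier": "mongodb-orphan",
            "EngineName": "mongodb",
            "MongoDbSettings": {"AuthType": "password", "AuthMechanism": "scram_sha_1"},
        },
        {   # not a MongoDB endpoint: ignored by the check
            "EndpointIdentifier": "postgres-target",
            "EngineName": "postgres",
        },
    ]
})


def evaluate_endpoint(endpoint):
    """Return (status, reason) for one endpoint dict as returned by describe-endpoints."""
    settings = endpoint.get("MongoDbSettings") or {}
    auth_type = str(settings.get("AuthType", "no")).lower()
    if auth_type == "no":
        return "FAIL", "AuthType is 'no': any client that can reach the server can read the data"
    mechanism = str(settings.get("AuthMechanism", "")).lower()
    if mechanism not in ACCEPTED_MECHANISMS:
        return "FAIL", f"AuthMechanism {mechanism or '<missing>'!r} is not an accepted mechanism"
    # Password authentication still needs a credential source: a secret or an inline username.
    if settings.get("SecretsManagerSecretId"):
        return "PASS", f"password auth ({mechanism}) with credentials from Secrets Manager"
    if settings.get("Username"):
        return "PASS", f"password auth ({mechanism}) with inline credentials"
    return "FAIL", "AuthType is 'password' but neither Username nor SecretsManagerSecretId is set"


def evaluate_describe_output(raw_json):
    """Parse describe-endpoints JSON and evaluate every MongoDB endpoint in it."""
    data = json.loads(raw_json)
    findings = []
    for endpoint in data.get("Endpoints", []):
        if endpoint.get("EngineName") != "mongodb":
            continue  # the check only covers MongoDB endpoints
        status, reason = evaluate_endpoint(endpoint)
        findings.append({
            "endpoint": endpoint.get("EndpointIdentifier", "<unknown>"),
            "status": status,
            "reason": reason,
        })
    return findings


def failing_endpoints(raw_json):
    """Sorted identifiers of MongoDB endpoints that would fail the check."""
    return sorted(f["endpoint"] for f in evaluate_describe_output(raw_json) if f["status"] == "FAIL")


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_ENDPOINTS
    for finding in evaluate_describe_output(raw):
        print(f"{finding['status']:4} {finding['endpoint']:18} {finding['reason']}")
```

Against the constructed sample, `mongodb-source` and `mongodb-secrets` pass while `mongodb-legacy` and `mongodb-orphan` fail; the `postgres-target` endpoint is skipped because the check is scoped to the `mongodb` engine.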
Additional Resources
- Using MongoDB as a Source for AWS DMS
- Using Secrets Manager for DMS Endpoints
- MongoDB Authentication Mechanisms
- AWS DMS Endpoint Settings Reference
Notes
- TLS/SSL recommended: In addition to authentication, enable SSL/TLS encryption (`SslMode: require`) for defense in depth. This encrypts data in transit between DMS and MongoDB.
- Secrets Manager is preferred: Storing credentials directly in DMS endpoints is less secure than using AWS Secrets Manager. Secrets Manager provides automatic rotation, audit logging, and centralized credential management.
- Authentication mechanism versions: Use `scram_sha_1` for MongoDB 3.x and later, or `mongodb_cr` for MongoDB 2.x. The `default` option automatically selects based on MongoDB version.
- Auth source: The `AuthSource` parameter specifies which database contains the user credentials. This is typically "admin" but may differ based on your MongoDB configuration.
- Least privilege accounts: Create dedicated MongoDB users for DMS with only the permissions required for migration (read access for source endpoints). Avoid using administrative accounts.
- Connection testing: After modifying an endpoint, always test the connection using the DMS console or the `test-connection` API before starting migration tasks.
- Active migrations: If the endpoint is currently being used by an active migration task, you may need to stop and restart the task after modifying authentication settings.