Medium DMS Regional

DMS endpoints for MongoDB should have authentication enabled

NIST 800-53 | PCI DSS v4.0.1 | PCI DSS v7.3.1

Description

This control checks whether an AWS DMS endpoint configured for MongoDB has an authentication mechanism enabled. The control fails if no authentication type is set for the endpoint. AWS Database Migration Service supports two authentication methods for MongoDB: MONGODB-CR (used for MongoDB version 2.x) and SCRAM-SHA-1 (used for MongoDB version 3.x or later). These methods are designed to authenticate and encrypt MongoDB passwords when users access the databases. Proper authentication on AWS DMS endpoints ensures that only authorized users can access and modify data during database migration. Without it, unauthorized users could gain access to sensitive data, potentially leading to data breaches, data loss, or other security incidents.


Remediation

Enable authentication for your DMS endpoints that connect to MongoDB databases to ensure secure access control.

Steps

  1. Navigate to the AWS DMS console
  2. Go to the Endpoints section
  3. Select the MongoDB endpoint that needs authentication
  4. Modify the endpoint configuration
  5. In the 'Authentication' section, provide username and password
  6. Set the authentication type to 'MONGODB-CR' for MongoDB 2.x or 'SCRAM-SHA-1' for MongoDB 3.x+
  7. Configure the authentication mechanism based on your MongoDB version
  8. Save the configuration changes
  9. Verify that authentication is now enabled for the MongoDB endpoint
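The check in the Description and the remediation steps above, expressed as code. This is an added example, not part of the original control page or of any AWS tooling. It evaluates endpoint records in the shape returned by the DMS DescribeEndpoints API (Endpoints[], EngineName, MongoDbSettings.AuthType / AuthMechanism): a MongoDB endpoint passes when AuthType is "password" and fails when it is "no" or absent. The sample records are constructed; the endpoint ARN, user name and password in the remediation helper are placeholders, and the assumption that ModifyEndpoint accepts a partial MongoDbSettings block is noted in the code.

```python
"""Evaluate AWS DMS MongoDB endpoints for the "authentication enabled" control.

Added example, not part of the original control page. Field names follow the
DescribeEndpoints API response shape.
"""
from typing import Any, Dict, List


def evaluate_endpoint(endpoint: Dict[str, Any]) -> Dict[str, str]:
    """Return a PASS/FAIL finding for one endpoint record from DescribeEndpoints."""
    settings = endpoint.get("MongoDbSettings") or {}
    # The API reports AuthType as "no" or "password"; treat a missing field as "no".
    auth_type = (settings.get("AuthType") or "no").lower()
    mechanism = (settings.get("AuthMechanism") or "default").lower()
    identifier = endpoint.get("EndpointIdentifier", "<unknown>")
    if auth_type == "password":
        return {
            "endpoint": identifier,
            "status": "PASS",
            "detail": f"authentication enabled (mechanism={mechanism})",
        }
    return {
        "endpoint": identifier,
        "status": "FAIL",
        "detail": "no authentication type set on MongoDB endpoint",
    }


def evaluate_endpoints(endpoints: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Evaluate only MongoDB endpoints; other engines are out of scope for this control."""
    return [
        evaluate_endpoint(e)
        for e in endpoints
        if (e.get("EngineName") or "").lower() == "mongodb"
    ]


def remediation_params(endpoint_arn: str, username: str, password: str,
                       mongodb_major_version: int) -> Dict[str, Any]:
    """Build the ModifyEndpoint arguments that enable password authentication.

    Mechanism choice follows the control text: MONGODB-CR for MongoDB 2.x,
    SCRAM-SHA-1 for 3.x and later. Assumption: the returned dict can be passed
    as boto3 dms_client.modify_endpoint(**params); if your endpoint needs other
    MongoDbSettings fields re-supplied, merge them in before calling.
    """
    mechanism = "mongodb_cr" if mongodb_major_version < 3 else "scram_sha_1"
    return {
        "EndpointArn": endpoint_arn,
        "MongoDbSettings": {
            "AuthType": "password",
            "AuthMechanism": mechanism,
            "Username": username,
            "Password": password,
        },
    }


def fetch_mongodb_endpoints(region_name: str) -> List[Dict[str, Any]]:
    """Live variant (needs boto3 and AWS credentials): list MongoDB endpoints in a region."""
    import boto3  # imported lazily so the offline evaluation above needs no SDK

    client = boto3.client("dms", region_name=region_name)
    paginator = client.get_paginator("describe_endpoints")
    found: List[Dict[str, Any]] = []
    for page in paginator.paginate(
        Filters=[{"Name": "engine-name", "Values": ["mongodb"]}]
    ):
        found.extend(page["Endpoints"])
    return found


# Constructed sample records in the DescribeEndpoints response shape (not real endpoints).
SAMPLE_ENDPOINTS = [
    {"EndpointIdentifier": "mongo-src-prod", "EngineName": "mongodb",
     "MongoDbSettings": {"AuthType": "password", "AuthMechanism": "scram_sha_1"}},
    {"EndpointIdentifier": "mongo-src-legacy", "EngineName": "mongodb",
     "MongoDbSettings": {"AuthType": "no"}},
    {"EndpointIdentifier": "pg-target", "EngineName": "postgres"},
]

if __name__ == "__main__":
    for finding in evaluate_endpoints(SAMPLE_ENDPOINTS):
        print(f"{finding['status']:4} {finding['endpoint']}: {finding['detail']}")
    # To remediate a failing endpoint, pass remediation_params(...) to modify_endpoint
    # with the real ARN and credentials (placeholders here).
    print(remediation_params("arn:placeholder:dms:endpoint", "dms_user", "<password>", 4))
```

Running the script against the constructed sample prints one PASS (the SCRAM-SHA-1 endpoint) and one FAIL (the endpoint with AuthType "no"); the PostgreSQL endpoint is skipped because the control applies only to MongoDB endpoints. Replace SAMPLE_ENDPOINTS with the output of fetch_mongodb_endpoints(region) to evaluate a live account.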

Compliance

NIST 800-53 | PCI DSS v4.0.1 | PCI DSS v7.3.1