Profile Applicability
- Level 2
Description
Authentication settings on MongoDB source endpoints in AWS Database Migration Service (DMS) determine whether the replication instance presents credentials when it connects to the MongoDB server during a migration task. A MongoDB endpoint carries an Authentication type (AuthType: no or password) and, when the type is password, an Authentication mechanism (AuthMechanism: default, mongodb_cr or scram_sha_1) plus an Authentication source (AuthSource, normally admin). The default mechanism lets DMS negotiate with the server; scram_sha_1 is the documented choice for MongoDB 3.x and later, while mongodb_cr is the legacy MD5 challenge-response mechanism that MongoDB removed in 4.0. SCRAM-SHA-256 is negotiated by the driver when the server supports it but is not a value the DMS endpoint exposes. Requiring password authentication ensures the task reads the database only through a named, least-privilege account. Note that the endpoint setting governs only the DMS side of the connection: unless authorization is also enabled on the MongoDB server (security.authorization: enabled), anyone who can reach the port can read the data regardless of how the endpoint is configured.
Rationale
Enhanced Security: Ensures the DMS replication instance authenticates to MongoDB with a dedicated account rather than relying on an unauthenticated listener.
Risk Mitigation: Reduces the risk of unauthorized access and data breaches.
Compliance: Aligns with security best practices and regulatory requirements.
Impact
Pros:
Protects sensitive data by requiring valid credentials for access.
Reduces the risk of unauthorized access during migration tasks.
Enhances overall security posture.
Cons:
Requires authorization to be enabled on the MongoDB server and a DMS user with read access to the source databases (and to the oplog or change streams if the task uses change data capture).
Credentials must be managed securely; storing them in AWS Secrets Manager and referencing the secret from the endpoint avoids passing passwords on the command line.
Default Value
A MongoDB endpoint can be created with Authentication type set to no, in which case DMS connects without credentials. The setting is chosen at endpoint creation and must be verified explicitly; do not assume a new endpoint requires a password.
Pre-Requisite
IAM Permissions Required:
dms:DescribeEndpoints
dms:ModifyEndpoint
dms:TestConnection (to confirm the endpoint still connects after the change)
iam:PassRole on the Secrets Manager access role, if the endpoint references a secret
AWS CLI installed and configured.
Remediation
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Database Migration Service (DMS) > Endpoints.
Select the MongoDB endpoint and review its configuration.
Verify that Authentication type is set to password and that Authentication mechanism is default or SCRAM_SHA_1 (not MONGODB_CR), and that Authentication source names the database holding the DMS user (normally admin).
Using AWS CLI:
Describe the DMS endpoint:
aws dms describe-endpoints --filters Name=engine-name,Values=mongodb \
  --query 'Endpoints[].{Id:EndpointIdentifier,AuthType:MongoDbSettings.AuthType,AuthMechanism:MongoDbSettings.AuthMechanism,AuthSource:MongoDbSettings.AuthSource}'
Check the MongoDbSettings fields in the output. AuthType must be password, and AuthMechanism must be default or scram_sha_1. An AuthType of no means the task connects without credentials; an AuthMechanism of mongodb_cr is the legacy mechanism and should be replaced.
Implementation Steps:
Using AWS Console:
Navigate to Database Migration Service (DMS) > Endpoints.
Select the MongoDB endpoint to update.
Edit the endpoint configuration: set Authentication type to password, Authentication mechanism to SCRAM_SHA_1 (or default to let DMS negotiate with the server), Authentication source to the database that holds the DMS user, and supply the user name and password or, preferably, an AWS Secrets Manager secret and access role.
Save the changes.
Using AWS CLI:
Modify the DMS endpoint to require password authentication. The settings live under --mongodb-settings; modify-endpoint has no --auth-mechanism option:
aws dms modify-endpoint \
  --endpoint-arn <endpoint-arn> \
  --mongodb-settings '{"AuthType":"password","AuthMechanism":"scram_sha_1","AuthSource":"admin","Username":"<username>","Password":"<password>"}'
To keep the password off the command line, reference a Secrets Manager secret instead of Username and Password:
aws dms modify-endpoint \
  --endpoint-arn <endpoint-arn> \
  --mongodb-settings '{"AuthType":"password","AuthMechanism":"scram_sha_1","AuthSource":"admin","SecretsManagerSecretId":"<secret-arn>","SecretsManagerAccessRoleArn":"<role-arn>"}'
Verify the updated configuration and confirm the endpoint still connects:
aws dms describe-endpoints --filters Name=endpoint-arn,Values=<endpoint-arn> --query 'Endpoints[].MongoDbSettings'
aws dms test-connection --replication-instance-arn <replication-instance-arn> --endpoint-arn <endpoint-arn>
Tasks that use the endpoint pick up the new settings when they are next started or resumed.
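The test plan and implementation steps above can be scripted. The following is an added example, not part of the benchmark or of AWS DMS: it audits describe-endpoints output for MongoDB endpoints whose AuthType is not password or whose AuthMechanism is the legacy mongodb_cr, and builds the MongoDbSettings payload for modify_endpoint using a Secrets Manager secret. The SAMPLE_DESCRIBE_OUTPUT document is constructed, and the endpoint identifiers and ARNs in it are hypothetical; the --live path assumes boto3 is installed and the caller holds dms:DescribeEndpoints.

```python
"""Audit AWS DMS MongoDB endpoints for authentication settings.

Added example, not part of the benchmark or of AWS DMS. The sample
describe-endpoints document is constructed; names and ARNs are hypothetical.
"""
import json
import sys
from typing import Dict, List

# Values used by the DMS MongoDbSettings fields AuthType and AuthMechanism.
REQUIRED_AUTH_TYPE = "password"
ACCEPTED_MECHANISMS = {"default", "scram_sha_1"}
LEGACY_MECHANISMS = {"mongodb_cr"}  # MD5 challenge-response, removed in MongoDB 4.0

# Constructed sample in the shape of `aws dms describe-endpoints` output.
SAMPLE_DESCRIBE_OUTPUT = {
    "Endpoints": [
        {"EndpointIdentifier": "mongo-src-noauth", "EngineName": "mongodb", "EndpointType": "SOURCE",
         "MongoDbSettings": {"AuthType": "no", "ServerName": "mongo.internal", "Port": 27017}},
        {"EndpointIdentifier": "mongo-src-legacy", "EngineName": "mongodb", "EndpointType": "SOURCE",
         "MongoDbSettings": {"AuthType": "password", "AuthMechanism": "mongodb_cr", "Username": "dms"}},
        {"EndpointIdentifier": "mongo-src-ok", "EngineName": "mongodb", "EndpointType": "SOURCE",
         "MongoDbSettings": {"AuthType": "password", "AuthMechanism": "scram_sha_1", "AuthSource": "admin",
                             "SecretsManagerSecretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:dms/mongo-AbCdEf"}},
        {"EndpointIdentifier": "pg-target", "EngineName": "postgres", "EndpointType": "TARGET"},
    ]
}


def audit_mongodb_endpoints(describe_output: dict) -> List[Dict[str, str]]:
    """Return one finding per non-compliant MongoDB endpoint; other engines are skipped."""
    findings = []
    for ep in describe_output.get("Endpoints", []):
        if (ep.get("EngineName") or "").lower() != "mongodb":
            continue
        ident = ep.get("EndpointIdentifier") or ep.get("EndpointArn", "<unknown>")
        settings = ep.get("MongoDbSettings") or {}
        auth_type = (settings.get("AuthType") or "").lower()
        mechanism = (settings.get("AuthMechanism") or "").lower()

        if auth_type != REQUIRED_AUTH_TYPE:
            findings.append({"endpoint": ident,
                             "reason": f"AuthType is '{auth_type or 'unset'}'; DMS connects without credentials"})
            continue  # the mechanism is irrelevant when no credentials are sent
        if mechanism in LEGACY_MECHANISMS:
            findings.append({"endpoint": ident,
                             "reason": f"AuthMechanism '{mechanism}' is legacy; use scram_sha_1 or default"})
        elif mechanism and mechanism not in ACCEPTED_MECHANISMS:
            findings.append({"endpoint": ident,
                             "reason": f"AuthMechanism '{mechanism}' is not a value DMS accepts"})
    return findings


def remediation_settings(secret_arn: str, access_role_arn: str, auth_source: str = "admin") -> dict:
    """Build the MongoDbSettings payload for dms.modify_endpoint.

    References a Secrets Manager secret so the password is never passed inline.
    Other MongoDbSettings fields are merged, not replaced, unless ExactSettings is set.
    """
    return {
        "AuthType": "password",
        "AuthMechanism": "scram_sha_1",
        "AuthSource": auth_source,
        "SecretsManagerSecretId": secret_arn,
        "SecretsManagerAccessRoleArn": access_role_arn,
    }


def main(argv: List[str]) -> int:
    if "--live" in argv:
        import boto3  # only needed for a real audit; requires dms:DescribeEndpoints
        output = boto3.client("dms").describe_endpoints(
            Filters=[{"Name": "engine-name", "Values": ["mongodb"]}])
    else:
        output = SAMPLE_DESCRIBE_OUTPUT
    findings = audit_mongodb_endpoints(output)
    print(json.dumps(findings, indent=2))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments to see the audit over the constructed sample (two findings, exit status 1); run with --live to audit the account the CLI credentials point at. A compliant endpoint produces no finding, so the exit status can gate a pipeline. To remediate, pass remediation_settings(...) as the MongoDbSettings argument of boto3's dms.modify_endpoint together with EndpointArn, then call test_connection before restarting any task.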
Backout Plan
Using AWS Console:
If the task fails after the change, first check the common causes: wrong Authentication source, a user without read access to the source databases, or a Secrets Manager access role that DMS cannot assume. Reverting to unauthenticated access should be a last resort and only for as long as it takes to correct the credentials, because it leaves the source readable by anyone who can reach it. To revert, sign in to the AWS Management Console.
Navigate to AWS DMS, select the MongoDB endpoint, and choose Modify.
Set Authentication type to no; the mechanism, source and credential fields are ignored when the type is no.
Save the changes and confirm with Test connection that the endpoint connects with the previous configuration.
Using AWS CLI:
To revert to unauthenticated access, set AuthType to no (the field is AuthType, and there is no NONE mechanism value):
aws dms modify-endpoint --endpoint-arn <ENDPOINT_ARN> --mongodb-settings '{"AuthType":"no"}'
Verify that the change took effect (describe-endpoints has no --endpoint-arn option; filter on the ARN instead):
aws dms describe-endpoints --filters Name=endpoint-arn,Values=<ENDPOINT_ARN> --query 'Endpoints[].MongoDbSettings.AuthType'