AWS Security Hub · DMS
DMS.11: DMS MongoDB endpoints should have auth
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub DMS.11 check?
DMS.11 fails when a DMS endpoint for a MongoDB source has AuthType set to no. The control reads the AuthType field; the passing state uses an authentication mechanism — MONGODB-CR for MongoDB 2.x or SCRAM-SHA-1 for 3.x and later.
Why does DMS.11 matter?
An endpoint configured with AuthType=no connects to MongoDB without presenting a credential. MongoDB's history of unauthenticated, internet-exposed instances drove the 2017 mass-ransom campaigns that wiped tens of thousands of open databases. Requiring authentication on the DMS endpoint ensures the migration path itself is not the weak link reading from that database.
How do I fix DMS.11?
- Audit MongoDB endpoints and find any with AuthType=no.
- Choose the right mechanism for the MongoDB version — MONGODB-CR for 2.x, SCRAM-SHA-1 for 3.x+.
- Run modify-endpoint to set the auth type and supply the credentials.
- Re-test the endpoint connection and default new endpoints to authenticated access.
Remediation script · bash
# Attach a JWT authorizer to an open API route, then redeploy the stage to enforce it.
aws apigatewayv2 update-route --api-id a1b2c3d4e5 \
--route-id r7h8j9 --authorization-type JWT --authorizer-id auth9z8y
aws apigatewayv2 create-deployment --api-id a1b2c3d4e5 --stage-name '$default'
# Disable the unauthenticated listener on an MSK cluster while keeping IAM auth.
ARN=arn:aws:kafka:us-east-1:111122223333:cluster/orders-stream-prod/abc123
VERSION=$(aws kafka describe-cluster-v2 --cluster-arn $ARN \
--query 'ClusterInfo.CurrentVersion' --output text)
aws kafka update-security --cluster-arn $ARN --current-version $VERSION \
--client-authentication '{"Sasl":{"Iam":{"Enabled":true}},"Unauthenticated":{"Enabled":false}}'
# Once clients send the new credential, remove the AppSync API key to clear the finding.
aws appsync delete-api-key --api-id abcd1234efgh5678ijkl --id da2-examplekeyid12345
Full walkthrough (console steps, edge cases and verification) in the lesson Require authentication on data and API services.
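The four fix steps above carried through for DMS.11 itself, as an added bash example (not the page's remediation script): it audits describe-endpoints output for AuthType=no, picks the mechanism by MongoDB version, builds the modify-endpoint settings and re-tests the connection. The sample output, the ARNs and the MONGO_USER, MONGO_PASS, MONGO_VERSION and REPL_ARN variables are assumptions.

```bash
#!/usr/bin/env bash
# Assumptions (not from the page): the aws CLI is configured; MONGO_USER, MONGO_PASS,
# MONGO_VERSION and REPL_ARN are exported by the operator; the ARNs below are constructed.
set -eu

# Print "identifier<TAB>arn" for every MongoDB endpoint whose AuthType is "no", the
# exact state DMS.11 fails on. Reads the tab-separated describe-endpoints output on stdin.
failing_endpoints() {
  awk -F'\t' 'tolower($3) == "no" { print $1 "\t" $2 }'
}

# Map a MongoDB server version to the mechanism the control names, in the DMS API
# spelling: mongodb_cr for 2.x, scram_sha_1 for 3.x and later.
auth_mechanism_for() {
  case "${1%%.*}" in
    2) echo mongodb_cr ;;
    *) echo scram_sha_1 ;;
  esac
}

# Build the --mongo-db-settings shorthand that moves an endpoint from AuthType=no to
# password auth. Args: mongodb_version auth_source username password.
mongo_db_settings() {
  printf 'AuthType=password,AuthMechanism=%s,AuthSource=%s,Username=%s,Password=%s' \
    "$(auth_mechanism_for "$1")" "$2" "$3" "$4"
}

# Fix each failing endpoint read from stdin, then re-test the connection so a bad
# credential is caught before any replication task is restarted.
remediate_all() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r id arn; do
    echo "remediating $id"
    aws dms modify-endpoint --endpoint-arn "$arn" \
      --mongo-db-settings "$(mongo_db_settings "$MONGO_VERSION" admin "$MONGO_USER" "$MONGO_PASS")"
    aws dms test-connection --replication-instance-arn "$REPL_ARN" --endpoint-arn "$arn"
  done
}

# Constructed sample of the describe-endpoints output so the audit step runs offline.
SAMPLE="$(printf '%s\t%s\t%s\n' \
  legacy-mongo-src    arn:aws:dms:us-east-1:111122223333:endpoint:EXAMPLE1 no \
  orders-mongo-src    arn:aws:dms:us-east-1:111122223333:endpoint:EXAMPLE2 password \
  inventory-mongo-src arn:aws:dms:us-east-1:111122223333:endpoint:EXAMPLE3 no)"
if [ "${DRY_RUN:-1}" = 1 ]; then
  printf '%s\n' "$SAMPLE" | failing_endpoints   # audit only: lists the two offenders
else
  aws dms describe-endpoints --filters Name=engine-name,Values=mongodb \
    --query 'Endpoints[].[EndpointIdentifier,EndpointArn,MongoDbSettings.AuthType]' \
    --output text | failing_endpoints | remediate_all
fi
```

Run with DRY_RUN=0 only after the operator has exported the credential variables; the default run touches nothing and only prints the endpoints that would fail the control.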
More DMS controls
- DMS.1 A DMS replication instance is publicly accessible
- DMS.6 DMS instances auto minor version upgrade
- DMS.7 DMS target DB tasks should have logging
- DMS.8 DMS source DB tasks should have logging
- DMS.9 DMS endpoints should use SSL
- DMS.10 DMS Neptune endpoints should have IAM auth
- DMS.12 DMS Redis endpoints should have TLS
- DMS.13 DMS replication instances should be Multi-AZ