
Metadata

Id: cloudformation-aws-dms-endpoint-mongo-db-settings-password-exposed

Provider: AWS

Platform: CloudFormation

Severity: High

Category: Secret Management

Learn More

Description

Storing MongoDB passwords for AWS DMS endpoints in plaintext or as a parameter with a Default value exposes credentials in CloudFormation templates, source control, and template outputs. This increases the risk of compromise and unauthorized access.

Verify the AWS::DMS::Endpoint resource’s Properties.MongoDbSettings.Password is not a literal string value and is not a Ref to a Parameters entry that defines a Default.

Instead, provide the secret via AWS Secrets Manager (CloudFormation dynamic reference) or as a parameter without a Default (and with NoEcho: true) so secrets are not embedded in the template. Resources whose MongoDbSettings.Password is a literal value, or a Ref to a parameter that defines a Default, will be flagged.

Secure configuration examples:

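---
# Use Secrets Manager dynamic reference
Resources:
  MyDmsEndpoint:
    Type: AWS::DMS::Endpoint
    Properties:
      EndpointIdentifier: my-endpoint
      EngineName: mongodb
      MongoDbSettings:
        Username: myuser
        # CloudFormation resolves the secret at deploy time, so the
        # password value never appears in the template or in source control.
        Password: '{{resolve:secretsmanager:my-secret-id:SecretString:password}}'
---
# Use a parameter with NoEcho and no Default
Parameters:
  DbPassword:
    Type: String
    # No Default: the password must be supplied when the stack is created,
    # so nothing is embedded in the template. NoEcho masks the supplied
    # value wherever CloudFormation reports parameter values.
    NoEcho: true

Resources:
  MyDmsEndpoint:
    Type: AWS::DMS::Endpoint
    Properties:
      EndpointIdentifier: my-endpoint
      EngineName: mongodb
      MongoDbSettings:
        Username: myuser
        Password: !Ref DbPassword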

Compliant Code Examples

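---
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    Default: ''
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
  # Compliant: the Default is empty, so no credential value is embedded in
  # the template. The rule description still recommends omitting Default
  # entirely and setting NoEcho: true on password parameters.
  MasterMongoDBPassword:
    Description: 'Password'
    Type: String
    Default: ''
Resources:
  NewAmpApp1:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        AuthMechanism: String
        AuthSource: String
        AuthType: String
        DatabaseName: String
        DocsToInvestigate: String
        ExtractDocId: String
        NestingLevel: String
        # Checked by this rule: a !Ref to a parameter whose Default is
        # empty, so the real password is supplied at deploy time.
        Password: !Ref MasterMongoDBPassword
        Port: 80
        ServerName: String
        Username: String
      NeptuneSettings:
        NeptuneSettings
      Password: !Ref ParentMasterPassword
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String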
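---
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
  # Compliant: no Default at all, so the password must be supplied at stack
  # creation. The rule description also recommends NoEcho: true here so the
  # supplied value is masked wherever CloudFormation reports parameters.
  MasterMongoDBPassword:
    Description: 'Password'
    Type: String
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username'
Resources:
  NewAmpApp2:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        AuthMechanism: String
        AuthSource: String
        AuthType: String
        DatabaseName: String
        DocsToInvestigate: String
        ExtractDocId: String
        NestingLevel: String
        # Checked by this rule: a !Ref to a parameter without a Default.
        Password: !Ref MasterMongoDBPassword
        Port: 80
        ServerName: String
        Username: String
      NeptuneSettings:
        NeptuneSettings
      Password: !Ref ParentMasterPassword
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String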
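---
Resources:
  NewAmpApp3:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        AuthMechanism: String
        AuthSource: String
        AuthType: String
        DatabaseName: String
        DocsToInvestigate: String
        ExtractDocId: String
        NestingLevel: String
        # Compliant: a Secrets Manager dynamic reference that CloudFormation
        # resolves at deploy time, so no password value is stored in the
        # template; !Sub fills in the ${...} with the secret resource's Ref
        # (presumably its ARN). NOTE(review): the secret-string segment is
        # left empty here ("::password"); the example earlier on this page
        # spells it out as "SecretString" -- confirm both forms resolve.
        Password: !Sub '{{resolve:secretsmanager:${MongoDBSecretManagerRotater}::password}}'
        Port: 80
        ServerName: String
        Username: String
      NeptuneSettings:
        NeptuneSettings
      Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String
  MyAmpAppSecretManagerRotater:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: 'This is my amp app instance secret'
      # The password is generated by Secrets Manager, so it is never written
      # into the template or committed to source control.
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: 'password'
        PasswordLength: 16
        ExcludeCharacters: '"@/\'
  MongoDBSecretManagerRotater:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: 'This is my MongoDBSecretManagerRotater instance secret'
      # Same pattern as above: generated secret, referenced from
      # MongoDbSettings.Password via a dynamic reference.
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: 'password'
        PasswordLength: 16
        ExcludeCharacters: '"@/\'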

Non-Compliant Code Examples

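---
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    Default: ''
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
  # Non-compliant: a non-empty Default is a credential embedded in the
  # template, so it ends up in source control and in template outputs.
  # Remove the Default (and add NoEcho: true) so the value is supplied at
  # deploy time instead.
  MasterMongoDBPassword:
    Description: 'Password'
    Type: String
    Default: 'as@3djdkDjskjs73!!'
Resources:
  NewAmpApp4:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        AuthMechanism: String
        AuthSource: String
        AuthType: String
        DatabaseName: String
        DocsToInvestigate: String
        ExtractDocId: String
        NestingLevel: String
        # Flagged: the !Ref is indirect, but the referenced parameter
        # defines a non-empty Default, so the password is still in the
        # template.
        Password: !Ref MasterMongoDBPassword
        Port: 80
        ServerName: String
        Username: String
      NeptuneSettings:
        NeptuneSettings
      Password: !Ref ParentMasterPassword
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String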
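---
Resources:
  NewAmpApp5:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        AuthMechanism: String
        AuthSource: String
        AuthType: String
        DatabaseName: String
        DocsToInvestigate: String
        ExtractDocId: String
        NestingLevel: String
        # Flagged: a literal password in the template. Replace it with a
        # Secrets Manager dynamic reference or a !Ref to a parameter that
        # has no Default.
        Password: 'as@3djdkDjskjs73!!'
        Port: 80
        ServerName: String
        Username: String
      NeptuneSettings:
        NeptuneSettings
      # Also a plaintext credential; this rule only checks
      # MongoDbSettings.Password, but the same remediation applies.
      Password: 'asDjskjs73!!'
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String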
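---
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
  # Declared without a Default, but never referenced by the
  # MongoDbSettings.Password below, so it does not make the endpoint
  # compliant.
  MasterMongoDBPassword:
    Description: 'Password'
    Type: String
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username'
Resources:
  NewAmpApp6:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        AuthMechanism: String
        AuthSource: String
        AuthType: String
        DatabaseName: String
        DocsToInvestigate: String
        ExtractDocId: String
        NestingLevel: String
        # Flagged: a literal password here, even though the top-level
        # Password below correctly uses a default-less parameter. Use
        # !Ref MasterMongoDBPassword or a Secrets Manager dynamic reference.
        Password: 'asDjskjs73!!'
        Port: 80
        ServerName: String
        Username: String
      NeptuneSettings:
        NeptuneSettings
      Password: !Ref ParentMasterPassword
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String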