--- title: DMS endpoint MongoDB settings password exposed description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > DMS endpoint MongoDB settings password exposed --- # DMS endpoint MongoDB settings password exposed {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-dms-endpoint-mongo-db-settings-password-exposed` **Provider:** AWS **Platform:** CloudFormation **Severity:** High **Category:** Secret Management #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dms-endpoint-mongodbsettings.html) ### Description{% #description %} Storing MongoDB passwords for AWS DMS endpoints in plaintext or as a parameter with a `Default` value exposes credentials in CloudFormation templates, source control, and template outputs. This increases the risk of compromise and unauthorized access. Verify the `AWS::DMS::Endpoint` resource's `Properties.MongoDbSettings.Password` is not a literal string value and is not a `Ref` to a `Parameters` entry that defines a `Default`. Instead, provide the secret via AWS Secrets Manager (CloudFormation dynamic reference) or as a parameter without a `Default` (and with `NoEcho: true`) so secrets are not embedded in the template. Resources missing a Secrets Manager reference or using parameter defaults will be flagged. Secure configuration examples: ```yaml # Use Secrets Manager dynamic reference MyDmsEndpoint: Type: AWS::DMS::Endpoint Properties: EndpointIdentifier: my-endpoint EngineName: mongodb MongoDbSettings: Username: myuser Password: '{{resolve:secretsmanager:my-secret-id:SecretString:password}}' ``` ```yaml # Use a parameter with NoEcho and no Default Parameters: DbPassword: Type: String NoEcho: true MyDmsEndpoint: Type: AWS::DMS::Endpoint Properties: EndpointIdentifier: my-endpoint EngineName: mongodb MongoDbSettings: Username: myuser Password: !Ref DbPassword ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml Parameters: ParentMasterPassword: Description: 'Password' Type: String Default: '' ParentMasterUsername: Description: 'username' Type: String Default: 'username!' MasterMongoDBPassword: Description: 'Password' Type: String Default: '' Resources: NewAmpApp1: Type: AWS::DMS::Endpoint Properties: CertificateArn: String DatabaseName: String EndpointIdentifier: String EndpointType: String EngineName: String ExtraConnectionAttributes: String KafkaSettings: KafkaSettings KinesisSettings: KinesisSettings KmsKeyId: String MongoDbSettings: AuthMechanism: String AuthSource: String AuthType: String DatabaseName: String DocsToInvestigate: String ExtractDocId: String NestingLevel: String Password: !Ref MasterMongoDBPassword Port: 80 ServerName: String Username: String NeptuneSettings: NeptuneSettings Password: !Ref ParentMasterPassword Port: 80 S3Settings: S3Settings ServerName: String SslMode: String Tags: - Tag Username: String ``` ```yaml Parameters: ParentMasterPassword: Description: 'Password' Type: String MasterMongoDBPassword: Description: 'Password' Type: String ParentMasterUsername: Description: 'username' Type: String Default: 'username' Resources: NewAmpApp2: Type: AWS::DMS::Endpoint Properties: CertificateArn: String DatabaseName: String EndpointIdentifier: String EndpointType: String EngineName: String ExtraConnectionAttributes: String KafkaSettings: KafkaSettings KinesisSettings: KinesisSettings KmsKeyId: String MongoDbSettings: AuthMechanism: String AuthSource: String AuthType: String DatabaseName: String DocsToInvestigate: String ExtractDocId: String NestingLevel: String Password: !Ref MasterMongoDBPassword Port: 80 ServerName: String Username: String NeptuneSettings: NeptuneSettings Password: !Ref ParentMasterPassword Port: 80 S3Settings: S3Settings ServerName: String SslMode: String Tags: - Tag Username: String ``` ```yaml Resources: NewAmpApp3: Type: AWS::DMS::Endpoint Properties: CertificateArn: String DatabaseName: String EndpointIdentifier: String EndpointType: String EngineName: String ExtraConnectionAttributes: String KafkaSettings: KafkaSettings KinesisSettings: KinesisSettings KmsKeyId: String MongoDbSettings: AuthMechanism: String AuthSource: String AuthType: String DatabaseName: String DocsToInvestigate: String ExtractDocId: String NestingLevel: String Password: !Sub '{{resolve:secretsmanager:${MongoDBSecretManagerRotater}::password}}' Port: 80 ServerName: String Username: String NeptuneSettings: NeptuneSettings Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}' Port: 80 S3Settings: S3Settings ServerName: String SslMode: String Tags: - Tag Username: String MyAmpAppSecretManagerRotater: Type: AWS::SecretsManager::Secret Properties: Description: 'This is my amp app instance secret' GenerateSecretString: SecretStringTemplate: '{"username": "admin"}' GenerateStringKey: 'password' PasswordLength: 16 ExcludeCharacters: '"@/\' MongoDBSecretManagerRotater: Type: AWS::SecretsManager::Secret Properties: Description: 'This is my MongoDBSecretManagerRotater instance secret' GenerateSecretString: SecretStringTemplate: '{"username": "admin"}' GenerateStringKey: 'password' PasswordLength: 16 ExcludeCharacters: '"@/\' ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml Parameters: ParentMasterPassword: Description: 'Password' Type: String Default: '' ParentMasterUsername: Description: 'username' Type: String Default: 'username!' MasterMongoDBPassword: Description: 'Password' Type: String Default: 'as@3djdkDjskjs73!!' Resources: NewAmpApp4: Type: AWS::DMS::Endpoint Properties: CertificateArn: String DatabaseName: String EndpointIdentifier: String EndpointType: String EngineName: String ExtraConnectionAttributes: String KafkaSettings: KafkaSettings KinesisSettings: KinesisSettings KmsKeyId: String MongoDbSettings: AuthMechanism: String AuthSource: String AuthType: String DatabaseName: String DocsToInvestigate: String ExtractDocId: String NestingLevel: String Password: !Ref MasterMongoDBPassword Port: 80 ServerName: String Username: String NeptuneSettings: NeptuneSettings Password: !Ref ParentMasterPassword Port: 80 S3Settings: S3Settings ServerName: String SslMode: String Tags: - Tag Username: String ``` ```yaml Resources: NewAmpApp5: Type: AWS::DMS::Endpoint Properties: CertificateArn: String DatabaseName: String EndpointIdentifier: String EndpointType: String EngineName: String ExtraConnectionAttributes: String KafkaSettings: KafkaSettings KinesisSettings: KinesisSettings KmsKeyId: String MongoDbSettings: AuthMechanism: String AuthSource: String AuthType: String DatabaseName: String DocsToInvestigate: String ExtractDocId: String NestingLevel: String Password: 'as@3djdkDjskjs73!!' Port: 80 ServerName: String Username: String NeptuneSettings: NeptuneSettings Password: 'asDjskjs73!!' Port: 80 S3Settings: S3Settings ServerName: String SslMode: String Tags: - Tag Username: String ``` ```yaml Parameters: ParentMasterPassword: Description: 'Password' Type: String MasterMongoDBPassword: Description: 'Password' Type: String ParentMasterUsername: Description: 'username' Type: String Default: 'username' Resources: NewAmpApp6: Type: AWS::DMS::Endpoint Properties: CertificateArn: String DatabaseName: String EndpointIdentifier: String EndpointType: String EngineName: String ExtraConnectionAttributes: String KafkaSettings: KafkaSettings KinesisSettings: KinesisSettings KmsKeyId: String MongoDbSettings: AuthMechanism: String AuthSource: String AuthType: String DatabaseName: String DocsToInvestigate: String ExtractDocId: String NestingLevel: String Password: 'asDjskjs73!!' Port: 80 ServerName: String Username: String NeptuneSettings: NeptuneSettings Password: !Ref ParentMasterPassword Port: 80 S3Settings: S3Settings ServerName: String SslMode: String Tags: - Tag Username: String ```