Securing database connections is one of the major concerns in database management, alongside the basic work of writing data to and reading data from a database management system.
Ensuring that access to the database is properly managed, so that unauthorized access is prevented and the principle of least privilege is followed, is crucial.
In a previous article, I talked about the different authentication methods that exist for an Amazon RDS database.
This time, we shall be looking at the same topic for a different database engine in AWS, Amazon DocumentDB. But before we dive into that, let us define what Amazon DocumentDB is and what it can be used for.
What is Amazon DocumentDB?
Amazon DocumentDB is a fully managed database service designed for storing and managing JSON-like documents, similar to MongoDB [link here]. It makes it easy for developers to work with flexible, schema-less data structures while providing scalability, security, and high availability. Since AWS manages it, users don't have to worry about maintenance, backups, or scaling; Amazon DocumentDB handles these automatically. It is well suited to applications that need fast document retrieval, such as content management systems, catalogs, and real-time analytics. Now that we understand what Amazon DocumentDB is, let us take a look at the authentication methods that exist on Amazon DocumentDB and the recommended option.
Password-Based Authentication method
Password-based authentication is one of the most widely used methods for securing access to databases, and Amazon DocumentDB (with MongoDB compatibility) implements it using the SCRAM (Salted Challenge Response Authentication Mechanism) protocol. This method ensures that users can securely authenticate to their DocumentDB clusters using a username and password. Below is a detailed explanation of how it works, its benefits, and best practices for implementation.
How Password-Based Authentication Works in DocumentDB
User Creation:
Database administrators create users within the DocumentDB cluster and assign them a username and password. These credentials are stored securely in the database.
SCRAM Authentication Protocol:
DocumentDB uses the SCRAM-SHA-1 or SCRAM-SHA-256 mechanism for password-based authentication, which protects against brute force, replay attacks, and credential sniffing. When a user is created or their password is updated, DocumentDB combines the password with a random salt, hashes the result with SHA-1 or SHA-256, and stores the salted hash instead of the plaintext password. During authentication, the client and server perform a challenge-response exchange in which the password itself is never transmitted over the network: the server sends a unique challenge (nonce) to the client, which computes a response from the password, the salt, and the nonce and sends it back. The server verifies this response against the stored salted hash and grants access only if they match.
Secure Communication:
Password-based authentication in DocumentDB is typically used over TLS (Transport Layer Security) encrypted connections, ensuring that credentials and data are protected during transmission.
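To make the challenge-response exchange concrete, here is an added example (not code from this article and not Amazon DocumentDB's or any driver's implementation) that carries out a SCRAM-SHA-256 exchange as specified in RFC 7677, in plain Python with hashlib and hmac. It shows both sides: enrollment stores only the salt, the iteration count, a StoredKey and a ServerKey, never the password; the client proves knowledge of the password without sending it; and a captured final message is rejected when the server issues a fresh nonce. Both sides contribute a nonce, as the RFC specifies. The username, nonces, salt and password are constructed sample values; real drivers perform this exchange internally.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample salt so the demonstration is reproducible; real servers use random salts.
SAMPLE_SALT = b"0123456789abcdef"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _parse(msg: str) -> dict:
    # SCRAM messages are comma-separated "k=v" pairs; split on the first "=" so base64 padding survives.
    # (Usernames containing "," or "=" would need the RFC's escaping, omitted here.)
    return dict(part.split("=", 1) for part in msg.split(","))


def _derive(password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes, bytes]:
    # SaltedPassword = PBKDF2-HMAC-SHA256(password, salt, iterations); keys derived per RFC 5802 section 3.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, hashlib.sha256(client_key).digest(), server_key


def enroll_user(password: str, iterations: int = 4096, salt: Optional[bytes] = None) -> dict:
    """What the server stores: no plaintext password, only salted, iterated key material."""
    salt = salt or os.urandom(16)
    _, stored_key, server_key = _derive(password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "stored_key": stored_key, "server_key": server_key}


def client_first(username: str, client_nonce: str) -> str:
    return f"n={username},r={client_nonce}"


def server_first(record: dict, client_first_bare: str, server_nonce: str) -> str:
    # The server appends its own nonce and tells the client which salt and iteration count to use.
    cnonce = _parse(client_first_bare)["r"]
    salt_b64 = base64.b64encode(record["salt"]).decode()
    return f"r={cnonce}{server_nonce},s={salt_b64},i={record['iterations']}"


def client_final(password: str, client_first_bare: str, server_first_msg: str) -> Tuple[str, bytes]:
    """Client proof: ClientKey XOR HMAC(StoredKey, AuthMessage). The password never leaves the client."""
    fields = _parse(server_first_msg)
    client_key, stored_key, server_key = _derive(password, base64.b64decode(fields["s"]), int(fields["i"]))
    without_proof = f"c=biws,r={fields['r']}"  # "biws" is base64 of the "n,," channel-binding header
    auth_message = f"{client_first_bare},{server_first_msg},{without_proof}".encode()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    proof = base64.b64encode(_xor(client_key, client_sig)).decode()
    expected_server_sig = hmac.new(server_key, auth_message, hashlib.sha256).digest()
    return f"{without_proof},p={proof}", expected_server_sig


def server_verify(record: dict, client_first_bare: str, server_first_msg: str, client_final_msg: str) -> Optional[bytes]:
    """Returns the ServerSignature on success, None on a bad proof or a nonce mismatch (replay)."""
    fields = _parse(client_final_msg)
    if fields["r"] != _parse(server_first_msg)["r"]:
        return None  # nonce does not match this exchange: replayed or tampered message
    without_proof = client_final_msg.rsplit(",p=", 1)[0]
    auth_message = f"{client_first_bare},{server_first_msg},{without_proof}".encode()
    client_sig = hmac.new(record["stored_key"], auth_message, hashlib.sha256).digest()
    recovered_client_key = _xor(base64.b64decode(fields["p"]), client_sig)
    if not hmac.compare_digest(hashlib.sha256(recovered_client_key).digest(), record["stored_key"]):
        return None
    return hmac.new(record["server_key"], auth_message, hashlib.sha256).digest()


def authenticate(record: dict, username: str, password: str, client_nonce: str, server_nonce: str) -> bool:
    """Runs the whole exchange; True only if the server accepts the proof and the client accepts the server."""
    cf = client_first(username, client_nonce)
    sf = server_first(record, cf, server_nonce)
    cfinal, expected_server_sig = client_final(password, cf, sf)
    server_sig = server_verify(record, cf, sf, cfinal)
    return server_sig is not None and hmac.compare_digest(server_sig, expected_server_sig)


if __name__ == "__main__":
    record = enroll_user("correct horse", salt=SAMPLE_SALT)
    print("right password:", authenticate(record, "appuser", "correct horse", "cn1", "sn1"))
    print("wrong password:", authenticate(record, "appuser", "wrong horse", "cn1", "sn1"))
```

The replay property follows from the nonces being part of AuthMessage: a proof captured on the wire is bound to one server nonce, so resending it in a later exchange fails the `r` check before any key material is compared. The mutual authentication step (the client checking the ServerSignature) is what tells the client it is talking to a server that holds the real ServerKey rather than an impostor.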
Benefits of Password-Based Authentication with SCRAM
Strong Security:
- SCRAM ensures that passwords are never transmitted or stored in plaintext, reducing the risk of credential theft.
- The use of salted hashes makes it resistant to rainbow table attacks.
- The challenge-response mechanism prevents replay attacks.
Ease of Use:
- Password-based authentication is simple to implement and widely understood, making it accessible for developers and administrators.
- It integrates seamlessly with existing tools and applications that support MongoDB-compatible authentication.
Compatibility:
- Since DocumentDB is compatible with MongoDB, SCRAM authentication works with MongoDB drivers and clients, ensuring a smooth transition for users familiar with MongoDB.
Granular Access Control:
- DocumentDB allows you to create multiple users with different roles and permissions, enabling fine-grained access control to databases and collections.
Best Practices for Password-Based Authentication
Use Strong Passwords:
- Enforce the use of complex, unique passwords for database users to minimize the risk of brute force attacks.
Enable TLS Encryption:
- Always use TLS to encrypt connections between clients and the DocumentDB cluster, ensuring that credentials and data are protected in transit.
Rotate Passwords Regularly:
- Implement a password rotation policy to periodically update database credentials and reduce the risk of compromised passwords.
Leverage IAM for Additional Security:
- For applications running in AWS, consider using IAM Database Authentication in addition to password-based authentication for enhanced security and simplified credential management.
Monitor and Audit Access:
- Use Amazon CloudWatch and AWS CloudTrail to monitor database access and detect any unusual activity.
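The TLS and credential-handling practices above can be checked mechanically before a connection string ever reaches production. The following is an added example, not code from this article or from AWS, that audits a MongoDB-style connection URI for the two things a reviewer looks for first: TLS not enabled (or enabled with certificate verification switched off) and a password embedded in the URI instead of being fetched from a secret store. The two sample URIs, the host name and the credentials in them are constructed; the option names are the standard MongoDB connection-string options.

```python
from typing import List
from urllib.parse import parse_qs, urlsplit

# Constructed sample URIs: one as it might appear in a hurried config, one hardened.
WEAK_URI = "mongodb://appuser:Sup3rSecret@docdb-cluster.example.internal:27017/?tlsAllowInvalidCertificates=true"
HARDENED_URI = "mongodb://appuser@docdb-cluster.example.internal:27017/?tls=true&authMechanism=SCRAM-SHA-256"

# Options that switch off the checks TLS is supposed to provide.
CERT_CHECK_DISABLERS = ("tlsallowinvalidcertificates", "tlsallowinvalidhostnames", "tlsinsecure")


def audit_connection_uri(uri: str) -> List[str]:
    """Returns a list of findings; an empty list means the URI passes this audit."""
    findings: List[str] = []
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        findings.append(f"unexpected scheme '{parts.scheme}': expected mongodb:// or mongodb+srv://")

    # Connection-string option names are case-insensitive; the last occurrence wins.
    opts = {k.lower(): v[-1].lower() for k, v in parse_qs(parts.query).items()}

    if opts.get("tls", opts.get("ssl")) != "true":
        findings.append("TLS not enabled: add tls=true so credentials and data are encrypted in transit")

    for name in CERT_CHECK_DISABLERS:
        if opts.get(name) == "true":
            findings.append(f"{name}=true disables certificate or hostname verification and allows interception")

    if parts.password:
        findings.append("password embedded in the URI: supply it at runtime from a secret store instead")

    return findings


if __name__ == "__main__":
    for label, uri in (("weak", WEAK_URI), ("hardened", HARDENED_URI)):
        print(label, audit_connection_uri(uri) or ["ok"])
```

The hardened URI keeps the username but no password; with a driver such as pymongo the password is passed separately (for example as the `password` keyword argument) after being read from the secret store at start-up, so it never lands in a config file or a process listing.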
Now that we have established how the password-based authentication works, with its benefits and best practices, let us look at the other authentication method which is the IAM authentication method.
IAM Database Authentication method
IAM Database Authentication is a powerful feature offered by Amazon DocumentDB that allows you to authenticate to your database clusters using AWS Identity and Access Management (IAM) users and roles. This method replaces traditional password-based authentication with short-lived, dynamically generated authentication tokens, enhancing security and simplifying credential management. Here’s a deeper dive into how it works and its benefits:
How IAM Database Authentication Works
IAM Role or User Configuration:
- First, you create an IAM user or role with the necessary permissions to access the DocumentDB cluster. This IAM entity is granted the rds-db:connect permission, which allows it to generate a database authentication token.
Generating the Authentication Token:
- Instead of using a static password, the IAM user or role generates an authentication token using the AWS SDK or CLI. This token is a cryptographically signed string that is valid for 15 minutes. The token includes details such as the IAM entity, the database user, and the expiration time.
Connecting to DocumentDB:
- When connecting to the DocumentDB cluster, the application or client uses the authentication token in place of a password. The token is passed as the password parameter during the connection process. DocumentDB validates the token and grants access if it is valid and matches the IAM entity and database user.
Token Expiry and Renewal:
- Since the token is valid for only 15 minutes, applications must generate a new token before the current one expires. This short-lived nature reduces the risk of token misuse and enhances security.
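The renewal requirement in the last step is where applications most often go wrong: a token generated once at start-up works for the first connection and then silently fails after 15 minutes. The following added example (not code from this article or from the AWS SDK) is a small provider that caches the current token and mints a new one before the 15-minute validity the article states runs out. The SDK call that actually generates the token is not shown on this page, so the provider takes a caller-supplied generator; the stub generator, the fake clock and the 60-second refresh margin are assumptions made for the demonstration.

```python
import time
from typing import Callable, Optional

TOKEN_LIFETIME_SECONDS = 15 * 60  # validity period stated in the article
REFRESH_MARGIN_SECONDS = 60       # assumption: renew one minute before expiry to absorb clock skew and latency


class AuthTokenProvider:
    """Hands out a valid token on every call, regenerating it before the cached one expires."""

    def __init__(self, generate_token: Callable[[], str],
                 clock: Callable[[], float] = time.monotonic,
                 lifetime: float = TOKEN_LIFETIME_SECONDS,
                 margin: float = REFRESH_MARGIN_SECONDS) -> None:
        self._generate = generate_token  # e.g. a closure around your SDK's token call (not shown on this page)
        self._clock = clock
        self._lifetime = lifetime
        self._margin = margin
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.refresh_count = 0

    def seconds_until_refresh(self) -> float:
        """How long the cached token will still be handed out; <= 0 means the next call regenerates."""
        return (self._expires_at - self._margin) - self._clock()

    def password(self) -> str:
        """Use the returned value as the password parameter when opening a new connection."""
        if self._token is None or self.seconds_until_refresh() <= 0:
            issued_at = self._clock()
            self._token = self._generate()
            self._expires_at = issued_at + self._lifetime
            self.refresh_count += 1
        return self._token


class FakeClock:
    """Constructed clock for the demonstration so expiry can be simulated without waiting 15 minutes."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def make_stub_generator() -> Callable[[], str]:
    """Stand-in for the real token call; returns a distinct constructed token on each invocation."""
    counter = [0]

    def generate() -> str:
        counter[0] += 1
        return f"constructed-token-{counter[0]}"

    return generate


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    provider = AuthTokenProvider(make_stub_generator(), clock=clock.now)
    print(provider.password())          # first token minted
    clock.advance(13 * 60)
    print(provider.password())          # same token, still well inside the window
    clock.advance(61)                   # 14 min 1 s after issue: inside the refresh margin
    print(provider.password())          # new token minted
```

Two design points: the expiry is computed from the time the token was requested, not the time it came back, so a slow SDK call can only make the provider refresh early, never late; and the token is fetched lazily on the first `password()` call rather than in the constructor, so a process that never connects never needs credentials at all.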
Benefits of IAM Database Authentication
Enhanced Security:
- Eliminates the need to store and manage static database passwords, reducing the risk of credential leaks.
- Tokens are short-lived and automatically expire, minimizing the window of opportunity for misuse.
- Leverages AWS IAM’s robust access control mechanisms, including multi-factor authentication (MFA) and fine-grained permissions.
Simplified Credential Management:
- Centralized management of access through IAM users and roles.
- No need to manually rotate database passwords, as tokens are dynamically generated.
Scalability:
- Ideal for applications with dynamic workloads or those running in serverless environments (e.g., AWS Lambda), where managing static credentials can be challenging.
Integration with AWS Ecosystem:
- Seamlessly integrates with other AWS services, such as AWS Secrets Manager, for secure credential storage and retrieval.
- Works well with IAM policies, enabling granular access control based on roles and permissions.
Use Cases for IAM Database Authentication
Serverless Applications:
Applications running on AWS Lambda can use IAM roles to generate tokens and connect to DocumentDB without hardcoding credentials.
Temporary Access:
Ideal for granting temporary access to developers or administrators without creating permanent database users.
Automated Workflows:
CI/CD pipelines or automated scripts can use IAM roles to securely access DocumentDB clusters during deployment or maintenance tasks.
Multi-Tenant Applications:
Applications serving multiple tenants can use IAM roles to isolate access and ensure secure, role-based authentication.
Conclusion
Both authentication methods have their pros and cons, as established above, but for passwordless authentication that avoids managing and periodically rotating passwords, the IAM authentication method is likely the best choice. Where password-based authentication is used, the AWS Secrets Manager [link] service can be attached to it to manage password rotation.