Akber A Choudhry

Escaping SCRAM-SHA-1 with AWS IAM Auth

Akber A Choudhry -

Amazon DocumentDB (with MongoDB compatibility) seems "stuck" on SCRAM-SHA-1—is a frequent point of frustration for developers used to standard MongoDB. While MongoDB moved to SCRAM-SHA-256 as the default in version 4.0 (released in 2018), DocumentDB has maintained SHA-1 as its primary password-based mechanism for a few specific reasons.

1. The Root Cause: Why it's still SCRAM-SHA-1

The "problem" is primarily a mismatch between the MongoDB API compatibility and the underlying engine implementation.

  • API vs. Engine: Amazon DocumentDB is not a fork of MongoDB; it is an AWS-built engine that emulates the MongoDB API. While it supports the 4.0 and 5.0 APIs, the internal authentication layer for "User & Password" accounts was built on the SHA-1 standard and has not been updated to support SHA-256 for standard database users.
  • Backwards Compatibility: By staying on SCRAM-SHA-1, AWS ensures that legacy drivers and older application codebases can connect without modification.
  • The "IAM First" Strategy: AWS has prioritized IAM Authentication (MONGODB-AWS) as the secure, modern alternative. From AWS’s perspective, if you want "enhanced security," they want you to move away from passwords entirely and use IAM roles and policies.

2. The Practical Problem: Connection Failures

Most modern MongoDB drivers (Node.js 4.x+, Python 4.x+, etc.) default to SCRAM-SHA-256 because they assume they are talking to a standard MongoDB 4.0+ server. When they try this with DocumentDB, you get the infamous error:

MongoServerError: Unsupported mechanism [ -301 ]

To fix this, you must explicitly tell your driver to "downgrade" the mechanism in your connection string:

mongodb://username:password@cluster-endpoint:27017/?authSource=admin&authMechanism=SCRAM-SHA-1

3. Is SCRAM-SHA-1 a Security Risk?

In theory, SHA-1 is considered cryptographically "broken" regarding collision resistance. However, in the context of DocumentDB, the risk is significantly mitigated:

  • TLS is Required: AWS DocumentDB strongly recommends (and by default requires) TLS/SSL encryption for all connections.2 This means the authentication handshake happens inside an encrypted tunnel, making it virtually impossible for an attacker to "sniff" the SHA-1 exchange.
  • VPC Isolation: Unlike many MongoDB Atlas instances, DocumentDB lives inside your private VPC.3 It is not accessible from the public internet by default, providing a massive layer of "security by obscurity" and network isolation.

4. Comparison of Mechanisms in DocumentDB

MechanismSecurity LevelRecommended Use
SCRAM-SHA-1ModerateStandard user/pass auth; requires manual driver config.
MONGODB-AWSHighRecommended. Uses IAM roles; no passwords stored in the DB.
SCRAM-SHA-256N/AUnsupported for standard DB users in most regions/versions.

Recommendation

If you are strictly required by compliance (like SOC2 or HIPAA) to avoid SHA-1, or if you want the best security posture, you should switch to IAM Authentication. This bypasses the SCRAM issue entirely by using AWS's native identity system.

5. Switching to MONGODB-AWS Authentication

Switching to IAM Authentication (MONGODB-AWS) is the most secure way to connect to DocumentDB. It removes the need for hardcoded passwords and avoids the limitations of the SCRAM-SHA-1 mechanism by leveraging AWS Identity and Access Management.

A. Prerequisites: Cluster and Database Setup

Before changing your code, you must perform two administrative steps:

  1. Enable IAM Auth on Cluster: Ensure your DocumentDB cluster has IAM authentication enabled (this can be toggled in the AWS Console under the "Connectivity & security" tab).

2. Create the Database User: You must map an IAM ARN (User or Role) to a database user inside the DocumentDB shell using the $external source:JavaScript

db.getSiblingDB("$external").createUser(
    {
        user: "arn:aws:iam::123456789012:user/your-iam-user",
        roles: [ { role: "readWrite", db: "your-database" } ]
    }
);

OR via role

use $external;
db.createUser(
  {
    user: "arn:aws:iam::123456789012:role/docdb-iam-role",
    mechanisms: ["MONGODB-AWS"],
    roles: [ { role: "readWrite", db: "your_database" } ]
  }
);

B. Driver Connection String Format

  • Version: IAM authentication is only supported on Amazon DocumentDB 5.0 or later.
  • Mechanism: Your driver must use the MONGODB-AWS authentication mechanism.
  • TLS: TLS must be enabled for the connection.
  • Connection String:mongodb://<cluster-endpoint>:27017/?authMechanism=MONGODB-AWS&authSource=%24external&tls=true&tlsCAFile=global-bundle.pem

The core change is the authMechanism and authSource. The connection string generally follows this pattern:

mongodb://<ACCESS_KEY>:<SECRET_KEY>@<CLUSTER_URL>:27017/?authMechanism=MONGODB-AWS&authSource=%24external&tls=true

Note: %24external is the URL-encoded version of $external.

C. Other Benefits

  • No Password Rotation: You don't have to manage or rotate database passwords in Secrets Manager; IAM handles the temporary token generation.
  • Security Groups + IAM: You gain "Double-Wall" security—the connection must be allowed by the VPC Security Group and authorized by an IAM Policy.
  • Centralized Logging: Database access attempts are logged via AWS CloudTrail.


FeaturePassword AuthenticationIAM Authentication
MechanismSCRAM-SHA-1MONGODB-AWS
Auth Sourceadmin (usually)$external
Credential RotationManual or Secrets ManagerAutomatic (via AWS STS)
SecurityStatic passwordShort-lived tokens

D. Important Note on Performance

Because IAM authentication requires a call to the AWS STS (Security Token Service) to verify the identity during the handshake, the initial connection may be slightly slower than a standard password login. It is highly recommended to use connection pooling to keep connections alive and avoid the overhead of re-authenticating on every request.

To allow an application (like an AWS Lambda function or an EC2 instance) to connect to Amazon DocumentDB using IAM Authentication, you must grant the IAM identity (User or Role) the rds-db:connect permission.

Even though the service is DocumentDB, it leverages the Amazon RDS control plane for its IAM authentication mechanism, so the policy uses the rds-db namespace.

E. The IAM Policy (JSON)

Attach this policy to the IAM Role or User that your application is using.

JSON

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDocDBConnection",
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:REGION:ACCOUNT_ID:dbuser:CLUSTER_RESOURCE_ID/DB_USER_NAME"
            ]
        }
    ]
}

Policy Variables:

  • REGION: The AWS region (e.g., us-east-1).
  • ACCOUNT_ID: Your 12-digit AWS account number.
  • CLUSTER_RESOURCE_ID: This is not the cluster name. It is a unique identifier starting with cluster- (e.g., cluster-ABCD1234EFGH5678). You can find this in the AWS Console under the "Configuration" tab for your cluster or via the CLI:aws docdb describe-db-clusters --db-cluster-identifier <your-cluster-name> --query 'DBClusters[0].DbClusterResourceId'
  • DB_USER_NAME: The name of the user created inside DocumentDB. For IAM authentication, this is typically the full ARN of the IAM user or role.

6. See Also

This video provides a visual overview of how IAM roles integrate with DocumentDB and the security benefits of using passwordless authentication.