AWS-DocumentDB-db-cluster-master-username-well-known-or-default

Severity: High

Description: This control ensures the DocumentDB Cluster use unique Master Usernames instead of defaults ("root", "awsuser", "admin", "rdsadmin"). Master user has extensive privileges on the database instance which includes creation on databases and modifications of tables. If not specified during the time of creation of the Instance, a default username is set for the Master username. These default usernames are easy to determine and can be targeted by attackers in attacks such as brute-force.

Remediation Steps:

Perform following to update DocumentDB master user name:

Step 1: Backup Data in cluster
1. Use a backup tool to create a backup of data in the DocumentDB Cluster.
2. Create a new Cluster using the same configuration but new master username.
3. Restore the data from old Instance to the new Instance.
4. Follow Generic guidelines to ensure dependent applications are connecting to new DocumentDB Cluster.
Step 2 : Update the server certificate
1. Login to the AWS Management Console at https://console.aws.amazon.com.
2. Navigate to DocumentDB console.
3. n the Navigation pane, choose Databases.
4. Click Create Database button.
5. Configure the setting similar to the old DocumentDB Cluster.
6. Under Settings -> Credential Setting, enter a unique alpha-numerical username for Master Username option.
7. Click Create Database button.
After required connection string modifications and security group updates, ensure all applications are successfully connecting and querying to the new DocumentDB Cluster
Now older DB Cluster can be deleted.

Important:

The Master username of an DocumentDB Cluster cannot be modified after the cluster is created.
Use of default usernames and passwords are common weak points in any system.

Reference: