Amazon DocumentDB
Amazon DocumentDB (with MongoDB compatibility) is a fully managed, serverless document database service developed by Amazon Web Services (AWS) that supports MongoDB APIs and drivers, enabling the storage, querying, and scaling of JSON data in a cloud-native environment without requiring manual infrastructure management.[1][2] Designed for high-performance applications handling semi-structured data, Amazon DocumentDB separates compute and storage to allow independent scaling, with automatic storage expansion up to 128 TiB in 10 GB increments and the ability to add up to 15 read replicas for enhanced throughput, achieving millions of reads and writes per second with single-digit millisecond latency.[2][3] Its architecture features a shared cluster volume that replicates data six ways across three Availability Zones for 99.999999999% durability, while the primary instance handles read/write operations and replicas support read scaling with minimal lag under 100 ms.[3] This service ensures high availability through automated failover, point-in-time recovery for up to 35 days, and encryption at rest using AWS Key Management Service (KMS), making it suitable for mission-critical workloads in sectors like healthcare and finance.[2][1] Key benefits include up to 90% cost savings compared to peak provisioning through on-demand scaling and optimized instance types, alongside compatibility that facilitates seamless migration from MongoDB without code changes or downtime.[1] Common use cases encompass content management systems, user profile storage, personalized recommendations, and AI-driven applications requiring low-latency global access via Global Clusters.[1] It supports a wide range of MongoDB operations for querying and indexing documents, operates within an AWS Virtual Private Cloud (VPC) for secure connectivity, and integrates with tools like Amazon CloudWatch for monitoring.[2][3]
Overview
Description
Amazon DocumentDB is a fully managed, MongoDB-compatible document database service that offers serverless, provisioned instance-based, and elastic cluster configurations for storing, querying, and scaling JSON-like documents on Amazon Web Services (AWS).[1] It enables developers to handle semi-structured data with flexible schemas, making it suitable for applications such as content management systems, user profiles, product catalogs, and mobile applications.[4][5] The service offers key benefits including automatic scaling of compute and storage resources to meet application demands, high availability through data replication across three Availability Zones, support for up to 128 TiB of storage per cluster, and the capacity to handle millions of reads and writes per second.[3][6][5] These features provide durability and performance without requiring manual infrastructure management.[2] Introduced on January 9, 2019, Amazon DocumentDB serves as AWS's proprietary NoSQL document database solution, offering compatibility with the MongoDB API to facilitate adoption for existing MongoDB workloads.[7]
History
Amazon DocumentDB was launched by Amazon Web Services on January 9, 2019, as a fully managed document database service compatible with MongoDB 3.6, designed to provide scalable JSON document storage with high performance and availability.[7][8] On November 9, 2020, Amazon DocumentDB introduced version 4.0, enhancing compatibility with MongoDB 4.0 and adding features such as improved aggregation pipelines and sharding support to better handle complex queries and larger datasets.[8][9]
In November 2022, AWS announced elastic clusters for Amazon DocumentDB, enabling horizontal scaling across multiple shards to support workloads exceeding 128 TiB of storage per cluster, marking a shift toward greater scalability for distributed applications.[10] Version 5.0 was released on March 1, 2023, bringing compatibility with MongoDB 5.0, including support for client-side field-level encryption and doubling the maximum storage capacity to 128 TiB for instance-based clusters and elastic clusters.[8][11][9] Throughout 2023, additional enhancements included the introduction of document compression in July, which uses LZ4 algorithms to reduce storage costs for large collections, and vector search capabilities in late November, allowing approximate nearest neighbor queries with HNSW and IVFFLAT indexes for AI and machine learning workloads.[12][13][14]
In 2025, Amazon DocumentDB advanced further with the availability of serverless configurations on July 31, enabling automatic scaling in fine-grained increments without provisioning instances, followed by AWS's announcement on August 24 of joining the open-source DocumentDB project under the Linux Foundation to promote interoperability and community-driven development.[15][16] Later that year, on October 22, support for Graviton4-based R8G instances was added, delivering improved price-performance for compute-intensive workloads.[12] On October 28, a new query planner (version 2.0) was released, optimizing complex queries with advanced cost-based planning for up to 10x performance improvements in aggregation and join operations.[12][17][18] On November 11, 2025, Amazon DocumentDB released version 8.0, achieving full wire protocol compatibility with MongoDB 8.0, introducing query planner version 3 for enhanced aggregation performance, Zstandard compression offering up to 5x better compression ratios than LZ4, and improvements to vector search including 30x faster index builds.[12]
Standard support for version 3.6 is scheduled to end on March 30, 2026, after which extended support will be available for an additional fee to maintain security patches and compatibility.[6][19] Over its evolution, Amazon DocumentDB has transitioned from provisioned instance-based clusters to elastic and serverless options, emphasizing enhancements in performance, scalability through sharding and auto-scaling, and interoperability via open-source contributions.[20]
Architecture
Core Components
An Amazon DocumentDB cluster is composed of a single primary instance that manages all write operations, up to 15 read replica instances to offload and distribute read traffic, and a shared storage volume that holds the persistent data for the entire cluster.[3] The primary instance serves as the entry point for writes, while replicas provide scalable read capacity without duplicating data storage.[21] Replicas can be distributed across multiple Availability Zones to support high availability, with replication details covered in the storage and replication architecture.[22] Instance classes in Amazon DocumentDB include memory-optimized options, such as those in the db.r5, db.r6g, and db.r8g families, which deliver high performance for memory-intensive applications and offer up to 43% cost savings compared to equivalent instances in other popular document databases.[1] The storage can be configured as standard or I/O-optimized; the I/O-optimized configuration provides up to 40% cost savings for workloads where I/O operations account for more than 25% of total database expenses, by reducing I/O charges through optimized storage handling.[21] The db.r8g instances, powered by AWS Graviton4 processors, achieve up to 30% better performance than previous Graviton-based generations like db.r6g, enabling efficient processing of demanding queries.[23] The storage volume in an Amazon DocumentDB cluster is decoupled from compute resources, permitting independent scaling of storage capacity without affecting instance performance. This volume automatically expands in 10 GB increments as data grows, reaching a maximum of 128 TiB, and users are billed only for the actual storage consumed rather than provisioned capacity.[3] Such separation enhances flexibility for applications with varying data growth patterns. 
Amazon DocumentDB clusters are deployed within an Amazon Virtual Private Cloud (VPC) to ensure secure, isolated networking environments with customizable subnets and IP addressing.[24] Each cluster includes a writer endpoint (also known as the cluster endpoint) that directs connections to the primary instance for both reads and writes, supporting automatic failover, and a reader endpoint that load-balances read-only traffic across available replicas to optimize performance.[25]
Storage and Replication
Amazon DocumentDB employs a shared storage architecture where data is stored on a cluster volume, a virtual, distributed, and fault-tolerant storage layer that automatically scales from 10 GB to 128 TiB in 10 GB increments.[3] This volume replicates data six ways across three Availability Zones, with two copies per zone, to ensure high durability and availability.[26] The system achieves 99.999999999% durability by leveraging this multi-AZ replication, protecting against the failure of two Availability Zones without data loss.[3]
In the replication process, the primary instance handles all write operations and logs changes directly to the cluster volume, while read replica instances asynchronously pull these updates from the shared storage to maintain eventual consistency, typically with a replication lag of less than 100 ms.[3] This pull-based model enables up to 15 replicas per cluster for read scaling, as all instances access the same underlying storage without the need for instance-to-instance data copying.[22] Replicas can be distributed across Availability Zones to balance load and enhance fault tolerance.
For high availability, Amazon DocumentDB automatically detects primary instance failures and promotes the healthiest replica to primary in under 30 seconds, minimizing downtime for read and write operations.[27] The cluster endpoint seamlessly redirects traffic to the new primary, and the former primary, once recovered, rejoins as a replica.[22] Backups in Amazon DocumentDB are automated and continuous, capturing transaction logs and storing them durably in Amazon S3, with a configurable retention period of up to 35 days.[2] This enables point-in-time recovery to any second within the retention period, excluding the last five minutes, allowing restoration to a specific state without full cluster recreation.[2]
Key Features
Scalability and Performance
Amazon DocumentDB provides flexible scaling options to handle varying workloads, supporting both instance-based and elastic cluster architectures. In instance-based clusters, users can scale vertically by resizing instances to larger types for increased compute and memory capacity, or horizontally by adding up to 15 read replicas to distribute read traffic and enhance throughput.[28] Elastic clusters, on the other hand, automatically scale compute and storage based on demand through sharding, enabling workloads to reach millions of reads and writes per second with petabyte-scale storage.[29][30] Performance is optimized through serverless auto-scaling, which dynamically adjusts capacity to match application needs, offering up to 90% cost savings compared to provisioning for peak loads.[21] In October 2025, Amazon DocumentDB introduced a new query planner (version 2.0), which delivers up to 10x performance improvements and greater stability for complex queries.[17][31] Global clusters facilitate multi-region replication, providing low-latency reads across AWS Regions and enabling disaster recovery with recovery time objectives (RTO) typically under one minute.[32][33] For query efficiency, Amazon DocumentDB supports parallel index builds to accelerate index creation without downtime and provides index bloat metrics via Amazon CloudWatch to monitor and mitigate storage inefficiencies.[12][34]
Query and Indexing Capabilities
Amazon DocumentDB provides robust query capabilities compatible with MongoDB's aggregation framework, enabling complex data processing and analysis. It supports the full MongoDB aggregation pipeline, including core stages such as $group for grouping documents and computing aggregate values, and $project for reshaping documents by including, excluding, or transforming fields.[35] This allows users to perform multi-stage operations like filtering, sorting, and joining data within a single query. Additionally, date manipulation operators like $dateAdd and $dateSubtract are fully supported, facilitating time-based computations such as adding or subtracting intervals from date fields in aggregation expressions.[35]
In July 2025, Amazon DocumentDB introduced the $regexFindAll aggregation operator, which applies a regular expression to a string and returns an array of all non-overlapping matches, enhancing pattern-matching capabilities for text processing in pipelines.[12] For example, to extract all email addresses from a text field, one could use { $regexFindAll: { input: "$description", regex: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/ } } (the top-level-domain class is written [A-Za-z] rather than [A-Z|a-z], since a pipe inside a character class matches a literal "|"). This operator, along with other string functions like $trim and $replaceAll, supports advanced text manipulation without requiring external processing.[12]
Indexing in Amazon DocumentDB optimizes query performance across various data types and use cases. It supports compound indexes, which combine multiple fields into a single index structure to efficiently handle multi-field queries; TTL (Time-To-Live) indexes, which automatically expire and delete documents after a specified duration; and partial indexes, which index only documents matching a filter expression to reduce index size and improve selectivity for targeted queries.[34][36] Parallel index builds, available since June 2024, accelerate the creation of indexes on large collections by distributing the workload across multiple workers, potentially reducing build times by up to 14 times compared to single-threaded builds on compatible instance types.[37]
For AI and machine learning applications, Amazon DocumentDB introduced vector search in November 2023, allowing storage, indexing, and similarity searches on high-dimensional vectors using approximate nearest neighbor algorithms.[38] Users can create vector indexes on embedding fields and query them with operators like $vectorSearch to retrieve semantically similar documents, supporting up to millions of vectors per collection.
Advanced features further enhance efficiency and flexibility. Document compression, introduced in version 5.0, applies LZ4 compression at the collection level to reduce storage and I/O costs, compressing documents larger than 2 KB by up to seven times while maintaining query compatibility.[39] Starting in October 2025, version 5.0 also supports collection names up to 255 characters, accommodating longer namespaces for better organization in complex schemas.[12]
In November 2025, Amazon DocumentDB introduced engine version 8.0 with query planner version 3.0, offering up to 2x overall performance improvement over planner v2.0. This version supports 21 aggregation stages, including new ones such as $replaceWith, $vectorSearch, $merge, $set, $unset, and $bucket, along with additional operators like $pow, $rand, and various date functions.[40]
While versatile, Amazon DocumentDB has limitations in elastic clusters, where certain MongoDB sharding features, such as multi-document transactions spanning multiple shards and some shard management commands like $shardedCollections, are not supported to ensure scalability and consistency.[29][41] Auto-scaling in elastic clusters can handle varying query loads by dynamically adjusting shard capacity.
Compatibility
MongoDB API Support
Amazon DocumentDB (with MongoDB compatibility) is designed to be compatible with the MongoDB 3.6, 4.0, 5.0, and 8.0 APIs, operations, data types, and drivers, enabling users to leverage existing MongoDB applications with minimal or no code changes.[9] This compatibility extends to the MongoDB wire protocol, which allows seamless integration by emulating server responses that MongoDB drivers and tools expect.[21] As a result, developers can reuse their application code, including connections via standard MongoDB drivers for these versions, without requiring modifications to connect to DocumentDB clusters.[35] Support for MongoDB 8.0 compatibility was introduced on November 14, 2025, adding enhancements such as up to 7x improved query performance, up to 5x better compression, and new aggregation operators like replaceWith and vectorSearch.[42] Key supported features include querying and aggregating data using operations such as find, aggregate, and distinct; updating and inserting documents with commands like update, insert, and findAndModify; and managing indexes and collections through APIs like createIndexes, listIndexes, dropIndexes, createCollection, and renameCollection.[35] Client-side field-level encryption, which enables in-application encryption of sensitive data before transmission to the database, was introduced in the 5.0 compatibility version to support compliance with data protection regulations.[11] These features align closely with MongoDB's aggregation pipeline, including operators like $group, $match, and $sort, facilitating advanced data processing within DocumentDB.[35]
DocumentDB includes unique AWS-specific extensions integrated into the MongoDB APIs, such as encryption at rest using AWS Key Management Service (KMS) for databases, backups, snapshots, and replicas, which enhances security without altering standard MongoDB workflows.[21] Engine versions in DocumentDB align with MongoDB releases, providing feature parity for querying, transactions (ACID support in 4.0+), and change streams (with 7-day retention in 4.0+).[9] For older versions, extended support for MongoDB 3.6 compatibility is available until March 30, 2026, after which users can opt for paid extended support to continue running clusters, ensuring gradual transitions.[6][19]
Migration Considerations
Migrating data and applications to Amazon DocumentDB from other databases, particularly self-managed MongoDB instances, involves several established paths to ensure minimal disruption. One common approach is using MongoDB's native tools, such as mongodump for exporting data from the source and mongorestore for importing it into DocumentDB clusters. These tools support offline migrations and can handle parallel collections for efficiency, making them suitable for smaller datasets or initial testing. For larger-scale or online migrations with ongoing replication, the AWS Database Migration Service (DMS) is recommended, as it facilitates schema mapping, full data loads, and change data capture (CDC) from MongoDB sources in replica set mode to DocumentDB targets. DMS handles data transfer across heterogeneous environments while supporting JSON-based configurations for tasks like parallel apply threads to optimize performance.[43][44]
Key challenges in migration arise from differences in architecture and supported features between MongoDB and DocumentDB. For instance, DocumentDB does not support MongoDB's sharding mechanism, where data is distributed across shards using shard keys; instead, it relies on a shared cluster storage volume for horizontal scaling, requiring applications dependent on sharding to be refactored for data distribution logic. Additionally, DocumentDB instance-based clusters have AWS-specific limits, such as a maximum of 16 instances per cluster (one primary and up to 15 replicas), which may necessitate adjustments if the source MongoDB setup exceeds this for high availability or read scaling. These limitations can impact workloads with extreme partitioning needs, potentially requiring a redesign to leverage DocumentDB's elastic clusters for greater scalability.[2][45][22]
To address these hurdles, best practices emphasize thorough compatibility testing and version management. Developers should validate application drivers—those compatible with MongoDB 3.6, 4.0, 5.0, or 8.0 APIs—against DocumentDB using representative workloads to identify any behavioral differences in queries or connections. For version upgrades, such as moving from MongoDB 3.6 compatibility to 5.0, migrations often involve creating a new DocumentDB cluster at the target version and transferring data via DMS or dump/restore tools, as direct in-place upgrades from older versions require careful planning to avoid downtime. DocumentDB supports in-place major version upgrades from 3.6 or 4.0 to 5.0, preserving endpoints, storage, and tags while enabling seamless transitions for existing clusters without data movement. Upgrades to 8.0 compatibility require creating a new cluster and migrating data, as in-place major version upgrades are not supported.[43][46][20] The AWS Schema Conversion Tool (SCT) can assist with minor schema adaptations during DMS tasks, particularly for mapping collections and ensuring compatibility in hybrid migrations. Tools like the Amazon DocumentDB Compatibility Tool further aid by analyzing source logs or code to flag potential issues before migration.[47]
Deployment and Management
Cluster Setup
Amazon DocumentDB clusters can be deployed using the AWS Management Console, AWS Command Line Interface (CLI), or AWS Software Development Kits (SDKs), allowing users to provision instance-based or elastic cluster types tailored to workload needs.[48] For instance-based clusters, the process begins by signing into the AWS Management Console, navigating to the Amazon DocumentDB dashboard, and selecting "Create" under Clusters, where users specify a unique cluster identifier, engine version such as 5.0.0, instance class like db.r5.large, and the number of instances (one primary writer and up to 15 replicas). Engine version 8.0, released on November 11, 2025, is also available and offers up to 7x query performance improvements and 5x better compression, but must be explicitly specified.[9][42] Elastic clusters, which support sharding up to 32 shards for distributed workloads, follow a similar console workflow but require explicit selection of the elastic type during creation and setup of IAM permissions via the AmazonDocDBElasticFullAccess policy.[49]
Network configuration is essential, involving selection of a Virtual Private Cloud (VPC), a subnet group spanning at least two Availability Zones, and security groups to control inbound traffic, typically on port 27017.[48] Configuration options during setup include assigning a custom DB cluster parameter group to tune settings like backup retention and maintenance windows, with the engine version fixed post-creation (options: 5.0.0 default, 4.0.0, 3.6.0, or 8.0) and no explicit auto-minor versioning toggle, though AWS handles minor updates within major versions.[50][9] Backups are configured with a retention period of 1-35 days (default: 1 day) and an automated preferred backup window, while maintenance windows default to automatic scheduling to minimize disruption.[50] Authentication requires setting a master username and password, with encryption enabled by default using the AWS-managed key.[48] Using the AWS CLI, deployment involves commands like aws docdb create-db-cluster to define the cluster identifier, engine, version, and credentials, followed by aws docdb create-db-instance for the primary instance.[48]
After deployment, initial operations involve connecting to the cluster endpoint using MongoDB-compatible drivers, such as the mongo shell via AWS CloudShell, where users authenticate with the master credentials.[51] Databases are not created explicitly; the default database suffices, and collections form upon data insertion, for example, via db.collection.insertOne({"key": "value"}) to add documents.[51]
Amazon DocumentDB is available in multiple AWS Regions worldwide, enabling regional deployments for low-latency access, and supports global clusters for multi-region replication across up to eleven Regions (one primary and ten secondaries), created by initiating a primary cluster and adding secondary Regions via console actions or CLI.[52][53] Supported instance classes for global clusters include db.r5 and db.r6g families.[52]
Monitoring and Maintenance
Amazon DocumentDB integrates with Amazon CloudWatch to provide comprehensive monitoring of cluster and instance performance through various metrics. Key metrics include CPUUtilization, which measures the percentage of CPU capacity used by an instance over a specified period, and AvailableMVCCIds, a counter indicating the number of remaining write operations available before the cluster enters read-only mode due to multi-version concurrency control constraints.[54] Additionally, LongestRunningGCProcess, which tracks the duration in seconds of the longest active garbage collection process and updates every minute, was introduced on July 29, 2025, to help assess cluster health related to garbage collection efficiency.[54][12] These metrics can be viewed and analyzed using the Amazon DocumentDB console's Monitoring tab, the CloudWatch console, AWS CLI, or CloudWatch API, allowing users to set alarms for thresholds such as low AvailableMVCCIds to prevent operational disruptions.[54] Query logging in Amazon DocumentDB is facilitated through CloudWatch Logs, where operations like slow queries or profiling data can be enabled and streamed for analysis.[55] Once logged, users can employ CloudWatch Logs Insights to query, monitor, and archive this data, enabling detailed examination of query patterns and performance bottlenecks without manual log management.[56]
Maintenance activities in Amazon DocumentDB include automated patching of the database engine, which occurs during predefined maintenance windows to apply security updates and improvements with minimal disruption.[57] If no action is taken, required patches are automatically applied in the next scheduled window, though users can defer optional ones.[57] For proactive upkeep, manual instance reboots can be initiated via the AWS Management Console or CLI, resulting in a brief outage but without triggering a full failover, to resolve certain configuration issues or refresh resources.[58] Manual failovers promote a replica instance to primary status, useful for testing or controlled recovery, and are performed using the failover-db-cluster operation.[59] Index bloat, which can degrade query performance due to fragmented storage, is monitored via dedicated CloudWatch metrics introduced in engine patch versions for Amazon DocumentDB 4.0 and 5.0; optimization involves rebuilding indexes during low-traffic periods to reclaim space without downtime.[12][34]
Troubleshooting common issues such as connection throttling, often caused by exceeding per-instance limits or low memory, is supported by monitoring metrics like the number of throttled requests in a one-minute period.[54] Amazon DocumentDB Performance Insights provides a dashboard to visualize database load, identify high-impact queries by average active sessions, and filter by wait events or SQL statements, aiding in pinpointing and resolving performance degradation.[60] For instance, if CPU wait states dominate, it may indicate overload, prompting connection throttling or scaling adjustments.[61]
Major version upgrades in Amazon DocumentDB support in-place operations from versions 3.6 or 4.0 to 5.0, preserving cluster endpoints, storage volumes, and tags to minimize reconfiguration efforts.[46] This process applies updates directly to the existing cluster during a maintenance window, with thorough compatibility testing ensuring smooth transitions for MongoDB-compatible workloads.[46][62] Upgrades to version 8.0, available since November 11, 2025, require using AWS Database Migration Service (DMS) to migrate from 5.0 clusters with minimal downtime.[42]
Security and Compliance
Data Protection
Amazon DocumentDB provides robust data protection through multiple layers of encryption to secure data both at rest and in transit. Data at rest is encrypted using the AES-256 algorithm via the AWS Key Management Service (AWS KMS), employing envelope encryption where a data key is generated and managed by KMS to protect the underlying storage volume, including all user data, indexes, logs, automated backups, and manual snapshots.[63] This encryption is enabled at cluster creation and applies cluster-wide, with options for AWS-managed or customer-managed KMS keys, ensuring transparency to applications without performance impact.[63] For data in transit, Amazon DocumentDB enforces Transport Layer Security (TLS) encryption, requiring TLS 1.2 or higher and recommending TLS 1.3 for connections between clients and the cluster, utilizing Perfect Forward Secrecy (PFS) cipher suites like DHE and ECDHE.[64][65] Additionally, client-side field-level encryption is supported, compatible with MongoDB's encryption library, allowing sensitive data to be encrypted before transmission and stored in encrypted form within DocumentDB 5.0 and later versions.[65]
Backup and recovery mechanisms in Amazon DocumentDB ensure data availability and resilience against loss. The service performs continuous automated backups, capturing daily full snapshots stored in Amazon Simple Storage Service (S3), which is designed for 99.999999999% (11 nines) durability.[2][65] These backups enable point-in-time recovery (PITR) to any second within the retention period, configurable from 1 to 35 days, allowing restoration to a previous state without data loss beyond the recovery point.[66][2] Manual snapshots can also be created for long-term retention and are encrypted using the same KMS keys as the cluster, further safeguarding archived data.[63][65] Overall data durability in Amazon DocumentDB is rated at 99.999999999% over a one-year period, achieved through a fault-tolerant storage system that replicates data six ways across three Availability Zones (AZs) in a multi-AZ deployment.[2][65] This replication ensures that the loss of up to two copies does not impact write availability, and up to three does not affect read availability, with self-healing mechanisms continuously scanning for and repairing errors.[65]
Amazon DocumentDB meets stringent compliance requirements for regulated industries, including authorization under FedRAMP Moderate for standard AWS Regions and High for AWS GovCloud (US) Regions, as well as support for HIPAA and PCI DSS through AWS compliance programs and business associate agreements.[2][65] These certifications validate the service's cryptographic modules under FIPS 140-3 and enable use in environments handling sensitive health, financial, and government data.[65]
Access and Auditing
Amazon DocumentDB provides role-based access control (RBAC) to manage database-level permissions, using built-in roles such as read, readWrite, dbAdmin, and root to define granular actions like querying, inserting, or administering databases and collections.[67] Users are created and managed via MongoDB-compatible commands on the admin database, such as db.createUser for authentication with username and password, allowing roles to be scoped to specific databases or the entire cluster.[67] Custom roles can be defined with precise privileges, supporting up to 1000 users per cluster and 100 user-defined roles.[67]
For enhanced security, Amazon DocumentDB supports IAM database authentication starting with version 5.0, enabling passwordless access using temporary AWS Security Token Service (STS) tokens for IAM users or roles.[68] This method requires specifying authSource=$external and authMechanism=MONGODB-AWS in connection URIs, with users managed in the $external database; it integrates seamlessly with services like EC2, Lambda, and EKS via assumed roles.[68] At the infrastructure level, access to DocumentDB resources like clusters and instances is controlled through IAM identity-based policies, which specify actions such as docdb:CreateDBCluster on ARNs like arn:aws:docdb:region:account-id:db-cluster:cluster-name.[69]
Auditing in Amazon DocumentDB is an opt-in feature that logs database events to Amazon CloudWatch Logs, capturing authentication attempts, data definition language (DDL) operations like creating or dropping collections, and data manipulation language (DML) actions including reads (e.g., find) and writes (e.g., insert, update).[70] To enable auditing, modify the audit_logs parameter group to include options like ddl, dml_read, dml_write, or all, then export logs via the AWS Management Console or CLI; logs are stored in JSON format under paths like /aws/docdb/cluster-name/audit in the same region as the cluster.[70] IAM authentication events can be filtered and monitored in these logs using patterns like { $.param.mechanism = "MONGODB-AWS" }, with no additional costs beyond standard CloudWatch pricing.[70][68] This auditing supports compliance requirements, such as those under FedRAMP Moderate and High authorizations in applicable AWS regions.[71]
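As an added example, not taken from the article or from AWS, the Python script below triages a few constructed audit events of the kind the auditing section describes: it selects IAM logins by the same param.mechanism path that the CloudWatch pattern { $.param.mechanism = "MONGODB-AWS" } tests (covering the IAM authentication paragraph as well), counts failed authentications per source address, and lists DDL events. The event keys other than param.mechanism (atype, ts, remote_ip, user, param.success) and the DDL event-type names are assumptions, not taken from the article.

```python
"""Triage of Amazon DocumentDB audit events exported to CloudWatch Logs.

Added example, not code from the article or from AWS. Only the
param.mechanism path comes from the article; atype, ts, remote_ip, user,
param.success and the DDL event names below are assumed field names.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Event types treated as DDL here. Assumed names, modelled on the MongoDB
# command names the article says the audit log covers.
DDL_ATYPES = frozenset({
    "createCollection", "dropCollection", "renameCollection",
    "createIndex", "dropIndex", "dropDatabase",
    "createUser", "dropUser", "updateUser", "grantRolesToUser",
})

# Constructed sample lines; they are not real Amazon DocumentDB output.
SAMPLE_AUDIT_LINES = [
    '{"atype":"authenticate","ts":"2025-11-20T10:00:01Z","remote_ip":"10.0.1.10",'
    '"user":"app_ro","param":{"user":"app_ro","mechanism":"SCRAM-SHA-1","success":true}}',
    '{"atype":"authenticate","ts":"2025-11-20T10:00:05Z","remote_ip":"10.0.2.20",'
    '"user":"arn:aws:iam::123456789012:role/OrderService","param":{"user":'
    '"arn:aws:iam::123456789012:role/OrderService","mechanism":"MONGODB-AWS","success":true}}',
    '{"atype":"authenticate","ts":"2025-11-20T10:01:10Z","remote_ip":"203.0.113.5",'
    '"user":"admin","param":{"user":"admin","mechanism":"SCRAM-SHA-1","success":false,"error":18}}',
    '{"atype":"authenticate","ts":"2025-11-20T10:01:12Z","remote_ip":"203.0.113.5",'
    '"user":"admin","param":{"user":"admin","mechanism":"SCRAM-SHA-1","success":false,"error":18}}',
    '{"atype":"authenticate","ts":"2025-11-20T10:01:15Z","remote_ip":"203.0.113.5",'
    '"user":"admin","param":{"user":"admin","mechanism":"SCRAM-SHA-1","success":false,"error":18}}',
    '{"atype":"dropCollection","ts":"2025-11-20T10:02:00Z","remote_ip":"10.0.1.10",'
    '"user":"admin","param":{"ns":"orders.customers"}}',
    'this line is not JSON and must be skipped, not crash the job',
    '{"atype":"grantRolesToUser","ts":"2025-11-20T10:03:00Z","remote_ip":"10.0.2.20",'
    '"user":"arn:aws:iam::123456789012:role/OrderService","param":{"user":"app_ro",'
    '"roles":[{"role":"root","db":"admin"}]}}',
]


def parse_audit_lines(lines: Iterable[str]) -> List[Dict]:
    """Parse one JSON audit event per line; malformed lines are dropped so a
    single bad record cannot stall a scheduled triage run."""
    events: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            events.append(event)
    return events


def mechanism(event: Dict) -> Optional[str]:
    """Return param.mechanism, the path the article's CloudWatch filter tests."""
    param = event.get("param")
    return param.get("mechanism") if isinstance(param, dict) else None


def iam_auth_events(events: Iterable[Dict]) -> List[Dict]:
    """Same selection as { $.param.mechanism = "MONGODB-AWS" }: IAM logins."""
    return [e for e in events if mechanism(e) == "MONGODB-AWS"]


def failed_auth_by_ip(events: Iterable[Dict]) -> Counter:
    """Count failed authentication attempts per source address
    (param.success is an assumed field)."""
    counts: Counter = Counter()
    for e in events:
        param = e.get("param")
        if e.get("atype") != "authenticate" or not isinstance(param, dict):
            continue
        if param.get("success") is False:
            counts[e.get("remote_ip", "unknown")] += 1
    return counts


def ddl_events(events: Iterable[Dict]) -> List[Dict]:
    """Schema- and user-changing events worth a second look in review."""
    return [e for e in events if e.get("atype") in DDL_ATYPES]


def triage(lines: Iterable[str], failure_threshold: int = 3) -> Dict:
    """Summarise a batch of audit lines: IAM logins, sources at or above the
    failed-auth threshold, and DDL activity with the acting user."""
    events = parse_audit_lines(lines)
    failures = failed_auth_by_ip(events)
    return {
        "events": len(events),
        "iam_logins": [e.get("user") for e in iam_auth_events(events)],
        "failed_auth_sources": {ip: n for ip, n in failures.items()
                                if n >= failure_threshold},
        "ddl": [(e.get("atype"), e.get("user")) for e in ddl_events(events)],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_AUDIT_LINES), indent=2))
```

Exported CloudWatch Logs lines can be fed to triage() in place of the constructed sample once the field names have been checked against a real event.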