chore(mongodbatlas): enhance metadata for clusters service (#9657)
Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
committed by
GitHub
parent
d5827f3e83
commit
cc02c6f880
@@ -18,6 +18,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
||||
- Update Kubernetes RBAC service metadata to new format [(#9678)](https://github.com/prowler-cloud/prowler/pull/9678)
|
||||
- Update Kubernetes Scheduler service metadata to new format [(#9679)](https://github.com/prowler-cloud/prowler/pull/9679)
|
||||
- Update MongoDB Atlas Organizations service metadata to new format [(#9658)](https://github.com/prowler-cloud/prowler/pull/9658)
|
||||
- Update MongoDB Atlas clusters service metadata to new format [(#9657)](https://github.com/prowler-cloud/prowler/pull/9657)
|
||||
|
||||
---
|
||||
|
||||
|
||||
@@ -1,30 +1,38 @@
|
||||
{
|
||||
"Provider": "mongodbatlas",
|
||||
"CheckID": "clusters_authentication_enabled",
|
||||
"CheckTitle": "Ensure MongoDB Atlas clusters have authentication enabled",
|
||||
"CheckTitle": "Cluster has authentication enabled",
|
||||
"CheckType": [],
|
||||
"ServiceName": "clusters",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "MongoDBAtlasCluster",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "NotDefined",
|
||||
"ResourceGroup": "database",
|
||||
"Description": "Ensure MongoDB Atlas clusters have authentication enabled to prevent unauthorized access",
|
||||
"Risk": "Without authentication enabled, MongoDB Atlas clusters may be vulnerable to unauthorized access, potentially exposing sensitive data or allowing malicious actions",
|
||||
"Description": "**MongoDB Atlas clusters** enforce **database authentication** for client connections (`authEnabled`).\n\nIdentifies clusters where authentication is not required for access.",
|
||||
"Risk": "Without authentication, anyone with network reach can access the database, compromising **confidentiality** and **integrity**. Attackers can exfiltrate data, modify or delete records, and create backdoor users, leading to outages and data loss that impact **availability**.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.mongodb.com/docs/atlas/security/quick-start/",
|
||||
"https://www.mongodb.com/docs/atlas/security-ldaps-okta/",
|
||||
"https://www.mongodb.com/docs/atlas/security/config-db-auth/",
|
||||
"https://www.mongodb.com/docs/atlas/security-ldaps-onelogin/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "atlas dbusers create --username <USERNAME> --password <PASSWORD> --role readWriteAnyDatabase@admin --projectId <PROJECT_ID>",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.mongodb.com/docs/atlas/security/config-db-auth/",
|
||||
"Terraform": ""
|
||||
"Other": "1. In the Atlas UI, open your project and go to Security > Database Access\n2. Click Add New Database User\n3. Select Username/Password, enter a username and password\n4. Assign a role (e.g., readWriteAnyDatabase on admin)\n5. Click Add User to save\n\nThis creates a database user, enabling authentication for the cluster",
|
||||
"Terraform": "```hcl\n# Create a MongoDB Atlas database user to enable authentication\nresource \"mongodbatlas_database_user\" \"example_resource_name\" {\n project_id = \"<example_resource_id>\"\n username = \"<example_resource_name>\"\n password = \"<PASSWORD>\"\n auth_database_name = \"admin\" # Critical: SCRAM user on admin enables DB auth\n\n roles { # Minimal role assignment required to create the user\n role_name = \"readWriteAnyDatabase\"\n database_name = \"admin\"\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable authentication for MongoDB Atlas clusters by setting authEnabled to true in the cluster configuration.",
|
||||
"Url": "https://www.mongodb.com/docs/atlas/security/config-db-auth/"
|
||||
"Text": "Enable and enforce **database authentication** on all clusters.\n- Prefer strong methods (X.509, OIDC, AWS IAM) over static passwords\n- Grant **least privilege** roles and avoid shared accounts\n- Rotate credentials/keys\n- Combine with IP access lists or private endpoints for **defense in depth**",
|
||||
"Url": "https://hub.prowler.com/check/clusters_authentication_enabled"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
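Review bot: The remediation examples contradict the check's own Recommendation: the `CLI`, `Other` and `Terraform` entries all grant `readWriteAnyDatabase` on `admin` (the Terraform comment even calls it a "Minimal role assignment"), while the `Text` two keys later says to grant least-privilege roles. The CLI also passes `--password <PASSWORD>` on the command line, which ends up in shell history and process listings; dropping that flag so the Atlas CLI can prompt for it instead, e.g. `atlas dbusers create --username <USERNAME> --role <ROLE>@<DATABASE> --projectId <PROJECT_ID>`, and rewording the Terraform comment to `# Replace with the least-privilege role the application actually needs` would bring the examples in line with the guidance. Separately, `ResourceType` goes from `MongoDBAtlasCluster` to `NotDefined` here and in the backup, encryption-at-rest, TLS, auditing and network-access-list files; if that is intentional for the new format it deserves a line in the commit description, since it drops a typed resource the old metadata carried.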
|
||||
|
||||
@@ -1,30 +1,38 @@
|
||||
{
|
||||
"Provider": "mongodbatlas",
|
||||
"CheckID": "clusters_backup_enabled",
|
||||
"CheckTitle": "Ensure MongoDB Atlas clusters have backup enabled",
|
||||
"CheckTitle": "Cluster has backup enabled",
|
||||
"CheckType": [],
|
||||
"ServiceName": "clusters",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "MongoDBAtlasCluster",
|
||||
"ResourceType": "NotDefined",
|
||||
"ResourceGroup": "database",
|
||||
"Description": "Ensure MongoDB Atlas clusters have backup enabled to protect against data loss",
|
||||
"Risk": "Without backup enabled, MongoDB Atlas clusters are vulnerable to data loss in case of failures, corruption, or accidental deletion",
|
||||
"Description": "**MongoDB Atlas clusters** have **automated backups** enabled (`cloudBackup`/`backup_enabled`) to generate snapshots and support restore operations",
|
||||
"Risk": "Without **backups**, deleted or corrupted records are irrecoverable, undermining **integrity**. Failures or bad deployments can cause prolonged **unavailability** with no restore path. Lacking **point-in-time recovery** prevents precise rollbacks, amplifying the blast radius of mistakes or ransomware.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://mongodb.prakticum-team.ru/docs/atlas/recover-pit-continuous-cloud-backup/",
|
||||
"https://mongodb.prakticum-team.ru/docs/atlas/backup/cloud-backup/dedicated-cluster-backup/",
|
||||
"https://www.mongodb.com/docs/atlas/cli/v1.38/command/atlas-backups-compliancepolicy-pointintimerestores-enable/",
|
||||
"https://www.mongodb.com/docs/atlas/backup-restore-cluster/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "curl -sS -u \"<PUBLIC_KEY>:<PRIVATE_KEY>\" --digest -H \"Content-Type: application/json\" -X PATCH \"https://cloud.mongodb.com/api/atlas/v1.0/groups/<PROJECT_ID>/clusters/<CLUSTER_NAME>\" --data '{\"cloudBackup\":true}'",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. Sign in to MongoDB Atlas and open your project\n2. Go to Database > Clusters\n3. For the target cluster, click the three dots (...) > Edit Configuration\n4. Under Additional Settings, toggle Cloud Backup to On\n5. Click Save Changes",
|
||||
"Terraform": "```hcl\nresource \"mongodbatlas_cluster\" \"<example_resource_name>\" {\n project_id = \"<example_resource_id>\"\n name = \"<example_resource_name>\"\n\n cloud_backup = true # Critical: enables Cloud Backups so the check passes\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable backup for MongoDB Atlas clusters by setting backupEnabled to true in the cluster configuration.",
|
||||
"Url": "https://www.mongodb.com/docs/atlas/backup-restore-cluster/"
|
||||
"Text": "Enable **Cloud Backups** on all production clusters and define backup schedules and retention that meet business **RPO/RTO**. For critical data, enable **point-in-time recovery**. Apply **least privilege** and **separation of duties** to backup access, protect against deletion with policy, monitor backup health, and perform regular test restores.",
|
||||
"Url": "https://hub.prowler.com/check/clusters_backup_enabled"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"resilience"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
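Review bot: Two of the four `AdditionalURLs` point at `mongodb.prakticum-team.ru`, a third-party mirror, rather than the official `www.mongodb.com/docs/atlas/` host used by the other two entries and by every other file in this commit; check metadata is surfaced to users as remediation guidance, so it should only link to the vendor's own documentation (the same paths appear to exist under the official host). The `Terraform` snippet also uses `"<example_resource_name>"` as the resource label, which is not a valid HCL identifier because of the angle brackets; the authentication file's snippet uses the bare `example_resource_name`, and the encryption-at-rest file repeats the bracketed form. The `CLI` targets `/api/atlas/v1.0/` while the equivalent PATCH in the TLS file targets `v1.5`; if both are accepted it is still worth settling on one API version for the service's examples.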
|
||||
|
||||
@@ -1,30 +1,35 @@
|
||||
{
|
||||
"Provider": "mongodbatlas",
|
||||
"CheckID": "clusters_encryption_at_rest_enabled",
|
||||
"CheckTitle": "Ensure MongoDB Atlas clusters have encryption at rest enabled",
|
||||
"CheckTitle": "Cluster has encryption at rest enabled with a supported provider or EBS volume encryption",
|
||||
"CheckType": [],
|
||||
"ServiceName": "clusters",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "MongoDBAtlasCluster",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "NotDefined",
|
||||
"ResourceGroup": "database",
|
||||
"Description": "Ensure that MongoDB Atlas clusters have encryption at rest enabled to protect data stored on disk. Encryption at rest provides an additional layer of security by encrypting data before it's written to storage, protecting against unauthorized access to the underlying storage media.",
|
||||
"Risk": "If encryption at rest is not enabled on MongoDB Atlas clusters, sensitive data stored in the database is vulnerable to unauthorized access if the underlying storage is compromised. This could lead to data breaches, compliance violations, and exposure of sensitive information.",
|
||||
"RelatedUrl": "https://www.mongodb.com/docs/atlas/security-kms-encryption/",
|
||||
"Description": "**MongoDB Atlas clusters** are evaluated for **encryption at rest**. The check looks for a supported encryption provider configured (not `NONE`) or storage-level encryption enabled (e.g., `encryptEBSVolume=true`). Unsupported providers or explicit disablement are highlighted.",
|
||||
"Risk": "Absent or misconfigured at-rest encryption allows disks and snapshots to be read if storage, backups, or images are accessed by attackers or insiders. This exposes sensitive records, erodes **confidentiality**, and enables quiet **data exfiltration** after host or control-plane compromise.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.mongodb.com/docs/atlas/security-kms-encryption/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In Atlas, go to Security > Advanced\n2. Toggle \"Encryption at Rest using your Key Management\" to On and enter your provider details (AWS KMS/Azure Key Vault/GCP KMS)\n3. Save\n4. Go to Database > Clusters, open the menu for <example_resource_name> and click Edit Configuration\n5. Expand Additional Settings and set \"Manage your own encryption keys\" to Yes\n6. Review Changes > Apply Changes",
|
||||
"Terraform": "```hcl\n# Enable project-level KMS\nresource \"mongodbatlas_encryption_at_rest\" \"<example_resource_name>\" {\n project_id = \"<example_resource_id>\"\n aws_kms_config {\n enabled = true # critical: turns on KMS for the project so clusters can use it\n customer_master_key_id = \"<KMS_KEY_ID>\"\n region = \"<AWS_REGION>\"\n role_id = \"<ATLAS_AWS_ROLE_ID>\"\n }\n}\n\n# Set the cluster to use a supported encryption provider\nresource \"mongodbatlas_advanced_cluster\" \"<example_resource_name>\" {\n project_id = \"<example_resource_id>\"\n name = \"<example_resource_name>\"\n cluster_type = \"REPLICASET\"\n encryption_at_rest_provider = \"AWS\" # critical: enables encryption at rest with a supported provider\n\n replication_specs {\n region_configs {\n provider_name = \"AWS\"\n region_name = \"<AWS_REGION>\"\n electable_specs {\n instance_size = \"M10\"\n node_count = 3\n }\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable encryption at rest for your MongoDB Atlas clusters. This can be configured when creating a new cluster or by modifying an existing cluster's settings. Choose an appropriate encryption provider (AWS KMS, Azure Key Vault, or Google Cloud KMS) based on your cloud provider and security requirements.",
|
||||
"Url": "https://www.mongodb.com/docs/atlas/security-kms-encryption/"
|
||||
"Text": "Enable **encryption at rest** with a supported provider and prefer **customer-managed keys** to control lifecycle and access. Apply least-privilege to key usage, restrict KMS connectivity, and monitor key health and rotation. If using AWS, also ensure volumes are encrypted. This enforces defense-in-depth and data confidentiality.",
|
||||
"Url": "https://hub.prowler.com/check/clusters_encryption_at_rest_enabled"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"encryption"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
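Review bot: The `Terraform` remediation declares `mongodbatlas_encryption_at_rest` and `mongodbatlas_advanced_cluster` with no reference between them, so Terraform may attempt to create the cluster with `encryption_at_rest_provider = "AWS"` before project-level KMS is enabled, even though the snippet's own comment says KMS is turned on "so clusters can use it"; adding `depends_on = [mongodbatlas_encryption_at_rest.<label>]` to the cluster resource, or taking `project_id` from the KMS resource, makes the ordering explicit. The `Other` steps and the Terraform cover only the customer-managed-key path, while the `CheckTitle` and `Description` also accept storage-level encryption (`encryptEBSVolume=true`); a sentence in `Other` stating which path the steps satisfy would help a reader pick the right one. `Severity` is raised from `high` to `critical` here and in the authentication file; that is a scoring change rather than a reformat and should be called out in the commit description.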
|
||||
|
||||
@@ -1,30 +1,37 @@
|
||||
{
|
||||
"Provider": "mongodbatlas",
|
||||
"CheckID": "clusters_tls_enabled",
|
||||
"CheckTitle": "Ensure MongoDB Atlas clusters have TLS authentication required",
|
||||
"CheckTitle": "Cluster has TLS authentication enabled",
|
||||
"CheckType": [],
|
||||
"ServiceName": "clusters",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "MongoDBAtlasCluster",
|
||||
"ResourceType": "NotDefined",
|
||||
"ResourceGroup": "database",
|
||||
"Description": "Ensure MongoDB Atlas clusters have TLS authentication required to secure data in transit",
|
||||
"Risk": "Without TLS enabled, MongoDB Atlas clusters are vulnerable to man-in-the-middle attacks and data interception during transmission",
|
||||
"Description": "**MongoDB Atlas clusters** require **TLS/SSL** for client connections to encrypt data in transit (`sslEnabled=true`).",
|
||||
"Risk": "Without enforced **TLS**, traffic can be intercepted or altered, degrading **confidentiality** and **integrity**.\n\nAttackers can run **man-in-the-middle** attacks, steal credentials or session tokens, and inject/replay queries, leading to unauthorized data access.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.mongodb.com/docs/atlas/setup-cluster-security/#encryption-in-transit",
|
||||
"https://www.mongodb.com/docs/compass/connect/advanced-connection-options/tls-ssl-connection/",
|
||||
"https://www.mongodb.com/docs/manual/tutorial/configure-ssl-clients/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "curl -u \"<PUBLIC_KEY>:<PRIVATE_KEY>\" --digest -H \"Content-Type: application/json\" -X PATCH \"https://cloud.mongodb.com/api/atlas/v1.5/groups/<PROJECT_ID>/clusters/<CLUSTER_NAME>\" --data '{\"sslEnabled\": true}'",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Other": "1. Sign in to MongoDB Atlas and open the target project\n2. Go to Project Settings > Security\n3. Set Minimum TLS Protocol Version to TLS 1.2 (or higher)\n4. Click Save",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable TLS for MongoDB Atlas clusters by setting sslEnabled to true in the cluster configuration.",
|
||||
"Url": "https://www.mongodb.com/docs/atlas/setup-cluster-security/#encryption-in-transit"
|
||||
"Text": "Enforce **TLS 1.2+** for all connections and keep it mandatory (`sslEnabled=true`).\n\nApply **zero trust** and **defense in depth**: use CA-signed certificates, disable `tlsInsecure` and similar bypasses, rotate certificates, and restrict access via private networking or trusted IP ranges.",
|
||||
"Url": "https://hub.prowler.com/check/clusters_tls_enabled"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"encryption"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
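Review bot: The `Other` remediation steps do not change the setting the check evaluates: the `Description` keys on the cluster's `sslEnabled=true`, but the steps set the project-level Minimum TLS Protocol Version, which raises the protocol floor without enabling TLS on a cluster that has it off. The manual path should either mirror the `CLI` entry two lines above (setting `sslEnabled` to true on the cluster) or, if the Atlas UI exposes no such toggle, say so and point to the CLI, keeping the TLS-version step as a hardening follow-up. Note also that this `CLI` uses `/api/atlas/v1.5/` whereas the backup file's PATCH uses `v1.0`.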
|
||||
|
||||
@@ -1,13 +1,13 @@
|
||||
{
|
||||
"Provider": "mongodbatlas",
|
||||
"CheckID": "projects_auditing_enabled",
|
||||
"CheckTitle": "MongoDB Atlas project has database auditing enabled",
|
||||
"CheckTitle": "Project has database auditing enabled",
|
||||
"CheckType": [],
|
||||
"ServiceName": "projects",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "MongoDBAtlasProject",
|
||||
"ResourceType": "NotDefined",
|
||||
"ResourceGroup": "governance",
|
||||
"Description": "**MongoDB Atlas projects** with **database auditing** capture database operations and administrative events. The evaluation looks for an active audit configuration and, *when present*, notes any configured `audit_filter` that scopes which events are recorded.",
|
||||
"Risk": "Without auditing, critical actions lack traceability, reducing **detectability** and impeding **forensics**. Attackers can mask unauthorized reads/writes and privilege changes, threatening data **confidentiality** and **integrity**, and weakening non-repudiation and incident response.",
|
||||
|
||||
@@ -1,13 +1,13 @@
|
||||
{
|
||||
"Provider": "mongodbatlas",
|
||||
"CheckID": "projects_network_access_list_exposed_to_internet",
|
||||
"CheckTitle": "MongoDB Atlas project network access list has entries and excludes 0.0.0.0/0, ::/0, 0.0.0.0, and ::",
|
||||
"CheckTitle": "Project network access list has entries and excludes 0.0.0.0/0, ::/0, 0.0.0.0, and ::",
|
||||
"CheckType": [],
|
||||
"ServiceName": "projects",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "MongoDBAtlasProject",
|
||||
"ResourceType": "NotDefined",
|
||||
"ResourceGroup": "governance",
|
||||
"Description": "**MongoDB Atlas project network access list** configuration is evaluated for entries that allow access from anywhere (`0.0.0.0/0`, `::/0`, `0.0.0.0`, `::`) or for missing access lists, instead of restricting connections to specific IPs or CIDRs.",
|
||||
"Risk": "Internet-wide access enables scanning, brute force, and credential stuffing against database endpoints. A successful compromise can cause data exfiltration (**confidentiality**), unauthorized writes or drops (**integrity**), and service disruption or lockout (**availability**).",
|
||||
|
||||