Expand Up @@ -17,6 +17,7 @@ Use the **awspricing** MCP server to get accurate cost estimates before generati
| Aurora PostgreSQL | `AmazonRDS` | Filter: `databaseEngine` = "Aurora PostgreSQL" |
| Aurora MySQL | `AmazonRDS` | Filter: `databaseEngine` = "Aurora MySQL" |
| RDS PostgreSQL | `AmazonRDS` | Filter: `databaseEngine` = "PostgreSQL" |
| DocumentDB | `AmazonDocDB` | MongoDB-compatible managed database |
| ALB | `AWSELB` | Application Load Balancer |
| S3 | `AmazonS3` | Storage and requests |
| CloudFront | `AmazonCloudFront` | CDN distribution |
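Review bot: the new DocumentDB row breaks the convention the sibling database rows follow in the third column: Aurora PostgreSQL, Aurora MySQL and RDS PostgreSQL each state the price-list filter to apply (`databaseEngine` = ...), while the DocumentDB row gives a description instead. If the `AmazonDocDB` price list mixes serverless DCU pricing with provisioned instance pricing (the next hunk quotes Standard and I/O-Optimized DCU rates separately), the row should name the filter that isolates the serverless rates, e.g. `| DocumentDB | AmazonDocDB | Filter: <attribute> = "<serverless value>" |`, so the estimate is reproducible the way the Aurora rows are.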
Expand Down Expand Up @@ -53,13 +54,35 @@ Aurora Serverless v2 charges per ACU-hour (Aurora Capacity Unit).

- ~$180-360/month depending on load

## DocumentDB Serverless Pricing

DocumentDB Serverless charges per DCU-hour (DocumentDB Capacity Unit),
storage (GB-month), and I/O (standard config only).

- Minimum: 0.5 DCU, scales in 0.5 DCU increments
- 1 DCU ≈ 2 GiB memory with corresponding CPU and networking
- Standard: $0.0822/DCU-hour, I/O-Optimized: $0.0905/DCU-hour (us-east-1)

**Dev estimate (0.5-2 DCU range, 10GB storage):**

- ~$35-120/month depending on usage patterns (scales to 0.5 DCU when idle)

**Production estimate (2-8 DCU range, 100GB storage, multi-AZ):**

- ~$130-400/month depending on load

## Quick Reference Estimates

**Small web app (Fargate + Aurora Serverless v2 + ALB):**

- Dev: ~$70-100/month
- Production: ~$200-400/month

**Small web app (Fargate + DocumentDB Serverless + ALB):**

- Dev: ~$70-155/month
- Production: ~$200-450/month

**Static site / SPA (Amplify Hosting):**

- Low traffic: ~$0-5/month (free tier covers most small sites)
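Review bot: the DocumentDB Serverless section (lines "DocumentDB Serverless charges per DCU-hour ... storage (GB-month), and I/O") names three billing dimensions but quotes a rate only for the first; the Dev and Production estimates then fold in 10GB and 100GB of storage (and, for Standard, I/O) that a reader cannot reproduce from the figures given. Either add the per-GB-month storage rate and the per-I/O rate for the same region, or state that the dollar ranges are compute-only plus an unquoted storage allowance. Minor checks against the visible numbers: the 0.5 DCU floor at $0.0822/DCU-hour is about $30/month of compute, so the ~$35 Dev lower bound is consistent, and the "(us-east-1)" caveat on the DCU rates should also be stated on the Quick Reference rows, which are otherwise region-less.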
10 changes: 10 additions & 0 deletions plugins/deploy-on-aws/skills/deploy/references/defaults.md
Expand Up @@ -34,6 +34,7 @@ Use `amplify_docs` topic in awsknowledge MCP for framework-specific guidance
| ----------------- | ---------------------- | ---------------------- | ------------------ |
| PostgreSQL | Aurora Serverless v2 | Aurora Serverless v2 | "simple RDS" → RDS |
| MySQL | Aurora Serverless v2 | Aurora Serverless v2 | "simple RDS" → RDS |
| DocumentDB / MongoDB | DocumentDB Serverless | DocumentDB Serverless | "provisioned" → DocumentDB provisioned |
| NoSQL / Key-Value | DynamoDB | DynamoDB | - |
| Redis / Caching | ElastiCache Serverless | ElastiCache Serverless | - |
| Full-text search | OpenSearch Serverless | OpenSearch Serverless | - |
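Review bot: the first column of this table is keyed on what the user asks for (PostgreSQL, MySQL, NoSQL / Key-Value, Redis / Caching), but the new row is keyed on "DocumentDB / MongoDB", i.e. the product name plus the engine, and it sits directly above "NoSQL / Key-Value → DynamoDB". A MongoDB request is also a NoSQL request, so the routing between the two rows should be unambiguous; suggest `| MongoDB / Document | DocumentDB Serverless | DocumentDB Serverless | "provisioned" → DocumentDB provisioned |` and, if the dashes are meant to align the columns as in the header row, widening the separator to match the new row.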
Expand All @@ -44,6 +45,15 @@ Scales to near-zero in dev (0.5 ACU minimum), scales up automatically for produc
Single choice works for both environments. Only use provisioned RDS if user has
specific cost constraints or compliance requirements.

### Why DocumentDB Serverless for MongoDB

DocumentDB Serverless is the on-demand, auto-scaling configuration of Amazon DocumentDB.
It dynamically adjusts capacity based on application demand so you only pay for what you
use. Ideal for dev/test, variable workloads, and new applications where capacity needs
are unknown. Compatible with MongoDB 3.6, 4.0, 5.0 and 8.0 APIs.
Use provisioned DocumentDB only when you have predictable, steady-state workloads
or specific compliance requirements that need fixed instance sizing.

## Storage

| Pattern | Default |
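Review bot: "so you only pay for what you use" overstates the model; the pricing reference in this same PR states a 0.5 DCU minimum and that dev "scales to 0.5 DCU when idle", so there is a non-zero floor. The Aurora paragraph just above ("Scales to near-zero in dev (0.5 ACU minimum)") qualifies the same claim correctly; mirror that here, e.g. "scales down to a 0.5 DCU minimum in dev", so the two "Why ... Serverless" sections make the same promise. The version list "3.6, 4.0, 5.0 and 8.0" is stated as fact with no source; if it comes from the awsknowledge MCP, say so, since it will age.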
5 changes: 5 additions & 0 deletions plugins/deploy-on-aws/skills/deploy/references/security.md
Expand Up @@ -25,6 +25,7 @@ Apply these patterns automatically when generating IaC:
| --------------- | --------------------------- | -------------------------- | ---------------- |
| S3 buckets | SSE-S3 (AES-256) | SSE-KMS (customer-managed) | "no encryption" |
| RDS/Aurora | Encrypted (AWS-managed key) | Encrypted (CMK) | - |
| DocumentDB | Encrypted (AWS-managed key) | Encrypted (CMK) | - |
| EBS volumes | Encrypted | Encrypted | - |
| ALB | TLS 1.2+ only | TLS 1.2+ only | - |
| Secrets Manager | AWS-managed key | CMK | - |
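Review bot: the new DocumentDB row covers encryption at rest only, and nothing in this table or the security-group hunk (which opens 27017 from the Fargate SG) says the connection itself must be TLS. The ALB row already uses this table to pin in-transit TLS ("TLS 1.2+ only"), so the same treatment is warranted here: unless TLS is enforced on the cluster, the MongoDB wire protocol on 27017 is plaintext inside the VPC. Suggest an additional row such as `| DocumentDB (in transit) | TLS required | TLS required | - |` so generated IaC does not leave it off.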
Expand Down Expand Up @@ -60,6 +61,7 @@ When serving static content via CloudFront:
| Fargate tasks | Private subnet + NAT Gateway | Private subnet + NAT Gateway |
| ALB | Public subnet | Public subnet |
| RDS/Aurora | Private subnet (no public IP) | Private subnet (no public IP) |
| DocumentDB | Private subnet (no public IP) | Private subnet (no public IP) |
| Lambda | VPC-attached if DB access needed | VPC-attached if DB access needed |

### Why private subnets for compute
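Review bot: placement matches the RDS/Aurora row, which is the right default, but "Private subnet" (singular) undersells what the pricing hunk in this PR already assumes for production ("multi-AZ"): a cluster spanning AZs needs private subnets in each of those AZs. Suggest "Private subnets (one per AZ, no public IP)" for the DocumentDB row, or a short line under "Why private subnets for compute" noting that the production multi-AZ estimate implies a multi-AZ subnet group.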
Expand Down Expand Up @@ -96,6 +98,7 @@ Consult `awsiac` MCP for IAM policy patterns by service.
| ALB | 443 from 0.0.0.0/0 | Fargate SG only |
| Fargate | ALB SG only (on app port) | 443 (HTTPS), DB SG |
| RDS/Aurora | Fargate SG only (on DB port) | None |
| DocumentDB | Fargate SG only (port 27017) | None |
| Lambda (VPC) | None | 443, DB SG |

### Why deny-by-default
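Review bot: the new DocumentDB row inherits an inconsistency from the RDS/Aurora row it copies: the Lambda (VPC) row's outbound column lists "DB SG", but neither database row admits the Lambda SG inbound, so a VPC-attached Lambda following this table cannot reach either database. If the Lambda path is supported, the inbound cell should read "Fargate SG or Lambda SG (port 27017)"; if it is not, drop "DB SG" from the Lambda row. Also, the RDS row says "(on DB port)" while this row hard-codes 27017; either is fine, but keep one style.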
Expand Down Expand Up @@ -160,6 +163,7 @@ Before deployment, run available checks:
| ALB Access Logs | Disabled | Enabled (S3 destination) |
| Container logs | CloudWatch Logs | CloudWatch Logs |
| RDS/Aurora logs | Error log only | Error + slow query + audit |
| DocumentDB logs | Profiler (slow ops) | Profiler + audit |
| S3 Access Logs | Disabled | Enabled |

### Why minimal logging in dev
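Review bot: the row states what is collected but not where it goes, and for DocumentDB that matters: the production checklist later in this PR says "profiler + audit logs exported to CloudWatch Logs", which implies the export is a separate switch from enabling the profiler. As written, the dev column ("Profiler (slow ops)") can be read as satisfied by turning the profiler on without an export, leaving nothing retrievable. Suggest "Profiler (slow ops) → CloudWatch Logs" for dev and "Profiler + audit → CloudWatch Logs" for prod, matching the ALB row's "(S3 destination)" convention of naming the sink.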
Expand All @@ -176,6 +180,7 @@ When user requests "production" or "prod", additionally enable:
- [ ] ALB Access Logs
- [ ] S3 Access Logs
- [ ] RDS Performance Insights
- [ ] DocumentDB profiler + audit logs exported to CloudWatch Logs
- [ ] AWS WAF on ALB (if public-facing web app)
- [ ] GuardDuty (recommend, don't auto-enable)
- [ ] Run `checkov` or `cfn-nag` before deployment
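Review bot: the new checklist item does not match the production delta the logging table in this same file defines. The table already has the profiler on in dev and adds only audit logging for production, whereas this line reads as if both profiler and audit are new in prod. Suggest "DocumentDB audit logs (profiler already enabled in dev) exported to CloudWatch Logs" so the checklist and the table describe the same change, and so the CloudWatch Logs export, which the table does not mention, is clearly the part that must be added.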