What is MongoDB Security?
MongoDB is an open source NoSQL database system that stores and manages document-oriented data. You can use MongoDB for ad hoc queries, indexing, load balancing, data aggregation, and server-side JavaScript execution.
MongoDB is an enterprise-grade database that provides security features like authentication, access control, and encryption. We’ll cover these features and additional best practices for securing your MongoDB deployment.
MongoDB Security Features
1. MongoDB Authentication
Authentication is the process of validating the identity of an entity attempting to establish a connection. MongoDB supports several authentication mechanisms, including the following:
- SCRAM (default)
- x.509 Certificate Authentication
- LDAP proxy authentication
- Kerberos authentication
These mechanisms enable MongoDB to integrate into your existing authentication system and meet the requirements of different environments.
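As an added example (not code from the article), the snippet below shows how the default SCRAM mechanism is pinned when an account is created, and how an administrator can check existing accounts for the weaker SCRAM-SHA-1 variant. It is written for mongosh or Node; the usersInfo reply it inspects is a constructed sample, and the user, database and role names are made up.

```javascript
// Added example, not code from the article. It builds the createUser command
// for a SCRAM-SHA-256-only account and checks existing accounts for weaker
// settings. Runs under Node or mongosh; the usersInfo sample below is constructed.

// Command document for db.runCommand() on the database the user belongs to.
// Pinning mechanisms to SCRAM-SHA-256 means no SCRAM-SHA-1 credential is stored
// for the account, so a SHA-1 handshake cannot be negotiated for it.
function buildCreateUserCommand(username, password, roles) {
  if (!username || !password) throw new Error("username and password are required");
  if (!Array.isArray(roles) || roles.length === 0) throw new Error("grant at least one role");
  return {
    createUser: username,
    pwd: password,
    roles: roles,
    mechanisms: ["SCRAM-SHA-256"],
  };
}

// Take the result of db.runCommand({ usersInfo: 1 }) and report accounts that
// still accept SCRAM-SHA-1 or have no mechanism list recorded.
function auditUserMechanisms(usersInfo) {
  const findings = [];
  for (const u of usersInfo.users || []) {
    const name = `${u.user}@${u.db}`;
    const mechs = u.mechanisms || [];
    if (mechs.length === 0) {
      findings.push({ user: name, issue: "no authentication mechanism recorded" });
    } else if (mechs.includes("SCRAM-SHA-1")) {
      findings.push({ user: name, issue: "SCRAM-SHA-1 still allowed" });
    }
  }
  return findings;
}

// Constructed sample in the shape of a usersInfo reply (not real accounts).
const SAMPLE_USERS_INFO = {
  users: [
    { _id: "admin.ops", user: "ops", db: "admin",
      roles: [{ role: "clusterMonitor", db: "admin" }],
      mechanisms: ["SCRAM-SHA-256"] },
    { _id: "app.api", user: "api", db: "app",
      roles: [{ role: "readWrite", db: "app" }],
      mechanisms: ["SCRAM-SHA-1", "SCRAM-SHA-256"] },
  ],
  ok: 1,
};

// In mongosh the command would be sent with:
//   db.getSiblingDB("app").runCommand(
//     buildCreateUserCommand("api", "<password>", [{ role: "readWrite", db: "app" }]))
console.log(auditUserMechanisms(SAMPLE_USERS_INFO));
```

Against a live server, replace the constructed sample with `db.getSiblingDB("admin").runCommand({ usersInfo: 1 })`; any account the check reports can be re-pointed at SCRAM-SHA-256 with `updateUser` and the same `mechanisms` field.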
2. MongoDB Authorization
Authorization is the process of determining the specific permissions of the entity attempting to connect. MongoDB employs role-based access control (RBAC) to govern access. It enables granting each user one or more roles that determine their access to database resources and operations.
3. MongoDB Auditing
MongoDB Enterprise offers advanced auditing capabilities. It logs access to and actions executed against the database, capturing administrative (DDL) actions such as schema operations, authorization decisions, read and write (DML) operations, and authentication events.
Here are key features of MongoDB auditing:
- Construct and filter audit trails—you can apply this for operations against MongoDB, including DML, DCL, and DDL, without relying on third-party tools. For example, you can log and audit user identities that accessed specific documents and their changes to the database during the session.
- Configure MongoDB logging—you can define which actions MongoDB logs, or apply filters that capture specific users, roles, or events. You can write the audit log to several destinations in various formats, including the console, syslog, or a BSON or JSON file. You can load the file back into MongoDB and query it to identify relevant events.
Each MongoDB server writes its audit events to its own attached storage. Database administrators can use their existing tools to merge these events into a single audit log that offers a cluster-wide view of operations.
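The filter document and the offline triage below are an added example, not code from the article or from MongoDB. The filter has the shape `auditLog.filter` expects in mongod.conf (MongoDB Enterprise); the audit records it is run over are constructed to follow the documented audit message layout, and the addresses, users and namespaces in them are made up.

```javascript
// Added example, not code from the article. It shows an auditLog.filter
// document for MongoDB Enterprise and applies the same predicate offline to
// constructed JSON audit records, the way a responder triages an audit file.
// IPs, users and namespaces below are made up.

// Filter document for auditLog.filter in mongod.conf (written there as a JSON
// string): keep authentication events and schema or account changes.
const AUDIT_FILTER = {
  atype: {
    $in: ["authenticate", "createCollection", "dropCollection", "dropDatabase",
          "createUser", "dropUser", "grantRolesToUser"],
  },
};

// Evaluate the filter's $in predicate against one parsed audit record.
function matchesFilter(event, filter) {
  return filter.atype.$in.includes(event.atype);
}

// Constructed audit records following the documented message layout
// (atype, ts, remote, users, param, result). result 18 is AuthenticationFailed.
const SAMPLE_AUDIT_LOG = [
  '{"atype":"authenticate","ts":{"$date":"2024-01-10T08:00:01Z"},"remote":{"ip":"10.0.0.5","port":50210},"users":[],"param":{"user":"api","db":"app","mechanism":"SCRAM-SHA-256"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2024-01-10T08:00:03Z"},"remote":{"ip":"10.0.0.5","port":50211},"users":[],"param":{"user":"api","db":"app","mechanism":"SCRAM-SHA-256"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2024-01-10T08:00:09Z"},"remote":{"ip":"10.0.0.9","port":40022},"users":[],"param":{"user":"ops","db":"admin","mechanism":"SCRAM-SHA-256"},"result":0}',
  '{"atype":"createCollection","ts":{"$date":"2024-01-10T08:01:00Z"},"remote":{"ip":"10.0.0.9","port":40022},"users":[{"user":"ops","db":"admin"}],"param":{"ns":"app.orders"},"result":0}',
  '{"atype":"authCheck","ts":{"$date":"2024-01-10T08:01:30Z"},"remote":{"ip":"10.0.0.7","port":40100},"users":[{"user":"api","db":"app"}],"param":{"command":"find","ns":"app.orders"},"result":0}',
  '{"atype":"dropCollection","ts":{"$date":"2024-01-10T08:02:00Z"},"remote":{"ip":"10.0.0.7","port":40100},"users":[{"user":"api","db":"app"}],"param":{"ns":"app.orders_old"},"result":0}',
];

// Count failed logins per source address and list every retained change
// event with the acting user, skipping records the filter would drop.
function triageAuditLog(lines, filter) {
  const failedAuthBySource = {};
  const changes = [];
  for (const line of lines) {
    const ev = JSON.parse(line);
    if (!matchesFilter(ev, filter)) continue;
    if (ev.atype === "authenticate") {
      if (ev.result !== 0) {
        const ip = ev.remote.ip;
        failedAuthBySource[ip] = (failedAuthBySource[ip] || 0) + 1;
      }
      continue;
    }
    const actor = (ev.users || []).map((u) => `${u.user}@${u.db}`).join(",") || "<unauthenticated>";
    changes.push({ atype: ev.atype, actor, target: ev.param.ns || ev.param.user, at: ev.ts.$date });
  }
  return { failedAuthBySource, changes };
}

console.log(JSON.stringify(triageAuditLog(SAMPLE_AUDIT_LOG, AUDIT_FILTER), null, 2));
```

`JSON.stringify(AUDIT_FILTER)` produces the string to place under `auditLog.filter` in mongod.conf; for a real file, feed `triageAuditLog` the lines of the JSON audit log instead of the constructed sample. Note that the `authCheck` record is dropped by this filter; if read and write operations should be retained, add `authCheck` to the `$in` list.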
4. MongoDB Encryption
MongoDB lets administrators encrypt data in transit and data at rest in permanent storage and backup repositories. Users can encrypt data at the field level, protecting sensitive information from administrators and other legitimate users while data is used on the server.
5. Database Monitoring and Upgrading
Proactive monitoring of all components within an IT environment is key to achieving the visibility needed to ensure performance, availability, and security. It helps detect and fix potential flaws before they degrade the system’s performance. It also helps identify potential exploits in real time, reducing the impact of a security breach.
MongoDB ships with various tools, including mongostat and mongotop, that can be used to monitor your database. Here are additional tools that work with MongoDB:
- MongoDB Ops Manager—available with MongoDB Enterprise Advanced, provides comprehensive monitoring capabilities to run MongoDB on your infrastructure. It helps you easily monitor, secure, back up, and scale MongoDB.
- MongoDB Cloud Manager—this cloud-hosted management tool for MongoDB offers capabilities similar to those of Ops Manager, including charts, custom dashboards, and automated alerting.
Ops Manager and Cloud Manager can track over 100 database and system health metrics, including replication status, CPU and memory utilization, operation counters, open connections, node status, and queues. Additionally, Cloud Manager sends alerts when a host is exposed to the Internet.
MongoDB Security Best Practices
6. Create Separate Security Credentials
To enable authentication, create login credentials for each user or process that accesses MongoDB. If multiple users need administrative access to the database, avoid sharing credentials: a shared account increases the risk of compromise and makes it impossible to attribute administrative actions to an individual. Issue unique credentials to everyone and assign permissions based on roles.
7. Use Role-Based Access Control
Instead of granting authorizations to individual users, associate authorizations with roles such as application server manager, database administrator, developer, and BI platform. MongoDB provides predefined roles such as dbAdmin, dbOwner, and clusterAdmin. These roles can be further customized to meet the needs of specific teams and functional areas.
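The following is an added example, not code from the article, illustrating the role-based model of section 2 and the best practice above: a custom role scoped to a single collection, beside a check that flags role definitions (in the shape returned by the `rolesInfo` command with `showPrivileges: true`) that grant far more than a team-scoped role should. The role, database and collection names are made up, and the two role documents are constructed.

```javascript
// Added example, not code from the article. It defines a collection-scoped
// custom role and inspects role definitions (as returned by the rolesInfo
// command with showPrivileges: true) for grants wider than least privilege.
// Database, collection and role names are made up.

// createRole command document: holders may only perform the listed actions on
// one collection. Run with db.getSiblingDB(dbName).runCommand(...) in mongosh.
function buildCreateRoleCommand(roleName, dbName, collName, actions) {
  return {
    createRole: roleName,
    privileges: [{ resource: { db: dbName, collection: collName }, actions: actions }],
    roles: [],
  };
}

// Privilege actions that amount to server or account control.
const BROAD_ACTIONS = new Set([
  "anyAction", "internal", "grantRole", "revokeRole", "createUser", "dropUser",
  "dropDatabase", "shutdown", "setParameter",
]);

// Built-in roles that carry database-wide or cluster-wide authority.
const ADMIN_ROLES = new Set([
  "root", "userAdminAnyDatabase", "dbAdminAnyDatabase", "readWriteAnyDatabase",
  "clusterAdmin", "dbOwner", "userAdmin",
]);

// Return the reasons a role is wider than a team-scoped role should be;
// an empty list means nothing broad was found.
function findBroadGrants(roleDoc) {
  const reasons = [];
  for (const p of roleDoc.privileges || []) {
    const r = p.resource || {};
    if (r.anyResource === true) reasons.push("resource: anyResource");
    else if (r.cluster === true) reasons.push("resource: cluster");
    else if (r.db === "" && r.collection === "") reasons.push("resource: every database and collection");
    for (const a of p.actions || []) {
      if (BROAD_ACTIONS.has(a)) reasons.push(`action: ${a}`);
    }
  }
  for (const inherited of roleDoc.roles || []) {
    if (ADMIN_ROLES.has(inherited.role)) reasons.push(`inherits: ${inherited.role}@${inherited.db}`);
  }
  return reasons;
}

// Constructed role documents: one scoped to app.orders, one that quietly
// grants everything through a wildcard resource and an inherited dbOwner.
const ORDERS_ROLE = buildCreateRoleCommand("ordersWriter", "app", "orders", ["find", "insert"]);
const OVERBROAD_ROLE = {
  role: "reportingHelper", db: "app",
  privileges: [{ resource: { db: "", collection: "" }, actions: ["find", "anyAction"] }],
  roles: [{ role: "dbOwner", db: "app" }],
};

console.log(findBroadGrants(ORDERS_ROLE));    // []
console.log(findBroadGrants(OVERBROAD_ROLE));
```

On a live deployment, `db.getSiblingDB("admin").runCommand({ rolesInfo: 1, showPrivileges: true, showBuiltinRoles: false })` returns the custom roles in this shape, so the check can be run over every role in one pass. The lists of broad actions and administrative roles are the author's selection for this example, not an exhaustive catalogue.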
8. Encrypt Your Data
If a data breach occurs, unauthorized users will gain access to your data. Encrypting data reduces the damage in case of a data breach by making sensitive data unreadable by anyone without a decryption key. In MongoDB, encryption can be applied in several ways:
- Encrypting data at rest—encrypt your data where it is stored. Encryption at rest is not available in MongoDB Community Edition, but is offered in MongoDB Enterprise or the MongoDB Atlas managed service.
- Encrypting data in transit—all data in transit in MongoDB is encrypted using SSL/TLS by default.
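To make the two encryption layers above concrete, here is an added example (not code from the article or from MongoDB) that renders the `security` and `net.tls` sections of a mongod.conf for a server that requires TLS and, on MongoDB Enterprise, enables encryption at rest with a local key file, and that checks a client connection string for options that switch TLS off or disable certificate validation. The file paths are placeholders.

```javascript
// Added example, not code from the article. It renders the mongod.conf
// sections that enforce authorization, TLS and (Enterprise only) at-rest
// encryption, and checks a client URI for options that weaken transport
// security. Paths are placeholders.

// Render YAML for mongod.conf. encryptionKeyFile is optional because
// security.enableEncryption / security.encryptionKeyFile exist only in
// MongoDB Enterprise; net.tls.mode requireTLS refuses unencrypted clients.
function renderSecurityConf(opts) {
  if (!opts.certificateKeyFile || !opts.caFile) {
    throw new Error("certificateKeyFile and caFile are required for requireTLS");
  }
  const lines = ["security:", "  authorization: enabled"];
  if (opts.encryptionKeyFile) {
    lines.push("  enableEncryption: true");
    lines.push(`  encryptionKeyFile: ${opts.encryptionKeyFile}`);
  }
  lines.push(
    "net:",
    "  tls:",
    "    mode: requireTLS",
    `    certificateKeyFile: ${opts.certificateKeyFile}`,
    `    CAFile: ${opts.caFile}`,
  );
  return lines.join("\n") + "\n";
}

// Inspect a mongodb:// or mongodb+srv:// URI and list options that disable
// TLS or skip validation of the server's certificate. mongodb+srv:// URIs
// default to TLS, so a missing tls option is only reported for mongodb://.
function checkConnectionUri(uri) {
  const problems = [];
  const qIdx = uri.indexOf("?");
  const params = new URLSearchParams(qIdx === -1 ? "" : uri.slice(qIdx + 1));
  const tlsRequested = params.has("tls") || params.has("ssl");
  if (params.get("tls") === "false" || params.get("ssl") === "false") {
    problems.push("tls disabled");
  } else if (!tlsRequested && !uri.startsWith("mongodb+srv://")) {
    problems.push("tls not requested");
  }
  if (params.get("tlsAllowInvalidCertificates") === "true") problems.push("server certificate not validated");
  if (params.get("tlsAllowInvalidHostnames") === "true") problems.push("hostname not validated");
  if (params.get("tlsInsecure") === "true") problems.push("tlsInsecure set");
  return problems;
}

console.log(renderSecurityConf({
  certificateKeyFile: "/etc/ssl/mongodb.pem",   // placeholder path
  caFile: "/etc/ssl/ca.pem",                     // placeholder path
  encryptionKeyFile: "/etc/mongodb-keyfile",     // placeholder path, Enterprise only
}));
console.log(checkConnectionUri("mongodb://db1.example:27017/app?tls=true&tlsAllowInvalidCertificates=true"));
```

The URI check is useful in a pre-deployment review of application settings: a string that passes still has to be validated against the CA the server actually presents, which the driver does once `tls=true` is set without any of the `tlsAllow*` or `tlsInsecure` overrides.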
9. Use the Official MongoDB Packages
All popular Linux distributions carry MongoDB packages in their repositories, making it easy to install MongoDB. However, you need to make sure that the package is an official MongoDB package and has passed stability checks. You also need to make sure that the community maintaining your operating system's repository is up to date with the latest MongoDB security updates.
For these reasons, MongoDB recommends using its official package repositories instead of the repositories of individual operating system distributions.
10. Auditing and Logs
An audit trail tracks who made changes to your database configuration and when. Through its auditing framework, MongoDB Enterprise provides a complete audit trail of administrative actions.
11. Apply MongoDB Security Fixes
Attackers are constantly looking for new vulnerabilities in database systems. Therefore, it is important to keep track of the security updates and bug fixes released by MongoDB maintainers. See MongoDB’s dedicated alerts page, which announces new security vulnerabilities and their fixes as they are published.
If you are using the official package repositories, you’ll have access to security releases as soon as they are published. This helps keep patches up to date and avoids accumulating technical debt.
MongoDB Security with Satori
Satori’s data security platform enables streamlined access to data in MongoDB by automating access controls and security. With Satori, you can enable just-in-time access to MongoDB and have a unified place to store all logs and manage access control.