Guide: MongoDB Security

11 MongoDB Security Features and Best Practices

What is MongoDB Security?

MongoDB is an open source NoSQL database system that stores and manages document-oriented data. You can use MongoDB for ad hoc queries, indexing, load balancing, data aggregation, and server-side JavaScript execution. 

MongoDB is an enterprise-grade database that provides security features like authentication, access control, and encryption. We’ll cover these features and additional best practices for securing your MongoDB deployment.

In this article:

MongoDB Security Features

1. MongoDB Authentication

Authentication is the process of validating the identity of an entity attempting to establish a connection. MongoDB supports several authentication mechanisms, including the following:

 

  • SCRAM (default)
  • x.509 Certificate Authentication
  • LDAP proxy authentication
  • Kerberos authentication

 

These mechanisms enable MongoDB to integrate into your existing authentication system and meet the requirements of different environments.

 

Learn more in our detailed guide to MongoDB authentication

2. MongoDB Authorization

Authorization is the process of determining the specific permissions of the entity attempting to connect. MongoDB employs role-based access control (RBAC) to govern access. It enables granting each user one or more roles that determine their access to database resources and operations.

 

Learn more in our detailed guide to MongoDB authorization

3. MongoDB Auditing

MongoDB Enterprise offers advanced auditing capabilities. It logs access and actions executed against the database and captures administrative actions (DDL), including schema operations, authorization, read and write (DML) operations, and authentication. 

 

Here are key features of MongoDB auditing: 

 

  • Construct and filter audit trails—you can apply this for operations against MongoDB, including DML, DCL, and DDL, without relying on third-party tools. For example, you can log and audit user identities that accessed specific documents and their changes to the database during the session.
  • Configure MongoDB logging—you can define MongoDB to log actions or apply filters that capture specific users, roles, or events. You can write the audit log to multiple destinations in various formats, including the console and syslog and a BSON or JSON file. You can load it to MongoDB and analyze it to identify relevant events.

 

A MongoDB server writes events to the attached storage. Database administrators can use their existing tools to merge these events into a single audit log offering a cluster-wide view of operations.

4. MongoDB Encryption

MongoDB lets administrators encrypt data in transit and data at rest in permanent storage and backup repositories. Users can encrypt data at the field level, protecting sensitive information from administrators and other legitimate users while data is used on the server.

Learn more in our detailed guide to MongoDB encryption

5. Database Monitoring and Upgrading

Proactive monitoring of all components within an IT environment is key to achieving the visibility needed to ensure performance, availability, and security. It helps detect and fix potential flaws before they negatively impact the system’s performance. It also helps identify potential exploits in real-time to reduce the impact of a security breach. 

 

MongoDB ships with various tools, including mongostat and mongotop, that can be used to monitor your database. Here are additional tools that work with MongoDB:

 

  • MongoDB Ops Manager—available with MongoDB Enterprise Advanced, provides comprehensive monitoring capabilities to run MongoDB on your infrastructure. It helps you easily monitor, secure, back up, and scale MongoDB.
  • MongoDB Cloud Manager—this cloud-hosted management tool for MongoDB offers similar capabilities to those offered by Ops Manager, including featuring charts, custom dashboards, and automated alerting. 

 

Ops and Cloud Manager can track over 100 database and systems health metrics, including replication status, CPU and memory utilization, operations counters, open connections, node status, and queues. Additionally, Cloud Manager sends alerts when a host is exposed to the Internet.

 

Learn more in our detailed guide to MongoDB monitoring

MongoDB Security Best Practices

6. Create Separate Security Credentials

To enable authentication, create login credentials for each user or process that accesses MongoDB. In case multiple users need administrative access to the database, avoid sharing credentials, because this increases the risk of account compromise and makes it difficult to monitor administrative access. Issue unique credentials to everyone and assign permissions based on roles.

7. Use Role-Based Access Control

Instead of granting authorizations to individual users, associate authorizations with roles such as application server manager, database administrator, developer, and BI platform. MongoDB provides predefined roles such as dbAdmin, dbOwner, and clusterAdmin. These roles can be further customized to meet the needs of specific teams and functional areas.

8. Encrypt Your Data

If a data breach occurs, unauthorized users will gain access to your data. Encrypting data reduces the damage in case of a data breach by making sensitive data unreadable by anyone without a decryption key. In MongoDB, encryption can be applied in several ways:

 

  • Encrypting data at rest—encrypt your data where it is stored. Encryption at rest is not available in MongoDB Community Edition, but is offered in MongoDB Enterprise or the MongoDB Atlas managed service.
  • Encrypting data in transit—all data in transit in MongoDB is encrypted using SSL/TLS by default.

9. Use the Official MongoDB Packages

All popular Linux distributions have MongoDB packages in their respective repositories, making it easy to install MongoDB. However, you need to make sure that the package is an official MongoDB package and has passed stability checks. In addition, you need to make sure that the community maintaining your operating system repo are up to date with the latest MongoDB security updates.

 

For these reasons, MongoDB recommends using their official package repositories instead of repositories specific to operating system distributions.

10. Auditing and Logs

An audit trail tracks who made changes to your database configuration and when. Through its auditing framework, MongoDB Enterprise provides a complete audit trail of administrative actions.

11. Apply MongoDB Security Fixes

Attackers are constantly looking for new vulnerabilities in database systems. Therefore, it is important to keep track of security updates and bug fixes released by MongoDB maintainers.  See MongoDB’s dedicated alerts page which immediately notifies about new security vulnerabilities and fixes.

 

If you are using the official package repositories, you’ll immediately have access to security releases. This is important to keep patches up-to-date and avoid technical debt.

MongoDB Security with Satori

To learn more about how Satori helps secure your cloud data, go here. MongoDB support is coming soon, and we’d love to understand your needs.