MongoDB is a popular NoSQL database that provides many features for developers to build modern applications. As with any other database, however, you need to secure your MongoDB installation to protect sensitive data and prevent unauthorized access. In this tutorial, we will go through a security checklist that will help you secure your MongoDB deployment.
Pre-production Checklist/Considerations
Enable Access Control and Enforce Authentication
The first step to securing your MongoDB installation is to enable access control and specify an authentication mechanism. MongoDB supports several authentication mechanisms that clients can use to verify their identity, including SCRAM, x.509 Certificate Authentication, LDAP proxy authentication, and Kerberos authentication. You can enable access control and specify an authentication mechanism by following the instructions in the MongoDB documentation.
Configure Role-Based Access Control
Create a user administrator first, then create additional users. Create a unique MongoDB user for each person/application that accesses the system. Follow the principle of least privilege, create roles that define the exact access rights required by a set of users, and then create users and assign them only the roles they need to perform their operations. You can create roles and manage users and roles by following the instructions in the MongoDB documentation.
Encrypt Communication (TLS/SSL)
Configure MongoDB to use TLS/SSL for all incoming and outgoing connections. Use TLS/SSL to encrypt communication between mongod and mongos components of a MongoDB deployment as well as between all applications and MongoDB. You can configure MongoDB to use TLS/SSL by following the instructions in the MongoDB documentation.
Encrypt and Protect Data
You can encrypt data in the storage layer with the WiredTiger storage engine's native Encryption at Rest. If you are not using WiredTiger's encryption at rest, MongoDB data should be encrypted on each host using file-system, device, or physical encryption. You should also protect MongoDB data using file-system permissions. MongoDB data includes data files, configuration files, auditing logs, and key files. You can use Queryable Encryption or Client-Side Field Level Encryption to encrypt fields in documents application-side prior to transmitting data over the wire to the server. Collect logs to a central log store. These logs contain database authentication attempts including source IP addresses.
Limit Network Exposure
Ensure that MongoDB runs in a trusted network environment and configure firewalls or security groups to control inbound and outbound traffic for your MongoDB instances. Disable direct SSH root access. Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available.
Audit System Activity
Track access and changes to database configurations and data. MongoDB Enterprise includes a system auditing facility that can record system events (including user operations and connection events) on a MongoDB instance. These audit records permit forensic analysis and allow administrators to exercise proper controls. You can set up filters to record only specific events, such as authentication events.
Run MongoDB with a Dedicated User
Run MongoDB processes with a dedicated operating system user account. Ensure that the account has permissions to access data but no unnecessary permissions.
Run MongoDB with Secure Configuration Options
MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce, $where, $accumulator, and $function. If you do not use these operations, disable server-side scripting by using the --noscripting option. Keep input validation enabled. MongoDB enables input validation by default through the net.wireObjectCheck setting. This ensures that all documents stored by the mongod instance are valid BSON.
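The checklist items above (access control, TLS, encryption at rest, network exposure, auditing, server-side JavaScript, and wire object checking) map directly onto mongod.conf settings. The following script, an added example rather than MongoDB's own tooling, audits a parsed configuration against those items; the two sample configurations are constructed for illustration, and the setting names and defaults are the documented mongod.conf keys (security.javascriptEnabled: false is the configuration-file form of --noscripting).

```python
"""Audit a parsed mongod.conf (loaded into a dict) against the checklist items."""
from typing import Any, Callable

# (dotted setting path, predicate that returns True when the setting is acceptable, finding text)
# A missing setting is passed as None so each predicate can apply mongod's default.
CHECKS: list[tuple[str, Callable[[Any], bool], str]] = [
    ("security.authorization", lambda v: v == "enabled",
     "access control is off; set security.authorization: enabled and create users/roles"),
    ("net.tls.mode", lambda v: v == "requireTLS",
     "TLS is not required for all connections; set net.tls.mode: requireTLS"),
    ("security.enableEncryption", lambda v: v is True,
     "WiredTiger encryption at rest is off; enable it or encrypt the host's file system"),
    ("net.bindIp", lambda v: v is None or "0.0.0.0" not in str(v).split(","),
     "mongod listens on all interfaces; bind only to trusted interfaces"),
    ("net.bindIpAll", lambda v: not v,
     "net.bindIpAll exposes every interface; remove it"),
    ("security.javascriptEnabled", lambda v: v is False,
     "server-side JavaScript is enabled; set it to false if mapReduce/$where/$function are unused"),
    ("net.wireObjectCheck", lambda v: v is None or v is True,  # default is true
     "BSON input validation is disabled; remove net.wireObjectCheck: false"),
    ("auditLog.destination", lambda v: v in ("file", "syslog", "console"),
     "no audit log is configured (MongoDB Enterprise); set auditLog.destination"),
]


def lookup(config: dict, dotted: str) -> Any:
    """Return the value at a dotted path such as 'net.tls.mode', or None if absent."""
    node: Any = config
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit(config: dict) -> list[tuple[str, str]]:
    """Return (setting, finding) for every checklist item the configuration fails."""
    return [(path, text) for path, ok, text in CHECKS if not ok(lookup(config, path))]


# Constructed sample: a fresh install that only changed the bind address.
WEAK_CONF = {"net": {"port": 27017, "bindIp": "0.0.0.0"},
             "storage": {"dbPath": "/var/lib/mongodb"}}
# Constructed sample: the same host after applying the checklist.
HARDENED_CONF = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5", "wireObjectCheck": True,
            "tls": {"mode": "requireTLS", "certificateKeyFile": "/etc/ssl/mongod.pem"}},
    "security": {"authorization": "enabled", "enableEncryption": True, "javascriptEnabled": False},
    "auditLog": {"destination": "file", "format": "BSON", "path": "/var/log/mongodb/audit.bson"},
}

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(audit(conf))} finding(s)")
        for path, text in audit(conf):
            print(f"  {path}: {text}")
```

To audit a real file, load it with `yaml.safe_load(open("/etc/mongod.conf"))` (PyYAML) and pass the resulting dict to `audit()`.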
Request a Security Technical Implementation Guide (where applicable)
The Security Technical Implementation Guide (STIG) contains security guidelines for deployments within the United States Department of Defense. MongoDB Inc. provides its STIG upon request.
Consider Security Standards Compliance
For applications requiring HIPAA or PCI-DSS compliance, please refer to the MongoDB Security