Security Checklist

This document lists the security measures that you should implement to protect your MongoDB installation.

Enable Access Control and Enforce Authentication

Enable access control and specify the authentication mechanism. You can use the default MongoDB authentication mechanism or an existing external framework. Authentication requires that all clients and servers provide valid credentials before they can connect to the system. In clustered deployments, enable authentication for each MongoDB server.

See Authentication and Enable Access Control.

Configure Role-Based Access Control

Create a user administrator first, then create additional users. Create a unique MongoDB user for each person and application that accesses the system.

Create roles that define the exact access a set of users needs. Follow the principle of least privilege. Then create users and assign them only the roles they need to perform their operations. A user can be a person or a client application.

See Role-Based Access Control and Manage Users and Roles.
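The following mongosh script is an added example and is not part of the MongoDB documentation. It performs the three steps above in order (user administrator first, then a least-privilege role, then one user per application) and adds a review helper that flags any user holding a broad built-in role. The database name "inventory", the role "orderWriter" and the user names are illustrative assumptions; the db handle is passed as a parameter so the functions can be exercised off-line against a fake handle as well as under mongosh (load("rbac.js"); bootstrapRbac(db, { userAdmin: passwordPrompt(), orderService: passwordPrompt() })).

```javascript
// Added example, not from the MongoDB documentation. Bootstraps the RBAC
// layout the checklist describes: a user administrator first, then a
// least-privilege role, then one user per application. The db handle is a
// parameter so the same functions run under mongosh or against a fake.
// "inventory", "orderWriter" and the user names are illustrative assumptions.

const APP_DB = "inventory";
const APP_ROLE = "orderWriter";

// Built-in roles that grant access beyond a single application database.
// Any user holding one of these outside an approved admin list is a finding.
const BROAD_ROLES = new Set([
  "root", "__system", "userAdminAnyDatabase", "dbAdminAnyDatabase",
  "readAnyDatabase", "readWriteAnyDatabase", "clusterAdmin",
]);

// Exactly the actions the order service needs, on the collections it
// touches, and nothing else. roles: [] means the role inherits nothing.
function orderWriterRoleSpec() {
  return {
    role: APP_ROLE,
    privileges: [
      { resource: { db: APP_DB, collection: "orders" },
        actions: ["find", "insert", "update"] },
      { resource: { db: APP_DB, collection: "products" },
        actions: ["find"] },
    ],
    roles: [],
  };
}

// pwd: { userAdmin, orderService }. Under mongosh pass passwordPrompt()
// results rather than literals so secrets do not land in shell history.
function bootstrapRbac(db, pwd) {
  const admin = db.getSiblingDB("admin");
  // 1. User administrator: manages users and roles on every database but
  //    has no read or write access to application data.
  admin.createUser({
    user: "useradmin",
    pwd: pwd.userAdmin,
    roles: [{ role: "userAdminAnyDatabase", db: "admin" }],
  });
  // 2. A custom role scoped to the application database.
  const app = db.getSiblingDB(APP_DB);
  app.createRole(orderWriterRoleSpec());
  // 3. One user per application, holding only that role.
  app.createUser({
    user: "order-service",
    pwd: pwd.orderService,
    roles: [{ role: APP_ROLE, db: APP_DB }],
  });
  return ["useradmin", "order-service"];
}

// Review helper: given the `users` array returned by
//   db.getSiblingDB("admin").runCommand({ usersInfo: { forAllDBs: true } })
// return every (user, role) pair that holds a broad built-in role without
// the user being on the approved list of administrator user names.
function reviewUsers(users, approvedAdmins) {
  const findings = [];
  for (const u of users) {
    for (const r of u.roles || []) {
      if (BROAD_ROLES.has(r.role) && !approvedAdmins.includes(u.user)) {
        findings.push({ user: u.user, db: u.db, role: r.role });
      }
    }
  }
  return findings;
}
```

Keep the custom role's privileges explicit rather than building it on readWrite: readWrite grants insert, update, remove and collection creation on every collection in the database, which is more than most services need.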

Encrypt Communication

Configure MongoDB to use TLS/SSL for all incoming and outgoing connections. Use TLS/SSL to encrypt communication between the mongod and mongos components of a MongoDB deployment as well as between all applications and MongoDB.

Starting in version 4.0, MongoDB uses the native TLS/SSL OS libraries:

Windows: Secure Channel (Schannel)
Linux/BSD: OpenSSL
macOS: Secure Transport

Note

Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.

See Configure mongod and mongos for TLS/SSL.

Encrypt and Protect Data

Starting with MongoDB Enterprise 3.2, the WiredTiger storage engine's native Encryption at Rest can be configured to encrypt data in the storage layer.

If you are not using WiredTiger's encryption at rest, MongoDB data should be encrypted on each host using file-system, device, or physical encryption. Protect MongoDB data using file-system permissions. MongoDB data includes data files, configuration files, auditing logs, and key files; the encryption key file in particular must be readable only by the operating system user that runs mongod.

Limit Network Exposure

Ensure that MongoDB runs in a trusted network environment and limit the interfaces on which MongoDB instances listen for incoming connections. Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available.

Note

Starting with MongoDB 3.6, the MongoDB binaries mongod and mongos bind to localhost by default. From MongoDB versions 2.6 to 3.4, only the binaries from the official MongoDB RPM (Red Hat, CentOS, Fedora Linux, and derivatives) and DEB (Debian, Ubuntu, and derivatives) packages bound to localhost by default; binaries installed any other way listened on all interfaces. To learn more about this change, see Localhost Binding Compatibility Changes.

See Network and Configuration Hardening and the bindIp setting.

Audit System Activity

Track access and changes to database configurations and data. MongoDB Enterprise includes a system auditing facility that can record system events (e.g. user operations, connection events) on a MongoDB instance. These audit records permit forensic analysis and allow administrators to verify proper controls.

See Auditing and Configure Auditing.

Run MongoDB with a Dedicated User

Run MongoDB processes with a dedicated operating system user account. Ensure that the account has permissions to access the data files, key files and logs it needs, but no unnecessary permissions; in particular, do not run mongod or mongos as root.

See Install MongoDB for more information on running MongoDB.

Run MongoDB with Secure Configuration Options

MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce and $where. If you do not use these operations, disable server-side scripting by using the --noscripting option on the command line (security.javascriptEnabled: false in the configuration file).

Use only the MongoDB wire protocol on production deployments. Do not enable the legacy HTTP interface or its REST endpoint.

Keep input validation enabled. MongoDB enables input validation by default through the wireObjectCheck setting. This ensures that all documents stored by the mongod instance are valid BSON.

See Network and Configuration Hardening for more information on hardening MongoDB configuration.
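The mongosh script below is an added example and is not part of the MongoDB documentation. It checks a running mongod or mongos against the configuration-level items of this checklist (access control, network exposure, TLS, encryption at rest, auditing, server-side scripting and wire object checks) by reading the `parsed` section of db.adminCommand({ getCmdLineOpts: 1 }), which mirrors the YAML configuration file. Run it under mongosh with auditRunningServer(db); auditParsedOptions() also works off-line on a captured options document. The two sample option documents at the bottom, including their file paths and the TLS1_0,TLS1_1 disabledProtocols choice, are constructed for illustration.

```javascript
// Added example, not from the MongoDB documentation. Audits the effective
// mongod/mongos options (the `parsed` document of getCmdLineOpts, which has
// the same keys as the YAML configuration file) against the checklist.
// The sample documents WEAK_OPTIONS and HARDENED_OPTIONS are constructed.

function auditParsedOptions(parsed) {
  const findings = [];
  const sec = parsed.security || {};
  const net = parsed.net || {};
  const tls = net.tls || net.ssl || {};   // net.ssl on releases before 4.2
  const audit = parsed.auditLog || {};

  // Enable Access Control and Enforce Authentication
  if (sec.authorization !== "enabled") {
    findings.push("security.authorization: not 'enabled'; any client that reaches the port has full access");
  }
  // Limit Network Exposure
  const bound = typeof net.bindIp === "string"
    ? net.bindIp.split(",").map((s) => s.trim()) : [];
  if (net.bindIpAll === true || bound.includes("0.0.0.0") || bound.includes("::")) {
    findings.push("net.bindIp: listening on all interfaces");
  } else if (bound.length === 0) {
    findings.push("net.bindIp: not set explicitly; relies on the version default (localhost from 3.6, all interfaces on older non-package builds)");
  }
  // Encrypt Communication
  if (tls.mode !== "requireTLS" && tls.mode !== "requireSSL") {
    findings.push("net.tls.mode: not 'requireTLS'; cleartext connections are accepted");
  } else if (!tls.CAFile) {
    findings.push("net.tls.CAFile: unset; peer and client certificates cannot be validated");
  }
  // Encrypt and Protect Data (Enterprise feature)
  if (sec.enableEncryption !== true) {
    findings.push("security.enableEncryption: off; data at rest depends on file-system or device encryption (Enterprise feature)");
  }
  // Audit System Activity (Enterprise feature)
  if (!audit.destination) {
    findings.push("auditLog.destination: unset; no audit trail (Enterprise feature)");
  }
  // Run MongoDB with Secure Configuration Options
  if (sec.javascriptEnabled !== false) {
    findings.push("security.javascriptEnabled: on; server-side JavaScript (mapReduce, $where) is allowed");
  }
  if (net.wireObjectCheck === false) {
    findings.push("net.wireObjectCheck: disabled; documents are stored without BSON validation");
  }
  return findings;
}

// Live check against the connected server; returns the list of findings.
function auditRunningServer(db) {
  const reply = db.adminCommand({ getCmdLineOpts: 1 });
  return auditParsedOptions(reply.parsed || {});
}

// Constructed sample: an instance started with only a data path and bindIpAll.
const WEAK_OPTIONS = {
  storage: { dbPath: "/var/lib/mongo" },
  net: { bindIpAll: true },
};

// Constructed sample: the hardened configuration. Paths are placeholders and
// disabling TLS 1.0 and 1.1 explicitly is this example's own choice.
const HARDENED_OPTIONS = {
  net: {
    bindIp: "127.0.0.1,10.0.0.12",
    tls: {
      mode: "requireTLS",
      certificateKeyFile: "/etc/ssl/mongod.pem",
      CAFile: "/etc/ssl/ca.pem",
      disabledProtocols: "TLS1_0,TLS1_1",
    },
    wireObjectCheck: true,
  },
  security: {
    authorization: "enabled",
    javascriptEnabled: false,
    enableEncryption: true,
    encryptionKeyFile: "/etc/mongod-keyfile",
  },
  auditLog: { destination: "file", format: "JSON", path: "/var/log/mongodb/audit.json" },
};
```

The two Enterprise checks report a finding on Community Server as well; treat those as a reminder that the compensating controls (file-system or device encryption, host-level logging) are then your responsibility rather than mongod's.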

Request a Security Technical Implementation Guide (where applicable)

The Security Technical Implementation Guide (STIG) contains security guidelines for deployments within the United States Department of Defense. MongoDB Inc. provides its STIG, upon request, for situations where it is required. Please request a copy for more information.

Consider Security Standards Compliance

For applications requiring HIPAA or PCI-DSS compliance, please refer to the MongoDB Security Reference Architecture to learn more about how you can use the key security capabilities to build compliant application infrastructure.