MongoDB Security Checklist

Enable Access Control and Enforce Authentication

Enable access control and specify the authentication mechanism. You can use the default MongoDB authentication mechanism or an existing external framework. Authentication requires that all clients and servers provide valid credentials before they can connect to the system. In clustered deployments, enable authentication for each MongoDB server.

See Authentication and Enable Auth.

Configure Role-Based Access Control

Create a user administrator first, then create additional users. Create a unique MongoDB user for each person and application that accesses the system.

Create roles that define the exact access a set of users needs. Follow a principle of least privilege. Then create users and assign them only the roles they need to perform their operations. A user can be a person or a client application.

See Role-Based Access Control and Manage Users and Roles.

Encrypt Communication

Configure MongoDB to use TLS/SSL for all incoming and outgoing connections. Use TLS/SSL to encrypt communication between mongod and mongos components of a MongoDB deployment as well as between all applications and MongoDB.

Starting in version 4.0, MongoDB uses the native TLS/SSL OS libraries:

Windows: Secure Channel (Schannel)
Linux/BSD: OpenSSL
macOS: Secure Transport

NOTE

Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.

See Configure mongod and mongos for TLS/SSL.

Encrypt and Protect Data

Starting with MongoDB Enterprise 3.2, the WiredTiger storage engine’s native Encryption at Rest can be configured to encrypt data in the storage layer.

If you are not using WiredTiger’s encryption at rest, MongoDB data should be encrypted on each host using file-system, device, or physical encryption. Protect MongoDB data using file-system permissions. MongoDB data includes data files, configuration files, auditing logs, and key files.

Limit Network Exposure

Ensure that MongoDB runs in a trusted network environment and limit the interfaces on which MongoDB instances listen for incoming connections. Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available.

NOTE

Starting with MongoDB 3.6, MongoDB binaries, mongod and mongos, bind to localhost by default. From MongoDB versions 2.6 to 3.4, only the binaries from the official MongoDB RPM (Red Hat, CentOS, Fedora Linux, and derivatives) and DEB (Debian, Ubuntu, and derivatives) packages would bind to localhost by default. To learn more about this change, see Localhost Binding Compatibility Changes.

See Security Hardening and the bindIp setting.

Audit System Activity

Track access and changes to database configurations and data. MongoDB Enterprise includes a system auditing facility that can record system events (e.g. user operations, connection events) on a MongoDB instance. These audit records permit forensic analysis and allow administrators to verify proper controls.

See Auditing and Configure Auditing.

Run MongoDB with a Dedicated User

Run MongoDB processes with a dedicated operating system user account. Ensure that the account has permissions to access data but no unnecessary permissions.

See Install MongoDB for more information on running MongoDB.

Run MongoDB with Secure Configuration Options

MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce, group, and $where. If you do not use these operations, disable server-side scripting by using the --noscripting option on the command line.

Use only the MongoDB wire protocol on production deployments.

Keep input validation enabled. MongoDB enables input validation by default through the wireObjectCheck setting. This ensures that all documents stored by the mongod instance are valid BSON.

See Security Hardening for more information on hardening MongoDB configuration.
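Several of the items above (bindIp, TLS mode, access control, --noscripting, wireObjectCheck, auditing) are visible in a deployment's mongod.conf, so they can be checked mechanically. The following Python is an added example, not MongoDB's own code: it assumes the mongod.conf key names shown in CHECKS (net.tls.* is the 4.2+ spelling; 4.0 uses net.ssl.*) and runs over two constructed sample configs.

```python
# Added example, not MongoDB's code: audit a mongod.conf against the checklist items.
# A tiny indentation-based parser handles the "section:\n  key: value" layout mongod.conf
# uses (no PyYAML); YAML lists/multi-line values are out of scope. Sample configs are constructed.

def parse_conf(text):  # -> {'net.bindIp': '127.0.0.1', ...}
    flat, stack = {}, []                      # stack: (indent, key) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent: stack.pop()  # a dedent closes nested sections
        path = ".".join([k for _, k in stack] + [key])
        if value.strip():
            flat[path] = value.strip().strip("'\"")
        else:
            stack.append((indent, key))
    return flat

CHECKS = [  # (mongod.conf setting, predicate on its string value, checklist item)
    ("security.authorization", lambda v: v == "enabled", "Enable Access Control"),
    ("net.bindIp", lambda v: not {a.strip() for a in v.split(",")} & {"0.0.0.0", "::"},
     "Limit Network Exposure"),  # unset bindIp means localhost-only (3.6+)
    ("net.tls.mode", lambda v: v == "requireTLS", "Encrypt Communication"),  # 4.2+ key names
    ("security.javascriptEnabled", lambda v: v == "false", "disable server-side scripting"),
    ("net.wireObjectCheck", lambda v: v != "false", "Keep input validation enabled"),
    ("auditLog.destination", lambda v: v != "", "Audit System Activity (Enterprise)"),
]

def audit(text):  # -> [(setting, current value, checklist item)] for each failed check
    conf = parse_conf(text)
    return [(s, conf.get(s, "<unset>"), item) for s, ok, item in CHECKS if not ok(conf.get(s, ""))]

WEAK_CONF = """\
net:
  bindIp: 0.0.0.0   # listens on every interface; scripting, TLS, auth and audit left unset
"""
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
security:
  authorization: enabled
  javascriptEnabled: false
auditLog:
  destination: file
"""
```

audit(WEAK_CONF) reports five failed items and audit(HARDENED_CONF) reports none; wireObjectCheck passes when unset because the server default is true.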

Request a Security Technical Implementation Guide (where applicable)

The Security Technical Implementation Guide (STIG) contains security guidelines for deployments within the United States Department of Defense. MongoDB Inc. provides its STIG, upon request, for situations where it is required. Please request a copy for more information.

Consider Security Standards Compliance

For applications requiring HIPAA or PCI-DSS compliance, please refer to the MongoDB Security Reference Architecture to learn more about how you can use the key security capabilities to build compliant application infrastructure.
