OPTIONS

Security Checklist

This documents provides a list of security measures that you should implement to protect your MongoDB installation.

Require Authentication

Enable MongoDB authentication and specify the authentication mechanism. You can use the MongoDB authentication mechanism or an existing external framework. Authentication requires that all clients and servers provide valid credentials before they can connect to the system. In clustered deployments, enable authentication for each MongoDB server.

See Authentication, Enable Client Access Control, and Enable Authentication in a Sharded Cluster.

Configure Role-Based Access Control

Create roles that define the exact access a set of users needs. Follow a principle of least privilege. Then create users and assign them only the roles they need to perform their operations. A user can be a person or a client application.

Create a user administrator first, then create additional users. Create a unique MongoDB user for each person and application that accesses the system.

See Authorization, Create a Role, Create a User Administrator, and Add a User to a Database.

Encrypt Communication

Configure MongoDB to use SSL for all incoming and outgoing connections. Use SSL to encrypt communication between mongod and mongos components of a MongoDB client, as well as between all applications and MongoDB.

See Configure mongod and mongos for SSL.

Limit Network Exposure

Ensure that MongoDB runs in a trusted network environment and limit the interfaces on which MongoDB instances listen for incoming connections. Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available.

See the bindIp setting, and see Configure Linux iptables Firewall for MongoDB and Configure Windows netsh Firewall for MongoDB.

Audit System Activity

Track access and changes to database configurations and data. MongoDB Enterprise includes a system auditing facility that can record system events (e.g. user operations, connection events) on a MongoDB instance. These audit records permit forensic analysis and allow administrators to verify proper controls.

See Auditing and Configure System Events Auditing.

Encrypt and Protect Data

Encrypt MongoDB data on each host using file-system, device, or physical encryption. Protect MongoDB data using file-system permissions. MongoDB data includes data files, configuration files, auditing logs, and key files.

Run MongoDB with a Dedicated User

Run MongoDB processes with a dedicated operating system user account. Ensure that the account has permissions to access data but no unnecessary permissions.

See Install MongoDB for more information on running MongoDB.

Run MongoDB with Secure Configuration Options

MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce, group, eval, and $where. If you do not use these operations, disable server-side scripting by using the --noscripting option on the command line.

Use only the MongoDB wire protocol on production deployments. Do not enable the following, all of which enable the web server interface: enabled, net.http.JSONPEnabled, and net.http.RESTInterfaceEnabled. Leave these disabled, unless required for backwards compatibility.

Keep input validation enabled. MongoDB enables input validation by default through the wireObjectCheck setting. This ensures that all documents stored by the mongod instance are valid BSON.