URL:
https://www.mongodb.com/docs/manual/administration/security-checklist/
Submission: On August 19 via api from US — Scanned from DE
MongoDB Manual 7.0 (current) → Security → Security Checklist

SECURITY CHECKLIST

This document provides a list of security measures that you should implement to protect your MongoDB installation. The list is not meant to be exhaustive.
PRE-PRODUCTION CHECKLIST/CONSIDERATIONS

➤ ENABLE ACCESS CONTROL AND ENFORCE AUTHENTICATION

* Enable access control and specify an authentication mechanism. MongoDB Community supports a number of authentication mechanisms that clients can use to verify their identity:
  * SCRAM (Default)
  * x.509 Certificate Authentication.

  In addition to the preceding mechanisms, MongoDB Atlas and MongoDB Enterprise support the following mechanisms:
  * LDAP proxy authentication, and
  * Kerberos authentication.

  These mechanisms allow MongoDB to integrate into your existing authentication system.

TIP: SEE ALSO
* Authentication
* Enable Access Control

➤ CONFIGURE ROLE-BASED ACCESS CONTROL

* Create a user administrator first, then create additional users. Create a unique MongoDB user for each person/application that accesses the system.
* Follow the principle of least privilege. Create roles that define the exact access rights required by a set of users. Then create users and assign them only the roles they need to perform their operations. A user can be a person or a client application.

NOTE: A user can have privileges across different databases. If a user requires privileges on multiple databases, create a single user with roles that grant the applicable database privileges instead of creating the user multiple times in different databases.

TIP: SEE ALSO
* Role-Based Access Control
* Manage Users and Roles

➤ ENCRYPT COMMUNICATION (TLS/SSL)

* Configure MongoDB to use TLS/SSL for all incoming and outgoing connections. Use TLS/SSL to encrypt communication between mongod and mongos components of a MongoDB deployment as well as between all applications and MongoDB.

  MongoDB uses the native TLS/SSL OS libraries:

    Platform     TLS/SSL Library
    Windows      Secure Channel (Schannel)
    Linux/BSD    OpenSSL
    macOS        Secure Transport

TIP: SEE ALSO
* Configure mongod and mongos for TLS/SSL.

➤ ENCRYPT AND PROTECT DATA

* You can encrypt data in the storage layer with the WiredTiger storage engine's native Encryption at Rest.
* If you are not using WiredTiger's encryption at rest, MongoDB data should be encrypted on each host using file-system, device, or physical encryption (for example dm-crypt). You should also protect MongoDB data using file-system permissions. MongoDB data includes data files, configuration files, auditing logs, and key files.
* You can use Queryable Encryption or Client-Side Field Level Encryption to encrypt fields in documents application-side prior to transmitting data over the wire to the server.
* Collect logs to a central log store. These logs contain database authentication attempts, including source IP addresses.

➤ LIMIT NETWORK EXPOSURE

* Ensure that MongoDB runs in a trusted network environment and configure firewall or security groups to control inbound and outbound traffic for your MongoDB instances.
* Disable direct SSH root access.
* Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available.

TIP: SEE ALSO
* Network and Configuration Hardening
* the net.bindIp configuration setting
* the security.clusterIpSourceAllowlist configuration setting
* the authenticationRestrictions field of the db.createUser() command to specify a per-user IP allow list.

➤ AUDIT SYSTEM ACTIVITY

* Track access and changes to database configurations and data. MongoDB Enterprise includes a system auditing facility that can record system events (including user operations and connection events) on a MongoDB instance. These audit records permit forensic analysis and allow administrators to exercise proper controls. You can set up filters to record only specific events, such as authentication events.

TIP: SEE ALSO
* Auditing
* Configure Auditing

➤ RUN MONGODB WITH A DEDICATED USER

* Run MongoDB processes with a dedicated operating system user account. Ensure that the account has permissions to access data but no unnecessary permissions.
TIP: SEE ALSO
* Install MongoDB

➤ RUN MONGODB WITH SECURE CONFIGURATION OPTIONS

* MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce, $where, $accumulator, and $function. If you do not use these operations, disable server-side scripting by using the --noscripting option.
* Keep input validation enabled. MongoDB enables input validation by default through the net.wireObjectCheck setting. This ensures that all documents stored by the mongod instance are valid BSON.

➤ REQUEST A SECURITY TECHNICAL IMPLEMENTATION GUIDE (WHERE APPLICABLE)

* The Security Technical Implementation Guide (STIG) contains security guidelines for deployments within the United States Department of Defense. MongoDB Inc. provides its STIG upon request.

➤ CONSIDER SECURITY STANDARDS COMPLIANCE

* For applications requiring HIPAA or PCI-DSS compliance, please refer to the MongoDB Security Reference Architecture to learn more about how you can use MongoDB's key security capabilities to build compliant application infrastructure.

ANTIVIRUS AND ENDPOINT DETECTION AND RESPONSE SCANNING

If you use an antivirus (AV) scanner or an endpoint detection and response (EDR) scanner, configure your scanner to exclude the database storage path and the database log path from the scan.

The data files in the database storage path are compressed. Additionally, if you use the encrypted storage engine, the data files are also encrypted. The I/O and CPU costs of scanning these files may significantly decrease performance without providing any security benefit.

If you do not exclude the directories in your database storage path and database log path, the scanner could quarantine or delete important files. Missing or quarantined files can corrupt your database and crash your MongoDB instance.

PERIODIC/ONGOING PRODUCTION CHECKS

* Periodically check for MongoDB Product CVEs and upgrade your products.
* Consult the MongoDB end-of-life dates and upgrade your MongoDB installation as needed. In general, try to stay on the latest version.
* Ensure that your information security management system policies and procedures extend to your MongoDB installation, including performing the following:
  * Periodically apply patches to your machine.
  * Review policy/procedure changes, especially changes to your network rules, to prevent inadvertent MongoDB exposure to the Internet.
  * Review MongoDB database users and periodically rotate them.

REPORT SUSPECTED SECURITY BUGS

If you suspect that you have identified a security bug in any MongoDB product, please report the issue through the MongoDB Bug Submission Form.

© 2023 MongoDB, Inc.