Advanced · 20 min read

Security

Secure MongoDB with authentication, authorization, encryption, and network controls.

Authentication

Enable authentication before exposing MongoDB to any network. SCRAM-SHA-256 is the default password mechanism. Integrate LDAP, Kerberos, or x.509 certificates for enterprise identity.

Never run production databases without authentication. This includes containers that bind only to localhost, unless the host is truly isolated.

# Require auth in mongod.conf
security:
  authorization: enabled

Authorization

Role-based access control limits each user to necessary operations. Application services should use distinct credentials per service with collection-level custom roles where possible.

Review privilege escalation paths—users with userAdmin can grant themselves additional roles. Separate DBA accounts from application accounts.

  • Disable unused legacy authentication mechanisms
  • Use $external database for LDAP-authenticated users
  • Atlas integrates with cloud IAM and VPC peering for network isolation
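The escalation review described above can be automated. The following is an added example, not code from the original article: it walks role definitions in the shape returned by db.getRole(name, {showPrivileges: true}), follows inherited roles, and flags any path to grantRole or createUser (a role holding grantRole on a database can grant itself dbOwner there) as well as privileges that are not collection-scoped. The role and user documents are constructed for illustration; "app.userAdmin" is a hand-written summary of the built-in userAdmin role, not copied from a server.

```javascript
// Added example (not part of the original article): audit MongoDB role
// definitions for privilege-escalation paths and for privileges that are
// broader than a single collection. Role documents mirror the shape of
// db.getRole(name, {showPrivileges: true}); all definitions are constructed.

// Actions that let their holder change who can do what on a database. A role
// carrying grantRole on "app" can grant itself dbOwner on "app", so any path
// to these actions is treated as an escalation path.
const ESCALATION_ACTIONS = new Set(['grantRole', 'createUser']);

const ROLES = {
  // Constructed summary of the built-in userAdmin role on the "app" database.
  'app.userAdmin': {
    privileges: [{
      resource: { db: 'app', collection: '' },
      actions: ['createUser', 'createRole', 'grantRole', 'revokeRole', 'viewUser', 'viewRole'],
    }],
    roles: [],
  },
  // Custom role scoped to one collection, as recommended for a service account.
  'app.ordersWriter': {
    privileges: [{ resource: { db: 'app', collection: 'orders' }, actions: ['find', 'insert', 'update'] }],
    roles: [],
  },
  // A "read-only reporting" role that quietly inherits userAdmin: the escalation path.
  'app.reporting': {
    privileges: [{ resource: { db: 'app', collection: '' }, actions: ['find'] }],
    roles: [{ role: 'userAdmin', db: 'app' }],
  },
};

const roleKey = (ref) => `${ref.db}.${ref.role}`;

// Flatten a role's effective privileges by following inherited roles.
// Each privilege carries the chain of roles it was reached through.
function effectivePrivileges(ref, roles, chain = [], seen = new Set()) {
  const key = roleKey(ref);
  if (seen.has(key)) return [];          // guards against cyclic inheritance
  seen.add(key);
  const def = roles[key];
  if (!def) return [];                   // unknown role: nothing to expand
  const path = [...chain, key];
  const own = def.privileges.map((p) => ({ ...p, via: path }));
  const inherited = def.roles.flatMap((r) => effectivePrivileges(r, roles, path, seen));
  return own.concat(inherited);
}

// Audit one user document ({ user, roles: [{ role, db }] }) and return findings:
//   escalation - the user can reach an action in ESCALATION_ACTIONS
//   unscoped   - a privilege applies to every collection in the database
function auditUser(user, roles) {
  const findings = [];
  for (const ref of user.roles) {
    for (const priv of effectivePrivileges(ref, roles)) {
      const escalating = priv.actions.filter((a) => ESCALATION_ACTIONS.has(a));
      if (escalating.length > 0) {
        findings.push({ kind: 'escalation', db: priv.resource.db, actions: escalating, via: priv.via });
      } else if (priv.resource.collection === '') {
        findings.push({ kind: 'unscoped', db: priv.resource.db, actions: priv.actions, via: priv.via });
      }
    }
  }
  return findings;
}

// One service user per role, as the text recommends.
for (const role of ['ordersWriter', 'reporting']) {
  console.log(`svc-${role}:`, auditUser({ user: `svc-${role}`, roles: [{ role, db: 'app' }] }, ROLES));
}
```

The "reporting" user comes back with an escalation finding whose `via` chain reads `app.reporting > app.userAdmin`, which is exactly the indirect path a manual review of the user's top-level roles would miss; the collection-scoped ordersWriter produces no findings.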

Encryption at Rest and in Transit

Enable TLS for all client connections and inter-node replication traffic. Use certificates from a trusted CA or Atlas-managed certificates.

Encryption at rest protects data on disk via WiredTiger encryption or volume-level encryption (LUKS, cloud KMS). Atlas encrypts at rest by default; self-hosted requires explicit configuration.

net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/mongodb/server.pem
    CAFile: /etc/mongodb/ca.pem

Network Security

Bind mongod to private interfaces only; use firewall rules or security groups to allow just application subnets. Avoid exposing MongoDB directly to the public internet—use VPN, bastion, or private endpoints.

Atlas IP access lists and VPC peering restrict network paths. Audit open ports with regular scans.

  • Disable the deprecated HTTP and REST interfaces if your version still ships them
  • Use separate networks for analytics replicas with read-only users
  • Implement intrusion detection on database host logs

Security Hardening Checklist

Keep MongoDB and OS packages patched. Disable server-side JavaScript execution if it is not required (set security.javascriptEnabled: false in mongod.conf). Enable field-level encryption for highly sensitive attributes such as PII.

Conduct periodic security assessments, including credential rotation drills and penetration tests that cover the connection strings stored in CI/CD secrets.
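The configuration items named in this article (authorization, TLS mode, interface binding, server-side JavaScript) can be checked mechanically before a node is deployed. The following is an added example, not code from the original article or from MongoDB: it parses the two-space-indented key/value subset of YAML that mongod.conf uses (nested maps and scalars only, not a general YAML parser) and audits the result against the checklist above. The two configuration texts are constructed; the hardened one combines the snippets shown earlier on this page.

```javascript
// Added example (not part of the original article): parse a mongod.conf and
// audit it against the hardening points made in the text. The parser handles
// only nested maps, scalar values and '#' comments, which is all mongod.conf needs.

function coerce(v) {
  if (v === 'true') return true;
  if (v === 'false') return false;
  if (/^\d+$/.test(v)) return Number(v);
  return v.replace(/^["']|["']$/g, '');   // strip surrounding quotes
}

function parseConf(text) {
  const root = {};
  const stack = [{ indent: -1, node: root }];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trimEnd();   // drop comments
    if (line.trim() === '') continue;
    const indent = line.length - line.trimStart().length;
    const m = line.trim().match(/^([\w.]+):\s*(.*)$/);
    if (!m) throw new Error(`unparseable line: ${raw}`);
    const [, key, value] = m;
    while (stack[stack.length - 1].indent >= indent) stack.pop();   // climb out of deeper maps
    const parent = stack[stack.length - 1].node;
    if (value === '') {               // "key:" with nothing after it opens a nested map
      const child = {};
      parent[key] = child;
      stack.push({ indent, node: child });
    } else {
      parent[key] = coerce(value);
    }
  }
  return root;
}

// Dotted-path lookup, e.g. get(conf, 'net.tls.mode').
const get = (obj, path) =>
  path.split('.').reduce((o, k) => (o && typeof o === 'object' ? o[k] : undefined), obj);

// Each check corresponds to a point made in the article.
function auditConf(conf) {
  const findings = [];
  if (get(conf, 'security.authorization') !== 'enabled') {
    findings.push('security.authorization is not "enabled": server accepts unauthenticated clients');
  }
  const tlsMode = get(conf, 'net.tls.mode');
  if (tlsMode !== 'requireTLS') {
    findings.push(`net.tls.mode is "${tlsMode}", not requireTLS: plaintext connections allowed`);
  } else {
    if (!get(conf, 'net.tls.certificateKeyFile')) findings.push('requireTLS set but no certificateKeyFile');
    if (!get(conf, 'net.tls.CAFile')) findings.push('no CAFile: peer certificates cannot be validated');
  }
  const bindIps = String(get(conf, 'net.bindIp') ?? '').split(',').map((s) => s.trim());
  if (get(conf, 'net.bindIpAll') === true || bindIps.includes('0.0.0.0') || bindIps.includes('::')) {
    findings.push('mongod binds to all interfaces; bind to private addresses only');
  }
  if (get(conf, 'security.javascriptEnabled') !== false) {
    findings.push('server-side JavaScript enabled; set security.javascriptEnabled: false if unused');
  }
  return findings;
}

// Constructed configurations: one following this article, one that does not.
const HARDENED_CONF = `
# mongod.conf (constructed, combines the snippets from this article)
security:
  authorization: enabled
  javascriptEnabled: false
net:
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/mongodb/server.pem
    CAFile: /etc/mongodb/ca.pem
`;

const WEAK_CONF = `
# constructed weak configuration for contrast
security:
  authorization: disabled
net:
  bindIpAll: true
  tls:
    mode: disabled
`;

console.log('hardened:', auditConf(parseConf(HARDENED_CONF)));
console.log('weak:', auditConf(parseConf(WEAK_CONF)));
```

The hardened configuration produces no findings; the weak one produces four (authorization, TLS mode, interface binding, server-side JavaScript). Because the parser resolves nesting by indentation, the checks work regardless of the order in which the top-level sections appear.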

// Client-side field level encryption (CSFLE) concept
// Encrypt SSN before insert; decrypt only in authorized services
