Back to Curriculum

MongoDB Security

📚 Lesson 10 of 15 ⏱️ 35 min

MongoDB Security

35 min

MongoDB security encompasses multiple layers including authentication (verifying user identity), authorization (controlling access to resources), encryption (protecting data), and network security (controlling network access). Implementing comprehensive security is essential for protecting sensitive data and ensuring compliance with security requirements. Understanding MongoDB security features enables you to build secure applications.

Authentication verifies user identity. MongoDB supports multiple authentication mechanisms including SCRAM-SHA-256 (default password-based authentication), x.509 certificates, LDAP, and Kerberos. Users are created with usernames and passwords, and authentication is required to access the database. Understanding authentication mechanisms enables you to choose appropriate security for your environment.

Authorization controls what authenticated users can do. MongoDB uses role-based access control (RBAC), where users are assigned roles that grant specific privileges. Built-in roles include read, readWrite, dbAdmin, and userAdmin. Custom roles can be created for specific privilege requirements. Understanding RBAC enables fine-grained access control tailored to your application needs.

Network security controls who can connect to MongoDB. MongoDB can be configured to bind to specific IP addresses, use firewalls to restrict access, and use TLS/SSL for encrypted connections. Network security prevents unauthorized access attempts. Understanding network security enables you to protect MongoDB from network-based attacks.

Encryption protects data in transit (TLS/SSL) and at rest (encryption at rest). TLS/SSL encrypts data as it travels over the network, preventing eavesdropping. Encryption at rest encrypts data stored on disk, protecting data if storage is compromised. Understanding encryption enables you to protect sensitive data throughout its lifecycle.

Additional security features include auditing (logging security events), field-level encryption (encrypting specific fields), and security best practices (regular updates, strong passwords, least privilege). Understanding and implementing these features creates a defense-in-depth security posture that protects MongoDB from various threats.

Key Concepts

  • MongoDB security includes authentication, authorization, encryption, and network security.
  • Authentication verifies user identity using various mechanisms.
  • Role-based access control (RBAC) provides fine-grained permissions.
  • Network security and encryption protect data in transit and at rest.
  • Security requires multiple layers for defense-in-depth.

Learning Objectives

Master

  • Implementing authentication and creating users
  • Configuring role-based access control
  • Setting up network security and encryption
  • Understanding MongoDB security best practices

Develop

  • Understanding database security principles
  • Designing secure MongoDB deployments
  • Implementing comprehensive security measures

Tips

  • Create users with roles: db.createUser({ user: 'name', pwd: 'password', roles: ['readWrite'] }).
  • Use strong passwords and enable authentication: security.authorization: enabled.
  • Enable TLS/SSL for encrypted connections: net.ssl.mode: requireSSL.
  • Use firewalls and bind to specific IPs: net.bindIp: '127.0.0.1'.

Common Pitfalls

  • Not enabling authentication, allowing unauthorized access.
  • Using default or weak passwords, compromising security.
  • Not using encryption, exposing data to network attacks.
  • Granting excessive privileges, violating least privilege principle.

Summary

  • MongoDB security requires multiple layers of protection.
  • Authentication and authorization control access to data.
  • Encryption protects data in transit and at rest.
  • Following security best practices ensures comprehensive protection.

Exercise

Implement MongoDB security measures.

// Create admin user
use admin
db.createUser({
  user: "adminUser",
  pwd: "securePassword123",
  roles: ["userAdminAnyDatabase", "dbAdminAnyDatabase", "readWriteAnyDatabase"]
})

// Create application user
use myApp
db.createUser({
  user: "appUser",
  pwd: "appPassword123",
  roles: [
    { role: "readWrite", db: "myApp" },
    { role: "read", db: "reports" }
  ]
})

// Create custom role
db.createRole({
  role: "dataAnalyst",
  privileges: [
    {
      resource: { db: "myApp", collection: "sales" },
      actions: ["find", "aggregate"]
    },
    {
      resource: { db: "myApp", collection: "products" },
      actions: ["find"]
    }
  ],
  roles: []
})

// Assign role to user
db.grantRolesToUser("appUser", ["dataAnalyst"])

// Enable authentication
// In mongod.conf:
security:
  authorization: enabled

// Connect with authentication
mongosh --username appUser --password appPassword123 --authenticationDatabase myApp

// Use SSL/TLS
// In mongod.conf:
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /path/to/mongodb.pem
    CAFile: /path/to/ca.pem

// Connect with SSL
mongosh --ssl --sslCAFile /path/to/ca.pem --host mongodb.example.com

// Field-level encryption
// Install MongoDB Enterprise and configure encryption
// Example with client-side field level encryption:
const { ClientEncryption } = require("mongodb-client-encryption")

const clientEncryption = new ClientEncryption(client, {
  keyVaultNamespace: "encryption.__keyVault",
  kmsProviders: {
    local: {
      key: masterKey
    }
  }
})

// Encrypt sensitive field
const encryptedField = await clientEncryption.encrypt("123-45-6789", {
  algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512_Deterministic",
  keyId: keyId
})

// Insert encrypted document
db.users.insertOne({
  name: "John Doe",
  ssn: encryptedField
})

Exercise Tips

  • Create users with least privilege: grant only necessary roles.
  • Use custom roles for specific access requirements.
  • Enable authentication in production: security.authorization: enabled.
  • Use TLS/SSL for encrypted connections in production environments.

Code Editor

Output