Security Features and Setup

Network and Firewall Requirements

You must ensure that your application can reach your MongoDB Atlas environment. To ensure connectivity with Atlas, you must whitelist the inbound network access from your application environment to Atlas by either whitelisting public IP addresses, or using VPC / VNet peering to whitelist private IP addresses.

See also

To learn more about IP whitelisting, see Whitelist.

If your firewall blocks outbound network connections, you must also open outbound access from your application environment to Atlas. You must configure your firewall to allow your applications to make outbound connections to ports 27015 to 27017 to TCP traffic on Atlas hosts. This grants your applications access to databases stored on Atlas.

Note

By default, MongoDB Atlas clusters do not need to be able to initiate connections to your application environments. If you wish to enable Atlas clusters with LDAP authentication and authorization, you must allow network access from Atlas clusters directly to your secure LDAP. You can allow access to your LDAP by using public or private IPs as long as a public DNS hostname points to an IP that the Atlas clusters can access.

If you are not using VPC / VNet peering and plan to connect to Atlas using public IP addresses, see the following pages for additional information:

• Can I specify my own VPC for my MongoDB Atlas project?
• Do Atlas clusters’ public IPs ever change?

Preconfigured Security Features

The following security features are part of the Atlas product:

TLS/SSL

Atlas uses TLS/SSL to encrypt the connections to your databases.

Virtual Private Cloud

Important

If this is the first M10+ dedicated paid cluster for the selected region or regions and you plan on creating one or more VPC peering connections, please review the documentation on VPC peering connections before continuing.

Required Security Features

You must configure the following security features:

Whitelist

Atlas only allows client connections to the cluster from entries in the project’s whitelist. To connect, you must add an entry to the whitelist. To set up the whitelist for the project, see Configure Whitelist Entries.

For Atlas clusters deployed on Google Cloud Platform (GCP) or Microsoft Azure, add the IP addresses of your GCP or Azure services to Atlas project IP whitelist to grant those services access to the cluster.

User Authentication/Authorization

Atlas requires clients to authenticate to access the clusters, i.e. the MongoDB databases. You must create database users to access the database. To set up database users to your clusters, see Configure Database Users.

To access clusters in a project, users must belong to that project. Users can belong to multiple projects. See Atlas User Access.

Optional Security Features

You may configure the following security features:

Custom Roles

Atlas supports creating custom roles in cases where the built-in Atlas database user privileges cannot describe your desired set of privileges.

VPC Peering

Atlas supports VPC peering with other AWS, Azure, or GCP VPCs. To use VPC Peering, see Set up a Network Peering Connection.

Private Endpoints

Atlas supports private endpoints on AWS using the AWS PrivateLink feature. To use private endpoints, see Set up a Private Endpoint.

Two Factor Authentication

Atlas supports Two Factor Authentication (2FA) to help users control access to their Atlas accounts. To use 2FA, see Two Factor Authentication.

User Authentication/Authorization with LDAP

Atlas supports performing user authentication and authorization with LDAP. To use LDAP, see Set up User Authentication and Authorization with LDAP.

Unified AWS Access

Some Atlas features, including Data Lakes and Encryption at Rest using Customer Key Management, use AWS IAM roles for authentication.

To set up an AWS IAM role for Atlas to use, see Set Up Unified AWS Access.

Encryption at Rest using your Key Management

Atlas supports using AWS KMS, Azure Key Vault, and GCP to encrypt storage engines and cloud provider backups. To use encryption at rest, see Encryption at Rest using Customer Key Management.

Client-Side Field Level Encryption

Atlas supports client-side field level encryption, including automatic encryption of fields.

Note

All Atlas users are entitled to use MongoDB’s automatic client-side field level encryption features.

Prerequisites

Minimum Driver and mongo Version

The following support client-side field level encryption:

• Official MongoDB drivers compatible with MongoDB Server 4.2 and later, or
• mongo shell 4.2 and later.

For more information on official MongoDB drivers, see MongoDB Drivers.

Minimum Server Version

Drivers and the mongo shell can only use client-side field level encryption if connected to a Atlas cluster running MongoDB 4.2 or later.

Note

MongoDB Compass, the Data Explorer, and the MongoDB Shell (mongosh) do not support decrypting client-side field level-encrypted fields.

See also

• Client-Side Field Level Encryption
• Use-Case Guide for Client-Side Field Level Encryption

Database Auditing

Atlas supports auditing all system event actions. To use database auditing, see Set up Database Auditing.

Restrict MongoDB Support Access to Atlas Backend Infrastructure

Organization owners can restrict MongoDB Production Support Employees from accessing Atlas backend infrastructure for any Atlas cluster in their organization. Organization owners may grant a 24 hour bypass to the access restriction at the Atlas cluster level.

Important

Restricting infrastructure access for MongoDB Production Support Employees may increase support issue response and resolution time and negatively impact cluster availability.

To enable this option, see Restrict MongoDB Support Access to Atlas Backend Infrastructure.

Access Tracking

Atlas surfaces authentication logs directly in the UI so that you can easily review successful and unsuccesful authentication attempts made against your clusters. To view your database access history, see View Database Access History.

• View Database Access History
• Configure Whitelist Entries
• Configure Database Users
• Configure Custom Roles
• Set up a Network Peering Connection
• Set up a Private Endpoint
• Set up Two Factor Authentication
• Set Up Unified AWS Access
• Set up User Authentication and Authorization with LDAP
• Configure Federated Authentication
• Encryption at Rest using Customer Key Management
  • Customer Key Management with AWS KMS
    • Rotate your AWS Customer Master Key
  • Customer Key Management with Azure Key Vault
    • Rotate your Azure Key Identifier
  • Customer Key Management with Google Cloud KMS
    • Rotate your GCP Key Version Resource ID
• Set up Database Auditing
  • Configure a Custom Auditing Filter
• Set up Self-Managed X.509 Authentication
• Restrict MongoDB Support Access to Atlas Backend Infrastructure

←   Configure Maintenance Window View Database Access History  →

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.