Amazon DocumentDB Operational Maturity

Comparing Backup Options

Amazon’s DocumentDB backup functionality is similar to what is available with RDS services. Users can configure a retention period of up to 35 days, with Point in Time (PiT) restores at a per-second granularity, and have the ability to specify a timeframe for the backup to start. Scheduled snapshots are incremental and the cost of backup, like all other RDS services, is included in the price of the cluster up until the current database storage size. For example, if you have a cluster with a data size of 1TB, you have 1TB of backup included. Even with incremental snapshots, this means you get 1 snapshot for free and you have to pay for the other 34.

DocumentDB also offers on-demand snapshots that are manually triggered either via the AWS Console or the API. Snapshots take a full copy of the database – they are not incremental, and each counts against the backup storage quota. On-demand snapshots also do not work with PiT restores.

Snapshots can only be restored against a new cluster – you cannot restore your backup to an existing cluster.

How MongoDB Atlas is Different

With MongoDB Atlas, the fully managed MongoDB service, users have much more flexibility in how they schedule backups. With Continuous Backup, the user can select different retention periods for hourly, daily, weekly, and monthly backups.

Like DocumentDB, MongoDB Atlas snapshots are incremental, and support PiT restores with continuous backup, allowing users to reduce cost and improve their Recovery Time Objective. Unlike DocumentDB, MongoDB Atlas On-Demand snapshots are also incremental.

When users restore a backup in Atlas, they can apply it to an existing cluster, avoiding the time and cost needed to provision a new cluster.

Comparing Security

The current set of security protections in DocumentDB are limited. Key gaps include the following:

  • All users are created with the dbAdminAnyDatabase, readWriteAnyDatabase, and clusterAdmin roles, meaning that they have full access to all databases and collections within a cluster. DocumentDB does not currently support roles or authenticationRestrictions when creating a user.

  • There is no support for LDAP or Active Directory authentication and authorization

  • Encryption at-rest can only be enabled at cluster creation time. If you create your cluster unencrypted and then want to encrypt data later, you must dump the database and then reload into a newly created cluster

  • DocumentDB only supports encryption with the AWS Key Management Service – there is no option for customers to bring their preferred KMS.

  • While DocumentDB supports event auditing, it only captures DDL operations and not DML operations, so administrators only get a partial view of database activity

MongoDB Atlas offers granular access control, full auditing, and is always fully encrypted, with integrations to AWS KMS or a customer’s own key management service.

Further enhancing data protection, with MongoDB client-side field level encryption you can selectively encrypt individual document fields, each optionally secured with its own key and decrypted seamlessly on the client. Our implementation of Field Level Encryption is totally separated from the database, making it transparent to the server, and instead handled exclusively within the MongoDB drivers on the client. All encrypted fields on the server – stored in-memory, in system logs, at-rest, and in backups – are rendered as ciphertext, making them unreadable to any party who does not have client access along with the keys necessary to decrypt the data. This is a different and more comprehensive approach than at-rest encryption offered by DocumentDB. As DocumentDB handles encryption server-side, data is still accessible to administrators who have access to the database instance itself, even if they have no client access privileges.

Comparing Monitoring and Diagnostics

Effective tooling that exposes telemetry from database operations is essential to both optimizing database performance and proactively detecting emerging issues before they escalate into costly application outages. Without this telemetry, your teams can be flying blind.

DocumentDB exposes fewer than 30 metrics, compared to MongoDB Atlas with over 100 metrics. Atlas provides granular insights into individual MongoDB processes, replica sets, sharded deployments, and complete clusters, and through the Performance Advisor, provides automated and proactive guidance on how to optimize query access patterns.

Fully managed MongoDB

Spin up a free cluster in minutes

Already have an account? Sign in.

Included with your free cloud database:

  • 512 MB of Storage
  • Shared RAM
  • Highly available replica sets, end-to-end encryption, automated patches, REST API

Additionally, get access to the following when you launch a dedicated cluster:

  • 10 GB or more of storage
  • Dedicated RAM
  • Performance optimization tools
  • Backups & point-in-time recovery
  • Enterprise security features including encryption key management, LDAP integration, and granular database auditing
  • Global Clusters