MongoDB Security Basics For Your Deployments in AWS

MongoDB
July 13, 2016
#Cloud

Jay Gordon is a Technical Account Manager with MongoDB and is available via our chat to discuss Cloud Manager at cloud.mongodb.com

Securing your MongoDB deployment can be done quite simply thanks to using AWS and Cloud Manager. Let’s discuss the process of determining if your AWS deployment has an enhanced security configuration to reduce exposure. If it’s not, we’ll provide you with some tips to properly secure it and ensure your data is not available to the world.

We will start with your Cloud Manager deployment in AWS Cloud. The most important part prior to deploying MongoDB is properly configuring your security group.

Security Groups are AWS virtual firewalls that allow you to isolate network environments similarly to a Software or Hardware firewall on your EC2 instances.

Our documentation page for Firewall Configuration has a list of ports and IPs that need access.

Let’s highlight some key points you should hit to improve your network security posture:

Outbound Firewall Rules

We must allow all outgoing HTTPS (port 443) traffic to pass in order for your Cloud Manager agents to function. Without this, the agents will not be able to communicate back to Cloud Manager. Typically, outbound traffic is not filtered by default. All security groups come with a default 0.0.0.0/0 rule for all outgoing traffic.

https://webassets.mongodb.com/_com_assets/blog/tblr/67.media.tumblr.com--ffe802ddbe0a16810a4bfd1a717a8aeb--tumblr_oa9ootRTIu1sdaytmo1_1280.png

Prepping your Inbound Firewall Rules

This is the part where things can get complicated. Without properly configuring this, we will not be permitted to either access, configure and secure our systems. An empty security group provides you no real access.

Before you go to production, you should consider what other systems and people aside from MongoDB Cloud Manager are going to require access. This could be as simple as determining IP addresses of your office VPN, local computer or application servers. By limiting access to your MongoDB deployment to trusted connections only, you reduce your attack surface that can be exploited by remote attackers.

Important IPs for Cloud Manager

Please note, these IPs can change without notice, so always check our documentation on provisioning and restores for the latest addresses.

Auto-Provisioning

If you use Cloud Manager provisioning, you must grant SSH access to the following ranges at minimum:

  • 4.71.186.128/25
  • 4.35.16.128/25

Backup SCP Restores

If you use SCP as the delivery method when restoring a snapshot, you must grant SSH access to the following ranges at minimum:

  • 4.71.186.128/25
  • 4.35.16.128/25

TCP Ports to Consider

All MongoDB processes in a deployment must be accessible to all Cloud Manager agents managing or monitoring processes in that deployment. Therefore, all MongoDB ports must be open to every server that hosts an Automation, Monitoring or Backup Agent. For example, if you are running MongoDB processes on 27000,27017 and 27020, then those three ports must be open from all servers that are hosting an Agent.

https://webassets.mongodb.com/_com_assets/blog/tblr/67.media.tumblr.com--db6ac563a6e49a3b81d7e4e9214127b5--tumblr_oa9ootRTIu1sdaytmo3_1280.png

This example is a minimum ingress ruleset for AWS provisioning and SCP restores. We have also configured our internal network to permit the 27000 - 28000 ports to talk to each other. You can assign multiple security groups to your instances if you’d like to create a separate Security Group to handle your authentication for any external access to the MongoDB systems via ssh or mongo shell.

Alerts

MongoDB Cloud Manager comes with a monitoring and alerting system. Part of this alerting set will notify you if your MongoDB deployment is exposed to the internet:

https://webassets.mongodb.com/_com_assets/blog/tblr/66.media.tumblr.com--600f8e1ecf88f3b98ce94208d2b416ff--tumblr_oa9ootRTIu1sdaytmo4_1280.png

In the case of a situation like this, Cloud Manager will notify you via whichever integration, email or SMS, you’ve selected. This is just another benefit of using Cloud Manager, the idea that your total overhead can be reduced by allowing our software to replace the typical requirements around monitoring and alerting. If your organization already uses some other form of alerting, you can leverage our Public API which can allow you to hook these alerts into any system you may already be using.

User Authentication and SSL

Cloud Manager has many other security features built in such as SSL and user authentication which are extremely valuable. Our Automation Agent has the ability to enable these features for you with a few clicks, saving you time and operational overhead.

Authentication

Once you enable user authentication, we begin the process of automatically managing passwords for your application role users for backups and system management on your behalf. You also have the ability to use roles to create users with different sets of permissions in logical groups. Authentication methods available include SCRAM-SHA-1, Kerberos, LDAP and X.509 client certificate.

SSL

Some applications can support the ability to connect to a running MongoDB deployment that utilizes SSL to encrypt data in-transit between the application and the database. Tools must provide users the ability to connect with or without an SSL certificate. Users are able to supply a CA or self-signed certificate and connect to the MongoDB deployment.

https://webassets.mongodb.com/_com_assets/blog/tblr/67.media.tumblr.com--edb968719329347dd1e370769b2a5892--tumblr_oa9ootRTIu1sdaytmo2_1280.png

MongoDB security best practices can assist in protecting your data from those who may seek to access it without your permission. Some of these tasks could include support overhead for your team during the configuration process if choosing to do manually. Thankfully Cloud Manager exists to help you implement these best practices with simplicity and speed.

← Previous

MongoDB 3.2.8 is released

MongoDB 3.2.8 is out and is ready for production deployment. This release contains only fixes since 3.2.7, and is a recommended upgrade for all 3.2 users. This release candidate includes fixes for two obscure race conditions in the WiredTiger storage engine, WT-2696 and WT-2706 , that may cause updates to be missed during an unclean shutdown. Although extremely difficult to trigger, MongoDB users running with the WiredTiger storage engine are urged to upgrade to 3.2.8. Also fixed in this release: SERVER-18329 Add Debian 8 (Jessie) builds and associated package repository SERVER-24580 Improve performance when WiredTiger cache is full SERVER-24711 ASIO connections that have already timed out before setup should not error SERVER-24773 Secondary block on initialSync when the next oplog needed was removed on primary WT-2702 Under high thread load, WiredTiger exceeds cache size 3.2 Release Notes | All Issues | Downloads As always, please let us know of any issues. -- The MongoDB Team

July 13, 2016
Next →

How Edenlab Built a High-Load, Low-Code FHIR Server to Deliver Healthcare for 40 Million Plus Patients

The Kodjin FHIR server has speed and scale in its DNA. Edenlab, the Ukrainian company behind Kodjin , built our original FHIR solution to digitize and service the entire Ukrainian national health system. The learnings and technologies from that project informed our development of the Kodjin FHIR server. At Edenlab, we have always been driven by our passion for building solutions that excel in speed and scale. With Kodjin, we have embraced a modern tech stack to deliver unparalleled performance that can handle the demands of large-scale healthcare systems, providing efficient data management and seamless interoperability. Eugene Yesakov, Solution Architect, Author of Kodjin Built for speed and scale While most healthcare projects involve handling large volumes of data, including patient records, medical images, and sensor data, the Kodjin FHIR server is based on a system developed to handle tens of millions of patient records and thousands of requests per second, to ensure timely access and efficient decision-making for a population of over 40 million people. And all of this information had to be processed and exchanged in real-time or near real-time, without delays or bottlenecks. This article will explore some of the architectural decisions the Edenlab team took when building Kodjin, specifically the role MongoDB played in enhancing performance and ensuring scalability. We will examine the benefits of leveraging MongoDB's scalability, flexibility, and robust querying capabilities, as well as its ability to handle the increasing velocity and volume of healthcare data without compromising performance. About Kodjin FHIR server Kodjin is an ONC-certified and HIPAA-compliant FHIR Server that offers hassle-free healthcare data management. It has been designed to meet the growing demands of healthcare projects, allowing for the efficient handling of increasing data volumes and concurrent requests. Its architecture, built on a horizontally scalable microservices approach, utilizes cutting-edge technologies such as the Rust programming language, MongoDB, ElasticSearch, Kafka, and Kubernetes. These technologies enable Kodjin to provide users with a low-code approach while harnessing the full potential of the FHIR specification. A deeper dive into the architecture approach - the role of MongoDB in Kodjin When deciding on the technology stack for the Kodjin FHIR Server, the Edenlab team knew that a document database would be required to serve as a transactional data store. In an FHIR Server, a transactional data store ensures that data operations occur in an atomic and consistent manner, allowing for the integrity and reliability of the data. Document databases are well-suited for this purpose as they provide a flexible schema and allow for storing complex data structures, such as those found in FHIR data. FHIR resources are represented in a hierarchical structure and can be quite intricate, with nested elements and relationships. Document databases, like MongoDB, excel at handling such complex and hierarchical data structures, making them an ideal choice for storing FHIR data. In addition to supporting document storage, the Edenlab team needed the chosen database to provide transactional capabilities for FHIR data operations. FHIR transactions, which encompass a set of related data operations that should either succeed or fail as a whole, are essential for maintaining data consistency and integrity. They can also be used to roll back changes if any part of the transaction fails. MongoDB provides support for multi-document transactions , enabling atomic operations across multiple documents within a single transaction. This aligns well with the transactional requirements of FHIR data and ensures data consistency in Kodjin. Implementation of GridFS as a storage for the terminologies in Terminology service Terminology service plays a vital role in FHIR projects, requiring a reliable and efficient storage solution for terminologies used. Kodjin employs GridFS , a file system within MongoDB designed for storing large files, which makes it ideal to handle terminologies. GridFS offers a convenient way to store and manage terminology files, ensuring easy accessibility and seamless integration within the FHIR ecosystem. By utilizing MongoDB's GridFS, Kodjin ensures efficient storage and retrieval of terminologies, enhancing the overall functionality of the terminology service. Kodjin FHIR server performance To evaluate the efficiency and responsiveness of the Kodjin FHIR server in various scenarios we conducted multiple performance tests using Locust, an open-source load testing tool. One of the performance metrics measured was the retrieval of resources by their unique ids using the GET by ID operation. Kodjin with MongoDB achieved a performance of 1721.8 requests per second (RPS) for this operation. This indicates that the server can efficiently retrieve specific resources, enabling quick access to desired data. The search operation, which involves querying ElasticSearch to obtain the ids of the searched resources and retrieving them from MongoDB, exhibited a performance of 1896.4 RPS. This highlights the effectiveness of polyglot persistence in Kodjin, leveraging ElasticSearch for fast and efficient search queries and MongoDB for resource retrieval. The system demonstrated its ability to process search queries and retrieve relevant results promptly. In terms of resource creation, Kodjin with MongoDB showed a performance of 1405.6 RPS for POST resource operations. This signifies that the system can effectively handle numerous resource-creation requests. The efficient processing and insertion of new resources into the MongoDB database ensure seamless data persistence and scalability. Overall, the performance tests confirm that Kodjin with MongoDB delivers efficient and responsive performance across various FHIR operations. The high RPS values obtained demonstrate the system's capability to handle significant workloads and provide timely access to resources through GET by ID, search, and POST operations. Conclusion Kodjin leverages a modern tech stack including Rust, Kafka, and Kubernetes to deliver the highest levels of performance. At the heart of Kodjin is MongoDB, which serves as a transactional data store. MongoDB's capabilities, such as multi-document transactions and flexible schema, ensure the integrity and consistency of FHIR data operations. The utilization of GridFS within MongoDB ensures efficient storage and retrieval of terminologies, optimizing the functionality of the Terminology service. To experience the power and potential of the Kodjin FHIR server firsthand, we invite you to contact the Edenlab team for a demo. For more information On MongoDB’s work in healthcare, and to understand why the world’s largest healthcare companies trust MongoDB, read our whitepaper on radical interoperability .

May 31, 2023