MongoDB Security Best Practices

Eliot Horowitz

Editor's note: This post was edited on June 23, 2015 to reflect the change from MongoDB Management Service to MongoDB Cloud Manager. Learn more here.

MongoDB takes security very seriously. Recently a team of German researchers discovered unsecured instances of MongoDB reachable on the public internet. Readers who are concerned about who can reach their own deployments should review the following resources:

  • The most popular installer for MongoDB (RPM) limits network access to localhost by default: the packaged mongod.conf sets bindIp to 127.0.0.1, so mongod is not reachable from other hosts unless that setting is changed.
  • Security is addressed in detail in our Security Manual. The Security Checklist discusses limiting network exposure. Note that the method for doing this varies significantly depending on where the service is hosted (AWS, Azure, locally, etc.).
  • Additionally, users of MongoDB Cloud Manager can enable alerts to detect if their deployment is internet exposed (see figure below).
  • A discussion of security is provided in two parts. Part 1 covers Design and Configuration. Part 2 covers 10 mistakes that can compromise your database.
  • We encourage users who have experienced a security incident involving MongoDB to create a vulnerability report.
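The two settings behind most "open MongoDB" findings are a bindIp that listens on every interface and authorization left off. The following script is an added example, not code from the original post or from MongoDB: it lints a mongod.conf in the YAML form used since MongoDB 2.6 for exactly those two settings, using constructed weak and hardened sample files. It assumes the simple two-level "section:" / "  key: value" layout and does not parse the older ini-style file (bind_ip=, auth=); the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the post): lint a mongod.conf (YAML form, MongoDB 2.6+)
# for an all-interfaces bindIp and for authorization left disabled.
# Assumptions: two-level "section:\n  key: value" layout only; the older
# ini-style config (bind_ip=, auth=) is not parsed.

# conf_get FILE SECTION KEY  -> prints SECTION.KEY, or nothing if absent
conf_get() {
  awk -v sec="$2" -v key="$3" '
    /^[^ \t#]/ { cur = $1; sub(/:.*$/, "", cur); next }
    cur == sec && /^[ \t]+[^ \t#]/ {
      k = $1; sub(/:$/, "", k)
      if (k == key) {
        v = $0
        sub(/^[^:]*:[ \t]*/, "", v)   # drop "key:" and leading blanks
        sub(/[ \t]+#.*$/, "", v)       # drop trailing comment
        sub(/[ \t]+$/, "", v)
        print v
        exit
      }
    }' "$1"
}

# mongod_conf_check FILE -> prints findings; returns 0 only if nothing is exposed
mongod_conf_check() {
  f=$1
  rc=0
  bind=$(conf_get "$f" net bindIp)
  auth=$(conf_get "$f" security authorization)
  if [ -z "$bind" ]; then
    # Before 3.6 an unset bindIp meant "all interfaces"; 3.6+ defaults to localhost.
    echo "$f: WARN net.bindIp unset (mongod before 3.6 binds to all interfaces)"
    rc=1
  else
    for addr in $(printf '%s' "$bind" | tr ',' ' '); do
      case "$addr" in
        0.0.0.0|::) echo "$f: WARN net.bindIp includes $addr (all interfaces)"; rc=1 ;;
        127.0.0.1|::1|localhost) echo "$f: ok   net.bindIp $addr (loopback only)" ;;
        *) echo "$f: INFO net.bindIp $addr is routable; confirm it is firewalled" ;;
      esac
    done
  fi
  if [ "$auth" != "enabled" ]; then
    echo "$f: WARN security.authorization is ${auth:-unset}; any client that connects gets full access"
    rc=1
  else
    echo "$f: ok   security.authorization enabled"
  fi
  return $rc
}

# Constructed sample configs: the weak one mirrors the "open on the internet" case.
write_weak_conf() {
  cat > "$1" <<'EOF'
# mongod.conf (constructed weak example)
net:
  port: 27017
  bindIp: 0.0.0.0   # listens on every interface
storage:
  dbPath: /var/lib/mongo
EOF
}

write_hardened_conf() {
  cat > "$1" <<'EOF'
# mongod.conf (constructed hardened example)
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongo
EOF
}

tmp=$(mktemp -d)
write_weak_conf "$tmp/weak.conf"
write_hardened_conf "$tmp/hardened.conf"
mongod_conf_check "$tmp/weak.conf" || echo "weak.conf: FAIL"
mongod_conf_check "$tmp/hardened.conf" && echo "hardened.conf: PASS"
rm -rf "$tmp"
```

Run it as-is to see both reports, or point `mongod_conf_check` at a real /etc/mongod.conf. A routable bindIp is reported as INFO rather than WARN because replica set members legitimately listen on a private address; the check cannot see the firewall, so that case still needs the host-level review the Security Checklist describes.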

Figure: creating a new Cloud Manager alert that notifies you when a host is exposed to the public internet.

If you are interested in learning more about security best practices, watch our on-demand webinar, Securing your MongoDB deployment.

About the Author - Eliot Horowitz

Eliot Horowitz is CTO and Co-Founder of MongoDB. Eliot is one of the core MongoDB kernel committers. Previously, he was Co-Founder and CTO of ShopWiki, where he developed the crawling and data extraction algorithm at the core of its technology. He has quickly become one of Silicon Alley's up-and-coming entrepreneurs and was selected as one of BusinessWeek's Top 25 Entrepreneurs Under Age 25 nationwide in 2006. Earlier, Eliot was a software developer in the R&D group at DoubleClick (acquired by Google for $3.1 billion). Eliot received a BS in Computer Science from Brown University.