Does MongoDB Atlas meet the CIS (Center of Internet Security) Benchmark?

From IT Security I got the CIS (Center of Internet Security) benchmark: CIS_MongoDB_5_Benchmark_v1.0.0_PDF.pdf (CIS MongoDB Benchmarks) with the question whether MongoDB Atlas meets this Benchmark. Unfortunately there exists no dedicated MongoDB Atlas Benchmark and therefore while I could answer most questions with yes there still exist some open questions that require access to the underlying server configuration and maybe someone in this community can answer these questions:

2.1 Ensure Authentication is configured
cat /etc/mongod.conf | grep “authorization”
The value for authorization must be set to enabled.

2.2 Ensure that MongoDB does not bypass authentication via the localhost exception
cat /etc/mongod.conf |grep “enableLocalhostAuthBypass”
The value for enableLocalhostAuthBypass must be false.

3.3 Ensure that MongoDB is run using a non-privileged, dedicated service account
Run the following command to get listing of all mongo instances, the PID number, and the PID owner.
ps -ef | grep -E “mongos|mongod”

1. Create a dedicated user for performing MongoDB database activity.
2. Set the Database data files, the keyfile, and the SSL private key files to only be readable by the mongod/mongos user.
3. Set the log files to only be writable by the mongod/mongos user and readable only by root.

4.4 Ensure Federal Information Processing Standard (FIPS) is enabled
On Ubuntu: To verify that the server uses FIPS Mode (net.tls.FIPSMode value set to true), run following commands:
mongod --config /etc/mongod.conf
net: tls: FIPSMode: true
Or To verify FIPS mode is running, check the server log file for a message that FIPS is active:
FIPS 140-2 mode activated

5.1 Ensure that system activity is audited
To verify that system activity is being audited for MongoDB, run the following command to confirm the auditLog.destination value is set correctly: On Ubuntu:
cat /etc/mongod.conf |grep –A4 “auditLog” | grep “destination”

5.3 Ensure that logging captures as much information as possible
To verify that the SystemLog: quiet=false option is disabled (value of false), run the following command: On Ubuntu:
cat /etc/mongod.conf |grep “quiet”

5.4 Ensure that new entries are appended to the end of the log file
To verify that new log entries will be appended to the end of the log file after a restart (systemLog: logAppend: true value set to true), run the following command: On Ubuntu:
cat /etc/mongod.conf | grep “logAppend”

6.1 Ensure that MongoDB uses a non-default port
To verify the port number used by MongoDB, execute the following command and ensure that the port number is not 27017: On Ubuntu:
cat /etc/mongod.conf |grep “port”

6.2 Ensure that operating system resource limits are set for MongoDB
To verify the resource limits set for MongoDB, run the following commands. Extract the process ID for MongoDB:
ps -ef | grep mongod

7.1 Ensure appropriate key file permissions are set
Find the location of certificate/keyfile using the following commands: On Ubuntu:
cat /etc/mongod.conf | grep “keyFile:” cat /etc/mongod.conf | grep “PEMKeyFile:” cat /etc/mongod.conf | grep “CAFile:”

7.2 Ensure appropriate database file permissions are set.
Find out the database location using the following command: On Ubuntu:
cat /etc/mongod.conf |grep “dbpath” or cat /etc/mongod.conf | grep “dbPath”

Welcome to the MongoDB community @Raoul_Becke1 !

MongoDB Atlas follows best practices in security with preconfigured security features for authentication, authorization, encryption, and more. Atlas encrypts all cluster storage and snapshot volumes at rest by default, and dedicated instances have additional options like Encryption at Rest using Customer Key Management. There is also an independent MongoDB Atlas for Government environment which is FedRAMP ready.

Please see MongoDB Atlas Security and the MongoDB Trust Center for more details on security and privacy compliance for MongoDB Cloud Services.

Per the Trust Center:

MongoDB Atlas undergoes independent verification of platform security, privacy, and compliance controls. Our strong and growing focus on standards conformance and compliance will help you meet your regulatory and policy objectives.

Regards,
Stennie

Hi @Stennie_X, Thank you for your feedback.
But unfortunately I could not find answers to my questions above (respective the ones from the CIS Benchmark). The only indirect answer I can interprete is that regarding “4.4 Ensure Federal Information Processing Standard (FIPS) is enabled” this is not enabled on MongoDB Atlas in general but only for Government environments. Is there a way to access the MongoDB Atlas Cluster and verify the server configuration regarding the questions above?

Hi @Raoul_Becke1,

MongoDB Atlas meets higher standards of security than the CIS benchmark, including regular independent third party verification for compliance with multiple international security and privacy standards.

The MongoDB Atlas Security link shared in my earlier reply also includes a white paper on MongoDB Atlas Security Controls which goes into publicly available security details.

Quoting an earlier discussion on FIPS:

FIPS mode is only supported by MongoDB Enterprise Advanced server, which all Atlas clusters run.

I believe your other points are covered in the documentation and white paper details, but most of those are at a lower level than end users have access to. Atlas is a fully managed data service so end users do not have direct access to make changes to the MongoDB server configuration file or the backing instances for an Atlas cluster. All common features can be managed via the Atlas UI/API. You can also discuss special requests for a dedicated cluster with the Atlas support team.

Referencing your other points (please see the resource links and white paper for details):

• 2.1, 2.2: Authentication, TLS, and IP Access Lists are always enabled
• 3.3: Each cluster is deployed within a VPC configuration that allows no inbound access by details.
• 4.4: Atlas is FIPS-compatible
• 5.1: System activity is audited and there are further options for database auditing
• 5.3: Quiet logging is not enabled
• 5.4: All logs (including infrastructure, UI, mongod, …) have documented log retention policies
• 6.1: The default ports cannot be changed. There are multiple layers of security controls to limit access to a cluster.
• 6.2: Resource limits are set appropriately based on cluster tier
• 7.1/7.2: Permissions are appropriately set

The MongoDB Atlas for Government service I mentioned is specifically designed for US government needs, and verified via FedRamp (Federal Risk and Authorization Management Program). I included this for completeness, but if your questions do not relate to a US government entity, this service is not applicable.

If this information does not cover your concerns, I suggest contacting the MongoDB sales team to discuss your security and compliance requirements in more detail.

Regards,
Stennie

Hi @Stennie_X ,

Thank you for your feedback.

Regarding: MongoDB Atlas meets higher standards of security than the CIS benchmark, including regular independent third party verification for compliance with multiple international security and privacy standards .
How do you know/compare (without knowing the configuration details)? Maybe one could argument that the underlying server configuration is same for all Atlas Clusters and is believed to be secure because it has been hardened and penetration tested in different standards and certifications by independent third-parties …

Yes I’ve read the white paper (and most of the other atlas documentation) some time ago and I’ve seen the discussion on FIPS. (And yes maybe I need to contact Sales and/or Support to get exact answers respective configuration details.)

FIPS: I don’t understand why FIPS cannot be enabled respective what “FIPS Compatible” means. The only thing I found is “https://www.mongodb.com/docs/manual/tutorial/configure-fips/”: " Starting in MongoDB 5.1, instances running in FIPS mode have the SCRAM-SHA-1 authentication mechanism disabled by default." VS “BadValue: SCRAM-SHA-256 authentication is disabled”: " Currently, Atlas does not support SCRAM-SHA-256 , but does support SCRAM-SHA-1 ." …

Trying to match my questions to your answers:
2.1 Ensure Authentication is configured
2.2 Ensure that MongoDB does not bypass authentication via the localhost exception
• 2.1, 2.2: Authentication, TLS, and IP Access Lists are always enabled
I guess 2.1 is true based on the security white paper “For the MongoDB Atlas Cluster, authentication is automatically enabled by default via SCRAM to help ensure a secure system out of the box.” And I’ve seen no switch to disable authentication.
Regarding 2.2 I’m not sure when support accesses the server via SSH whether it can bypass authentication via the localhost exception

3.3 Ensure that MongoDB is run using a non-privileged, dedicated service account
• 3.3: Each cluster is deployed within a VPC configuration that allows no inbound access by details.
This does not answer the question …

5.1 Ensure that system activity is audited
• 5.1: System activity is audited and there are further options for database auditing
I guess you’ve checked in the configuration and/or in the documentation – can you maybe add the reference?

5.4 Ensure that new entries are appended to the end of the log file
• 5.4: All logs (including infrastructure, UI, mongod, …) have documented log retention policies
Do you know the log retention? I guess this indirectly answers the question i.e. you could not guarantee log retention if append to the end of log file would be set to false …

Thank you and kind regards
Raoul