Hi @Raoul_Becke1,
MongoDB Atlas meets higher standards of security than the CIS benchmark, including regular independent third party verification for compliance with multiple international security and privacy standards.
The MongoDB Atlas Security link shared in my earlier reply also includes a white paper on MongoDB Atlas Security Controls which goes into publicly available security details.
Quoting an earlier discussion on FIPS:
FIPS mode is only supported by MongoDB Enterprise Advanced server, which all Atlas clusters run.
I believe your other points are covered in the documentation and white paper details, but most of those are at a lower level than end users have access to. Atlas is a fully managed data service so end users do not have direct access to make changes to the MongoDB server configuration file or the backing instances for an Atlas cluster. All common features can be managed via the Atlas UI/API. You can also discuss special requests for a dedicated cluster with the Atlas support team.
Referencing your other points (please see the resource links and white paper for details):
- 2.1, 2.2: Authentication, TLS, and IP Access Lists are always enabled
- 3.3: Each cluster is deployed within a VPC configuration that allows no inbound access by default.
- 4.4: Atlas is FIPS-compatible
- 5.1: System activity is audited and there are further options for database auditing
- 5.3: Quiet logging is not enabled
- 5.4: All logs (including infrastructure, UI, mongod, …) have documented log retention policies
- 6.1: The default ports cannot be changed. There are multiple layers of security controls to limit access to a cluster.
- 6.2: Resource limits are set appropriately based on cluster tier
- 7.1/7.2: Permissions are appropriately set
The MongoDB Atlas for Government service I mentioned is specifically designed for US government needs, and verified via FedRAMP (Federal Risk and Authorization Management Program). I included this for completeness, but if your questions do not relate to a US government entity, this service is not applicable.
If this information does not cover your concerns, I suggest contacting the MongoDB sales team to discuss your security and compliance requirements in more detail.
Regards,
Stennie