Security

Security Checklist

  • Authentication & Authorization (MD)

  • Configuring TLS/SSL; what is SSL/TLS?

  • Transport encryption

  • Encrypting DB data (manually) or the entire storage volume (Enterprise)

  • Auditing (Enterprise)

  • Server, Network config & setup

  • Backups & software updates (conditional query backups, password protected). Keep a separate database and collection that records stats for each backup operation (time taken, start and completion timestamps); send mail alerts on failure.

  • Network security

    • Network filter (firewalls & routers should limit both incoming and outgoing traffic on specific ports to trusted systems and away from untrusted ones)
    • Running in VPNs (separate network access for DB servers)
    • Dedicated OS user account (a user account dedicated to MongoDB should be created and used to run the MongoDB executables; MongoDB should not run as the “root” user)
    • File system permissions (MongoDB configuration files and data should be protected to disallow access by unauthorized users)
    • Matching IP addresses or CIDR ranges should be explicitly added to the MongoDB configuration.

  • Internal Authentication should be configured between nodes within a replica set and sharded clusters. This prevents unauthorized instances from joining a database cluster, preventing the illicit copying or movement of data to insecure nodes.

  • Applying the latest patches to database

  • Leverage secret managers. Storing passwords in configuration files complicates auditing and increases risk for system compromise.

  • MongoDB also allows the administrator to configure the server to prevent the execution of JavaScript. This will prevent MapReduce jobs from running, but the aggregation pipeline can be used as an alternative in many use cases.

  • mongostat and mongotop can be used to monitor the database (Enterprise users can use Ops Manager).

  • Timely backups, with replicas on other machines

  • Keep an audit trail for update operations on important tables, and grant only view permissions on the trail tables

  • https://docs.mongodb.com/manual/security/
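As an added example (not from the page or from MongoDB's own tooling), the script below audits a mongod.conf against the checklist items above: explicit bindIp, authorization enabled, TLS required, internal authentication configured, and server-side JavaScript disabled. Both config files are constructed samples; the parser only handles the simple nested "key: value" form mongod.conf uses, and the defaults it assumes for unset options are mongod's documented defaults.

```python
# Constructed sample: a permissive config (every interface, no auth, no TLS).
WEAK_CONF = """\
net:
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed sample: the same server after applying the checklist.
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,10.0.0.5      # explicit addresses only
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
  keyFile: /etc/mongodb/keyfile   # internal auth between replica-set members
  javascriptEnabled: false
"""

def parse_conf(text):
    """Parse mongod.conf's 'key: value' subset into a flat {'a.b': 'v'} dict."""
    conf, path = {}, []                      # path holds (indent, key) pairs
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and blank lines
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:  # climb back out of deeper sections
            path.pop()
        path.append((indent, key))
        if value.strip():
            conf[".".join(k for _, k in path)] = value.strip()
    return conf

def audit(conf):
    """Return the checklist items a parsed config fails; [] means it passes."""
    findings = []
    if {"0.0.0.0", "::"} & set(conf.get("net.bindIp", "127.0.0.1").split(",")):
        findings.append("net.bindIp: listens on all interfaces; list explicit IPs")
    if conf.get("security.authorization", "disabled") != "enabled":
        findings.append("security.authorization: access control is not enabled")
    if conf.get("net.tls.mode", "disabled") != "requireTLS":
        findings.append("net.tls.mode: transport encryption is not required")
    if "security.keyFile" not in conf and "security.clusterAuthMode" not in conf:
        findings.append("security: no internal authentication between cluster members")
    if conf.get("security.javascriptEnabled", "true") != "false":
        findings.append("security.javascriptEnabled: server-side JavaScript is on")
    return findings
```

Run `audit(parse_conf(open("/etc/mongod.conf").read()))` against a real file to get the list of failed items; the weak sample above fails all five checks and the hardened one passes.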