Security - MongoDB on AWS


The AWS Cloud provides a scalable, highly reliable platform that enables customers to deploy applications and data quickly and securely.

When you build systems on the AWS infrastructure, security responsibilities are shared between you and AWS. This shared model can reduce your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. In turn, you assume responsibility and management of the guest operating system (including updates and security patches), other associated applications, as well as the configuration of the AWS-provided security group firewall. For more information about security on AWS, visit the AWS Security Center.

AWS Identity and Access Management (IAM)

This solution uses an IAM role with least-privilege access. Because the instances obtain their permissions from that role, it is neither necessary nor recommended to store SSH keys, secret keys, or access keys on the provisioned instances.

OS Security

The root user on cluster nodes can be accessed only with the SSH key pair specified during deployment. AWS does not store the private key, so if you lose it you lose access to these instances.

Operating system patches are your responsibility and should be performed on a periodic basis.

Network Security

The default network security setup of this solution follows AWS security best practices. The provisioned MongoDB instances are deployed in private subnets and can be accessed in three ways:

  • By connecting through the bastion host instance over SSH.

  • From AWS resources (such as Amazon EC2 instances) that are members of the MongoDBServerAccessSecurityGroup security group, whether already running or launched later with that security group. You can place your application instances in this security group.

  • By adding rules to MongoDBServerSecurityGroup that allow access to your database from a known CIDR block. For example, you might add an inbound rule so that the VLAN in your data center can connect through a VPN or AWS Direct Connect.

Figure 8: Adding inbound rules to your security group

Security Groups

A security group acts as a firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time. The new rules are automatically applied to all instances that are associated with the security group.

This Quick Start creates three security groups:

  • MongoDBServerSecurityGroup is used to grant the bastion hosts access to port 22 of the MongoDB instances.

  • MongoDBServersSecurityGroup is used for communication between MongoDB instances (the primary and the replica set members) on the database and SSH ports.

  • MongoDBServerAccessSecurityGroup gives EC2 instances access to your database on the port you set up for database listeners.

After the Quick Start deployment, you are responsible for maintaining these security groups, including adding or removing rules.
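Because you own these rules after deployment, it is worth auditing them periodically against the design described above (port 22 only from the bastion's security group, the database port only from the access security group or a known CIDR block). The following is an added example, not Quick Start code: an offline audit over security group descriptions in the same dict shape that boto3's `ec2.describe_security_groups()` returns. The sample groups, their `sg-PLACEHOLDER-*` IDs, the RFC 5737 test address ranges and the default database port of 27017 are all constructed assumptions; pass the listener port you actually configured.

```python
"""Offline audit of inbound rules on security groups shaped like the ones
this Quick Start creates.  Added example; not Quick Start code.

The input mirrors the dict structure boto3's ec2.describe_security_groups()
returns (IpPermissions, IpRanges, Ipv6Ranges, UserIdGroupPairs), so the same
functions can be pointed at live output, but the sample below is constructed
inline so the script runs without AWS credentials."""
import ipaddress


def covers_port(perm, port):
    """True if a permission entry's protocol and port range include `port`.
    IpProtocol '-1' is the AWS value for 'all protocols, all ports'."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):  # MongoDB and SSH are TCP only
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_group(group, db_port=27017, ssh_port=22):
    """Return findings for one group as (group name, port, message) tuples.

    db_port defaults to MongoDB's standard 27017 (an assumption: the Quick
    Start lets you choose the listener port, so pass the one you configured).
    Two things are flagged: a CIDR source covering the whole internet on the
    SSH or database port, and SSH granted to any CIDR, since the documented
    design grants port 22 only to the bastion's security group (a
    UserIdGroupPairs entry, not an IpRanges entry)."""
    name = group.get("GroupName", group.get("GroupId", "?"))
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for port in (ssh_port, db_port):
            if not covers_port(perm, port):
                continue
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    findings.append((name, port, f"open to the world via {cidr}"))
                elif port == ssh_port:
                    findings.append((name, port,
                                     f"SSH from CIDR {cidr}; expected bastion security group only"))
    return findings


def audit_all(groups, **kw):
    """Run audit_group over every group and concatenate the findings."""
    out = []
    for g in groups:
        out.extend(audit_group(g, **kw))
    return out


# Constructed sample mirroring the three groups the Quick Start creates.
# Group IDs are placeholders, not real identifiers.
SAMPLE_GROUPS = [
    {"GroupName": "MongoDBServerSecurityGroup", "GroupId": "sg-PLACEHOLDER-server",
     "IpPermissions": [
         # As deployed: port 22 only from the bastion host's security group.
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
          "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-PLACEHOLDER-bastion"}]},
         # As deployed: database port from the access group your app instances join.
         {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017, "IpRanges": [],
          "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-PLACEHOLDER-access"}]},
         # Added later, as the page suggests: a known data-center block (RFC 5737 test range).
         {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         # Misconfiguration to catch: database port opened to the whole internet.
         {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
          "UserIdGroupPairs": []},
     ]},
    {"GroupName": "MongoDBServersSecurityGroup", "GroupId": "sg-PLACEHOLDER-servers",
     "IpPermissions": [
         # Replica set members reach each other on the database and SSH ports only.
         {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017, "IpRanges": [],
          "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-PLACEHOLDER-servers"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
          "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-PLACEHOLDER-servers"}]},
     ]},
    # The access group holds no inbound rules itself; it is referenced as a source above.
    {"GroupName": "MongoDBServerAccessSecurityGroup", "GroupId": "sg-PLACEHOLDER-access",
     "IpPermissions": []},
]

if __name__ == "__main__":
    for name, port, msg in audit_all(SAMPLE_GROUPS):
        print(f"{name}: port {port}: {msg}")
```

Run against the sample, the audit reports only the two world-open sources (IPv4 and IPv6) on the database port; the rule from the known CIDR block and the security-group-to-security-group rules are accepted, which is the shape the Quick Start documents.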

Database Security

The solution creates a root user with the administrator user name you specify (by default, “admin”) and an administrator password; access control is enabled, so unauthenticated database access is not permitted. In addition, internal keyfile authentication is configured between the replica set members.
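Keyfile authentication depends on every replica set member holding the same secret and on that file being readable only by the mongod service user; the following added example (not Quick Start code) generates a keyfile the way MongoDB's own documentation recommends (the base64 encoding of 756 random bytes), checks an existing keyfile against the documented rules (6 to 1024 base64 characters, no group or other permission bits), and emits the matching `security` section for mongod.conf. The file paths and the replica set name `rs0` are placeholders.

```python
"""Generate and validate the keyfile behind MongoDB's internal (keyfile)
authentication, and emit the matching mongod.conf security section.
Added example; not Quick Start code.

Assumptions: paths and the replica set name are placeholders. The keyfile
rules applied here (6..1024 base64 characters, no group/other permission
bits) are MongoDB's documented requirements."""
import base64
import os
import secrets
import stat
import tempfile

KEYFILE_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def make_keyfile_content(n_random_bytes=756):
    """756 random bytes base64-encode to 1008 characters, the same length
    `openssl rand -base64 756` (MongoDB's documented recipe) produces."""
    return base64.b64encode(secrets.token_bytes(n_random_bytes)).decode("ascii")


def validate_keyfile_content(content):
    """Return problems with keyfile text; an empty list means it is acceptable.
    mongod ignores whitespace in the file, so it is stripped before checking."""
    body = "".join(content.split())
    problems = []
    if not 6 <= len(body) <= 1024:
        problems.append(f"length {len(body)} outside 6..1024")
    bad = sorted(set(body) - KEYFILE_ALPHABET)
    if bad:
        problems.append(f"non-base64 characters: {bad!r}")
    return problems


def write_keyfile(path, content):
    """Create the file with mode 0400 so only the owner (the mongod service
    user) can read it; O_EXCL refuses to overwrite an existing keyfile."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as f:
        f.write(content + "\n")
    os.chmod(path, 0o400)  # the process umask may have altered the create mode


def check_keyfile(path):
    """Problems with an on-disk keyfile: the content rules plus group/other
    permission bits, which mongod refuses to start with (POSIX only)."""
    problems = []
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"permissions {mode:04o} grant group/other access; use 0400 or 0600")
    with open(path) as f:
        problems += validate_keyfile_content(f.read())
    return problems


def mongod_security_config(keyfile_path, repl_set_name):
    """YAML fragment for mongod.conf: enables role-based access control (so
    the admin user and password the Quick Start creates are required) and
    keyfile authentication between replica set members."""
    return (
        "security:\n"
        "  authorization: enabled\n"
        f"  keyFile: {keyfile_path}\n"
        "replication:\n"
        f"  replSetName: {repl_set_name}\n"
    )


def demo(directory=None):
    """Create a keyfile in a scratch directory and return (path, problems, config)."""
    directory = directory or tempfile.mkdtemp(prefix="mongo-keyfile-")
    path = os.path.join(directory, "mongodb-keyfile")  # placeholder location
    write_keyfile(path, make_keyfile_content())
    return path, check_keyfile(path), mongod_security_config(path, "rs0")  # rs0: placeholder name


if __name__ == "__main__":
    path, problems, config = demo()
    print(f"keyfile: {path}\nproblems: {problems or 'none'}\n{config}")
```

The same keyfile must be copied to every member of the replica set with the same ownership and permissions; `check_keyfile` is the test to run on each host before restarting mongod, since a group- or world-readable keyfile will stop the service from starting.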