How to Secure Mongo DB on AWS in 3 steps

Mongo is among the most popular NoSQL databases today. You can easily set it up and get started.  Unfortunately, a lot of the mongo implementations are not secure and can be hacked very easily. Data is the new oil and as Yoda would have said, “Protect it, you should”. In this blog we will first explain how these databases were hacked and then detail 3 must-dos to secure your database and protect your data.

Security Loopholes with Mongo Installations

Mongo is a very advanced database. It is scalable, fast, easy to deploy and secure.  A classic method to hack relational databases was SQL injection.  Since SQL injection is not possible on Mongo, a lot of engineers have naively assumed that it is automatically more secure. Yes, you can spin a mongo db within no time.

However, the default installation has several loopholes that makes it very easily hackable. By default, mongo DB does not need password authentication. Setting up passwords is an additional step, and a lazy implementer may choose to not do it. By default mongo runs on port 27017. Hackers know this and will attempt to attack that port. The engineer may make the DB accessible for the application servers and inadvertently make it accessible on the Internet. The database is also kept accessible from the internet. The appropriate analogy is leaving your front door unlocked and advertising your address on Facebook.

It is very easy to secure your Mongo installation. Here we will discuss 3 steps to secure your database:

Step 1. Password Authentication

You cannot permit unauthenticated databases. All database access must require password authentication. More advanced production setups, should consider multiple access roles. This page explains authentication in sufficient detail.

Step 2. Change the default Ports

The database is accessible on port 27017 by default. You can easily change the default port. If you are running mongo from the command line use the –port option to choose a different port. If you run it as a service, change the port in the conf file.

Step 3. Use a VPC

If you are using a cloud service like AWS, put your database in the VPC without an external IP address. This will ensure only the applications hosted within the VPC can access your database. The database is invisible from outside,  and therefore unlikely to be attacked. The figure below is a simple representation, where the database does not have an external IP address. Only the application servers have external IP address and they interact with the database using its private IP address. The illustration below, shows only one DB machine. In a sharded DB, all shards, conf servers, mongos can be on servers without external IP addresses.

Mongo DB secured in a VPC
Mongo DB secured in a VPC
Further Steps

You can add more layers of security by enabling SSL, and encrypting your data. We will not cover that in  this blog.

REFERENCE
  1. DBs hacked by ransomware
  2. Installation page
  3. SQL Injection explained