SOC 2 Controls for MongoDB: Security Configuration for Audit-Ready Deployments

SOC 2 scope for MongoDB

MongoDB is popular for document storage in SaaS products, particularly for flexible schema use cases. SOC 2 auditors apply the same CC6 (logical access), CC7 (monitoring), and A1 (availability) criteria to MongoDB as to any other data store.

Common MongoDB audit findings: authentication disabled (the historic default in older MongoDB versions), overly permissive roles (using the built-in readWriteAnyDatabase role for application users), no audit log, and backups untested.

MongoDB Atlas simplifies compliance by providing managed encryption, built-in audit logging, and automated backups. Self-hosted MongoDB requires explicit configuration for each control. This guide covers both.

Authentication and access control

Enable authentication: in mongod.conf set `security.authorization: enabled`. Create the admin user first, then create per-database service users. Use built-in roles at the minimum required level: `readWrite` on the specific database, never `readWriteAnyDatabase` or `dbAdminAnyDatabase` for application accounts.

For Atlas: create database users in the Atlas console under Security > Database Access. Use Atlas-managed passwords or AWS IAM authentication for EC2-hosted services. Rotate database passwords every 90 days or use IAM auth to eliminate password rotation entirely.

Document each database user, their role, and the service that uses them in your access control register. Review the register quarterly. Run `db.getUsers()` on each database and compare against the register as part of your periodic access review (CC6.2, CC6.3).

Audit logging configuration

For self-hosted MongoDB Enterprise: configure audit in mongod.conf: `auditLog.destination: file, auditLog.format: JSON, auditLog.path: /var/log/mongodb/audit.json`. Set `auditLog.filter` to capture authenticate, createCollection, dropCollection, createIndex, and find operations.

For MongoDB Atlas: enable Database Auditing in Atlas under Security > Auditing. Select audit actions: Authentication, DDL, DML (reads + writes), and Role management. Atlas writes audit logs to your Atlas project and allows export to AWS S3 or direct streaming to a SIEM.

Retain audit logs for 12 months minimum. In Atlas, configure Atlas Archive or export logs to S3 with lifecycle policies for 12-month retention. Test log retrieval quarterly by pulling a sample audit record for a known operation.

Encryption at rest and field-level encryption

Enable encrypted storage engine in MongoDB Enterprise: `security.enableEncryption: true` with a KMIP-compatible key management service (HashiCorp Vault, AWS KMS). For Atlas, storage encryption is enabled by default using cloud provider KMS.

For PII fields (SSNs, health data, payment info), use MongoDB Client-Side Field Level Encryption (CSFLE) or Queryable Encryption (MongoDB 7.0+). CSFLE encrypts fields on the client before sending to MongoDB — the database never sees plaintext. Configure with a KMS provider (AWS KMS, GCP KMS, Azure Key Vault) and a local schema map.

Document your encryption layers: infrastructure encryption (Atlas default or Enterprise storage engine) covers all data at rest. CSFLE covers specific high-sensitivity fields. This satisfies CC6.1 for data protection and supports PCI DSS or HIPAA requirements if applicable.

Network isolation and IP allowlisting

In Atlas, configure an IP Access List under Security > Network Access to allow only your application servers and VPN exit IPs. Never add 0.0.0.0/0 (allow from anywhere) to production clusters. Use Atlas Network Peering or Private Endpoints (AWS PrivateLink) to route traffic over private networks.

For self-hosted MongoDB, bind to internal IPs only: `net.bindIp: 127.0.0.1,10.0.1.5` (localhost + internal IP). Configure security groups or iptables to block port 27017 from all sources except application subnets. Never expose MongoDB to a public IP.

Run a quarterly port scan against your MongoDB cluster from an external IP to verify port 27017 is not reachable. Use nmap: `nmap -p 27017 <cluster-ip>`. A closed or filtered result confirms correct network isolation. Save the scan output as network security evidence (CC6.6).

Backup and availability controls

Atlas provides continuous cloud backups with point-in-time restore. Configure backup retention to at least 35 days. Enable a daily backup snapshot schedule and verify the snapshot exists in Atlas Backup. For critical data, enable cross-region backup replication for disaster recovery.

Test restoration quarterly: select a recent snapshot, restore to a test cluster, verify document count matches production, and query a sample of records. Document the test: snapshot ID, restore time, record count comparison, and tester name. This satisfies A1.2 (availability commitment) and A1.3 (backup restore testing).

Define and document your RPO (Recovery Point Objective) and RTO (Recovery Time Objective) for MongoDB. With continuous backups, RPO is typically under 5 minutes. Test your RTO by measuring actual restore time during quarterly tests.

MongoDB SOC 2 checklist

Before your audit: (1) Authentication enabled — no unauthenticated connections. (2) Per-service database users with minimum required roles. (3) Audit logging enabled for auth, DDL, and DML events. (4) Audit logs shipped to SIEM or S3 with 12-month retention. (5) Storage encryption enabled. (6) CSFLE or Queryable Encryption for PII fields. (7) IP Access List or private endpoints — no public exposure. (8) Daily backups verified, restoration tested quarterly with documented results.

Evidence to collect: Atlas Audit Log export (sample), Atlas Backup snapshot list, Atlas Network Access IP list screenshot, database user list from `db.getUsers()`, and Atlas encryption-at-rest status screenshot.