Security and compliance - Getting Started with Amazon DocumentDB (with MongoDB Compatibility)

Security and compliance

With Amazon DocumentDB, best practices are the default. Authentication is always required, and encryption at rest and encryption in transit are enabled by default. Access to Amazon DocumentDB management operations, such as creating and modifying clusters and instances, is controlled with AWS IAM users, roles, and policies. Database connections are a separate plane: clients authenticate to an Amazon DocumentDB database as database users, using standard MongoDB tools and drivers, and IAM permissions on their own do not grant access to the data.

AWS IAM

Amazon DocumentDB is integrated with AWS Identity and Access Management (IAM), which lets you control the actions that your IAM users, groups, and roles can take on specific Amazon DocumentDB resources, including clusters, instances, and snapshots. You can also scope permissions to individual resources by tagging your Amazon DocumentDB resources and writing IAM policy conditions that match those tags.
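A tag-scoped policy of the kind described above, as an added example that is not from the original page: a customer managed policy, expressed as a CloudFormation resource, whose principals may modify, start, stop, or delete only clusters tagged Environment=dev. The account ID, Region, policy name, and tag values are placeholders.

```yaml
# Added example, not from the original page. Account ID, Region and tag
# values are placeholders. DocumentDB shares the rds: action namespace and
# ARN format, and rds:cluster-tag/<key> matches tags on the target cluster.
Resources:
  DocDbDevOperatorPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: DocumentDBDevOperator
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Describe* calls cannot be scoped to a resource or a tag; they
          # need Resource "*" or the console and CLI cannot list anything.
          - Sid: ReadOnlyInventory
            Effect: Allow
            Action:
              - rds:DescribeDBClusters
              - rds:DescribeDBInstances
              - rds:DescribeDBClusterParameterGroups
              - rds:ListTagsForResource
            Resource: "*"
          # Mutating cluster calls are limited to clusters carrying the tag.
          - Sid: ManageDevClustersOnly
            Effect: Allow
            Action:
              - rds:ModifyDBCluster
              - rds:StartDBCluster
              - rds:StopDBCluster
              - rds:DeleteDBCluster
            Resource: arn:aws:rds:us-east-1:123456789012:cluster:*
            Condition:
              StringEquals:
                rds:cluster-tag/Environment: dev
          # Nobody holding this policy may retag a cluster into or out of
          # scope; otherwise the tag condition above is only advisory.
          - Sid: NoRetagging
            Effect: Deny
            Action:
              - rds:AddTagsToResource
              - rds:RemoveTagsFromResource
            Resource: "*"
```

Two caveats a reviewer should check: instance-level actions (for example rds:RebootDBInstance) are matched with rds:db-tag/<key> rather than rds:cluster-tag/<key>, so a condition on the wrong key silently denies the call; and a tag-based boundary is only as strong as the control over who can add or remove the tags, which is why the policy denies the tagging actions to its own principals.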

Network security

Amazon DocumentDB clusters are VPC-only and are created directly in your VPC; they have no public endpoint, so a client must be inside the VPC or reach it through a VPN, AWS Direct Connect, VPC peering, or a bastion host. Amazon VPC lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define. Amazon VPC enables you to isolate your cluster in your own virtual network and connect it to your on-premises IT infrastructure using industry-standard encrypted IPsec VPNs.

You can also use AWS Direct Connect to create a dedicated, private network connection between your on-premises network and Amazon VPC. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use multiple layers of security, including security groups and network access control lists (ACLs), to help control access in each subnet. This approach gives you complete control over who can reach your Amazon DocumentDB database at the network level.

Encryption

Amazon DocumentDB supports TLS to encrypt connections from applications, securing data in transit; whether the cluster requires TLS is governed by the tls cluster parameter. Amazon DocumentDB also supports encryption of data at rest using AES-256. Encryption is applied cluster-wide: the cluster data, indexes, snapshots, logs, and automated backups are all encrypted. Encryption at rest is chosen when the cluster is created and cannot be turned on or off for an existing cluster, so decide it up front. For data stored at rest, encryption keys are managed by AWS Key Management Service (AWS KMS), which is a highly available, durable, and secure solution for managing sensitive encryption keys. With AWS KMS, you can use the AWS managed key for Amazon DocumentDB, create your own customer managed key, or import existing key material.

User management

You can connect to Amazon DocumentDB using standard MongoDB tools and drivers. Amazon DocumentDB supports authentication using the Salted Challenge Response Authentication Mechanism (SCRAM), which is the default authentication mechanism in MongoDB.

When you create an Amazon DocumentDB cluster, you specify a primary user. The primary user has administrative permissions for the cluster and should be reserved for administration rather than used by applications. You can connect as the primary user and create up to 1,000 users per cluster using db.createUser. Additionally, Amazon DocumentDB supports role-based access control (RBAC), which lets you create users and attach built-in roles that restrict the operations each user is authorized to perform. Common scenarios for RBAC are enforcing least privilege, such as a read-only role for reporting, and building a multi-tenant application where each tenant's user is restricted to a single database in the cluster.
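The two RBAC scenarios above, as an added example that is not from the original page: a mongosh script that builds one readWrite user per tenant database and one read-only reporting user from the built-in roles, and refuses to create any user that would receive a cluster-wide or administrative role. Tenant ids, database names, and the environment variables holding the passwords are assumptions for illustration.

```javascript
// Added example, not from the original page. Tenant ids, database names and
// the password environment variables are assumptions for illustration.
//
// Loaded by mongosh as the primary user over TLS, it creates the users:
//   mongosh --tls --tlsCAFile global-bundle.pem --host <cluster-endpoint>:27017 \
//     -u <primary-user> -p --file rbac.js
// Under plain node it only builds and checks the createUser command documents.

// Roles that reach beyond one database, or that administer users, indexes
// or the cluster. A tenant or reporting user must never receive one.
const PRIVILEGED_ROLES = new Set([
  "root", "clusterAdmin", "clusterManager", "clusterMonitor", "hostManager",
  "backup", "restore", "readAnyDatabase", "readWriteAnyDatabase",
  "dbAdminAnyDatabase", "userAdminAnyDatabase", "dbOwner", "dbAdmin", "userAdmin",
]);

// One database per tenant, one user per tenant, one role: readWrite on that
// database. A leaked tenant credential cannot read another tenant's data.
function tenantUserSpec(tenant, password) {
  if (!/^[a-z0-9]{3,32}$/.test(tenant)) throw new Error(`invalid tenant id: ${tenant}`);
  if (!password) throw new Error(`no password supplied for tenant ${tenant}`);
  return {
    createUser: `app_${tenant}`,
    pwd: password,
    roles: [{ role: "readWrite", db: `tenant_${tenant}` }],
  };
}

// A reporting user: read only, and only on the databases listed.
function readOnlyUserSpec(username, password, databases) {
  if (!password) throw new Error(`no password supplied for ${username}`);
  return {
    createUser: username,
    pwd: password,
    roles: databases.map((db) => ({ role: "read", db })),
  };
}

// Guardrail: true only if every role is an ordinary, database-scoped role
// on a database other than admin.
function isLeastPrivilege(spec) {
  return spec.roles.length > 0 &&
    spec.roles.every((r) => !PRIVILEGED_ROLES.has(r.role) && r.db !== "admin");
}

// Runs createUser for each spec against the admin database (where
// DocumentDB users authenticate), refusing any spec that fails the
// guardrail. Returns the names of the users created.
function createUsers(specs, adminDb) {
  const created = [];
  for (const spec of specs) {
    if (!isLeastPrivilege(spec)) {
      throw new Error(`refusing to create over-privileged user ${spec.createUser}`);
    }
    adminDb.runCommand(spec);
    created.push(spec.createUser);
  }
  return created;
}

// Only talk to a cluster when loaded by mongosh, where `db` is defined.
// Passwords come from the environment so that none sits in the script.
if (typeof db !== "undefined") {
  createUsers(
    [
      tenantUserSpec("acme", process.env.ACME_APP_PASSWORD),
      tenantUserSpec("globex", process.env.GLOBEX_APP_PASSWORD),
      readOnlyUserSpec("analyst_ro", process.env.ANALYST_PASSWORD,
        ["tenant_acme", "tenant_globex"]),
    ],
    db.getSiblingDB("admin"),
  );
}
```

The roles a tenant user holds are what isolates tenants: the driver's connection string still names the cluster, but a user whose only role is readWrite on tenant_acme is refused on any other database. The guardrail is deliberately a denylist of the roles that cross database boundaries, so that adding a new tenant database needs no change to it.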

Auditing events

Amazon DocumentDB supports auditing of the operations performed on your cluster. Once auditing is enabled, Amazon DocumentDB tracks authentication, Data Definition Language (DDL), and user management events. For example, with the auditing feature, you can track failed login attempts, or DDL operations such as the creation of collections or indexes. Audit records are exported as JSON documents to Amazon CloudWatch Logs for you to analyze and monitor. Auditing is off by default, and records are delivered only when both settings are in place: the audit_logs cluster parameter must be enabled and the cluster must export audit logs to CloudWatch Logs.
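The network placement, encryption, and auditing settings described in the Network security, Encryption, and Auditing events sections above, combined in one CloudFormation template as an added example that is not from the original page. It assumes an existing VPC with private subnets, an application-tier security group, and a KMS key, all supplied as parameters; resource names, the instance class, and the tag values are placeholders.

```yaml
# Added example, not from the original page. Assumes an existing VPC, two or
# more private subnets, an application-tier security group and a KMS key,
# all supplied as parameters; the primary user's password is generated in
# Secrets Manager rather than written into the template.
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }
  PrivateSubnetIds: { Type: List<AWS::EC2::Subnet::Id> }
  AppSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
  KmsKeyArn: { Type: String }

Resources:
  # Network: only members of the application security group may reach
  # port 27017. No CIDR rule, so nothing else in or outside the VPC connects.
  DocDbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: DocumentDB ingress from the application tier only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 27017
          ToPort: 27017
          SourceSecurityGroupId: !Ref AppSecurityGroupId

  DocDbSubnetGroup:
    Type: AWS::DocDB::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Private subnets for DocumentDB
      SubnetIds: !Ref PrivateSubnetIds

  # Encryption in transit and auditing are cluster parameters: tls=enabled
  # rejects plaintext connections, audit_logs=enabled records authentication,
  # DDL and user-management events.
  DocDbParameterGroup:
    Type: AWS::DocDB::DBClusterParameterGroup
    Properties:
      Description: TLS required, audit logging on
      Family: docdb5.0
      Parameters:
        tls: enabled
        audit_logs: enabled

  DocDbPrimarySecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString:
        SecretStringTemplate: '{"username": "docdbadmin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/'

  DocDbCluster:
    Type: AWS::DocDB::DBCluster
    Properties:
      DBClusterParameterGroupName: !Ref DocDbParameterGroup
      DBSubnetGroupName: !Ref DocDbSubnetGroup
      VpcSecurityGroupIds:
        - !Ref DocDbSecurityGroup
      # Encryption at rest with a customer managed KMS key. This is fixed at
      # creation; it cannot be switched on for an existing cluster.
      StorageEncrypted: true
      KmsKeyId: !Ref KmsKeyArn
      MasterUsername: !Sub '{{resolve:secretsmanager:${DocDbPrimarySecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DocDbPrimarySecret}:SecretString:password}}'
      # Audit records only reach CloudWatch Logs when the export is enabled
      # here as well as the audit_logs parameter above.
      EnableCloudwatchLogsExports:
        - audit
      DeletionProtection: true
      Tags:
        - Key: Environment
          Value: dev

  DocDbInstance:
    Type: AWS::DocDB::DBInstance
    Properties:
      DBClusterIdentifier: !Ref DocDbCluster
      DBInstanceClass: db.t3.medium
```

Clients must also trust the Amazon RDS certificate authority, for example by downloading https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem and passing it as the CA file to the driver or to mongosh; with tls set to enabled, a connection attempted without TLS is rejected. Changing the tls parameter on an existing cluster takes effect only after its instances are rebooted, so verify the parameter group is attached and applied before treating the cluster as TLS-only.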

Compliance

Amazon DocumentDB is designed to meet the highest security standards and to make it easy for you to verify its security and meet your own regulatory and compliance obligations. Amazon DocumentDB has been assessed to comply with PCI DSS, ISO 9001, 27001, 27017, and 27018, and System and Organization Controls (SOC) 1, 2, and 3, in addition to being HIPAA eligible.