ApsaraDB for MongoDB provides comprehensive security protection to eliminate your data security concerns. You can secure the data in your ApsaraDB for MongoDB instance by using zone-disaster recovery, Resource Access Management (RAM) authorization, audit logs, network isolation, IP address whitelists, and password authentication.

Zone-disaster recovery

ApsaraDB for MongoDB provides a zone-disaster recovery solution to achieve high reliability and high data security. This solution allows you to deploy the nodes of a replica set instance or sharded cluster instance in three different zones of the same region. If one of the three zones is disconnected due to force majeure factors such as blackouts and network faults, ApsaraDB for MongoDB automatically triggers a failover to ensure service availability and data security.

You can select multiple zones when you create an ApsaraDB for MongoDB instance. For more information, see Create a multi-zone replica set instance or Create a multi-zone sharded cluster instance. You can also migrate an existing replica set instance or sharded cluster instance to multiple zones. For more information, see Migrate an ApsaraDB for MongoDB instance across zones in the same region.
Note: You can migrate an ApsaraDB for MongoDB instance across zones only when the instance is a replica set instance or sharded cluster instance that runs MongoDB 4.2 or earlier and transparent data encryption (TDE) is not enabled for the instance.

Access control

  • Authorize RAM users to manage specific ApsaraDB for MongoDB instances.

    You can use RAM to create and manage RAM users. You can also use RAM to control the permissions of the created RAM users on the resources that are available within your Alibaba Cloud account. If multiple users in your enterprise need to use the same resources at the same time, you can use RAM to grant each user only the minimum permissions required. This way, users do not need to share the same key, which reduces the information security risks for your enterprise.

    For more information, see How to configure RAM user permissions on ApsaraDB for MongoDB.

  • Create accounts on an ApsaraDB for MongoDB instance and grant permissions to the accounts.

    In a production environment, do not connect to an ApsaraDB for MongoDB instance by using the credentials of the root account. You can create accounts on the instance and grant permissions to the created accounts.

    For more information, see Manage user permissions on MongoDB databases.

Network isolation

  • Deploy ApsaraDB for MongoDB instances in virtual private clouds (VPCs).

    ApsaraDB for MongoDB supports various networks. We recommend that you deploy ApsaraDB for MongoDB instances in VPCs.

    A VPC is an isolated virtual network that provides higher security and higher performance than the classic network. Before you deploy ApsaraDB for MongoDB instances in VPCs, you must create VPCs. For more information, see Default VPC and default vSwitch.

    If an ApsaraDB for MongoDB instance is deployed in the classic network, you can migrate the instance to a VPC. For more information, see Switch the network type of an ApsaraDB for MongoDB instance. If an ApsaraDB for MongoDB instance is deployed in a VPC, no further action is required.

    Note: ApsaraDB for MongoDB supports password-free access over VPCs. VPCs provide a convenient, secure method to connect to ApsaraDB for MongoDB instances. For more information, see Enable or disable password-free access for an ApsaraDB for MongoDB instance.
  • Configure IP address whitelists.

    After an ApsaraDB for MongoDB instance is created, a default IP address whitelist is created. The default IP address whitelist contains only the 127.0.0.1 IP address. Before you can connect to the ApsaraDB for MongoDB instance, you must manually configure the IP address whitelist.

    For more information, see Configure a whitelist or an ECS security group for an ApsaraDB for MongoDB instance.

    Note:
    • Do not add the 0.0.0.0/0 entry to an IP address whitelist. The 0.0.0.0/0 entry indicates that the ApsaraDB for MongoDB instance can be accessed from all IP addresses.
    • We recommend that you configure IP address whitelists based on your business requirements and update the configured IP address whitelists on a regular basis. After you confirm that an IP address no longer requires access to the ApsaraDB for MongoDB instance, we recommend that you immediately delete the IP address.
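
The whitelist guidance above can be checked mechanically during a periodic review. The following Python sketch is an added example, not Alibaba Cloud code: it takes whitelist entries as plain strings and flags the 0.0.0.0/0 entry, the default 127.0.0.1 entry, overly wide ranges, and entries that are no longer in an approved inventory. The 256-address threshold, the approved inventory, the finding labels, and the sample data are assumptions made for illustration.

```python
import ipaddress

# Assumed review threshold: any entry covering more than 256 addresses is flagged.
MAX_ADDRESSES = 256


def audit_whitelist(entries, approved):
    """Return (entry, finding) tuples for whitelist entries that need review.

    entries  -- whitelist strings copied from the instance (IPs or CIDR blocks)
    approved -- networks that still require access (hypothetical inventory)
    """
    approved_nets = [ipaddress.ip_network(a, strict=False) for a in approved]
    findings = []
    for raw in entries:
        entry = raw.strip()
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "invalid"))
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0 (or ::/0): reachable from all IP addresses.
            findings.append((entry, "open-to-all"))
        elif net.is_loopback:
            # Default 127.0.0.1 entry: no client can connect through it.
            findings.append((entry, "loopback-default"))
        elif net.num_addresses > MAX_ADDRESSES:
            findings.append((entry, "broad-range"))
        elif not any(net.version == a.version and net.subnet_of(a)
                     for a in approved_nets):
            # Candidate for deletion: nothing in the inventory needs it.
            findings.append((entry, "not-in-approved-inventory"))
    return findings


# Constructed sample data (documentation and private address ranges).
SAMPLE_WHITELIST = ["127.0.0.1", "0.0.0.0/0", "10.0.0.0/8",
                    "192.0.2.10", "198.51.100.7", "not-an-ip"]
SAMPLE_APPROVED = ["192.0.2.0/24"]

if __name__ == "__main__":
    for entry, finding in audit_whitelist(SAMPLE_WHITELIST, SAMPLE_APPROVED):
        print(f"{entry:<16} {finding}")
```
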

Audit logs

The audit logs of an ApsaraDB for MongoDB instance record all operations that are performed on the instance. The audit logs help you obtain information about the operations that are performed on the data in the instance. You can analyze the audit logs to troubleshoot issues, identify abnormal behavior, and audit the security of the instance.

For more information, see Configure audit logging for an ApsaraDB for MongoDB instance.

Data encryption

  • SSL encryption

    If you connect to an ApsaraDB for MongoDB instance over the Internet, you can enable SSL encryption for the instance. SSL encryption helps protect the data in transit. ApsaraDB for MongoDB encrypts network connections at the transport layer in compliance with SSL to improve data security and ensure data integrity. For more information, see Use the mongo shell to connect to an ApsaraDB for MongoDB database in SSL encryption mode.

  • TDE

    TDE encrypts data before the data is written to a disk and decrypts data when the data is read from a disk into the memory. TDE does not increase the size of data files. You can use TDE without modifying the configuration of your application. For more information, see Configure TDE for an ApsaraDB for MongoDB instance.

    Note: TDE supports only collection-level encryption. For more information about field-level encryption, see Explicit (Manual) Client-Side Field Level Encryption. Field-level encryption is supported only by ApsaraDB for MongoDB instances that run MongoDB 4.2.