MongoDB Security Interview Questions

Introduction

This guide covers essential MongoDB security concepts commonly asked in technical interviews. Each question includes detailed answers and practical examples.

Medium

1. What are the key security features in MongoDB?

MongoDB provides several security features:

  • Authentication and Authorization
  • Transport Layer Security (TLS/SSL)
  • Encryption at Rest
  • Network Security
  • Audit Logging

Security Layers:

  • Network Security
  • Authentication
  • Authorization
  • Data Protection
  • Audit and Compliance

Hard

2. How do you implement authentication in MongoDB?

Authentication implementation involves several steps:

1. User Creation and Management

// Create admin user (run against the admin database: `use admin` in mongosh).
// passwordPrompt() can replace the literal so the password never lands in shell history.
db.createUser({
    user: "adminUser",
    pwd: "securePassword",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
})

// Create application user with only the access the application needs
db.createUser({
    user: "appUser",
    pwd: "appPassword",
    roles: [
        { role: "readWrite", db: "myapp" },
        { role: "read", db: "reports" }
    ]
})

# Enable authentication (mongod.conf)
security:
    authorization: enabled

2. Authentication Methods

# SCRAM-SHA-256 authentication (the default challenge-response mechanism)
mongod --auth --setParameter authenticationMechanisms=SCRAM-SHA-256

# LDAP authentication (MongoDB Enterprise): PLAIN hands the password to mongod in
# cleartext inside the handshake, so offer it only over TLS; the LDAP server itself
# is configured separately with --ldapServers
mongod --auth --setParameter authenticationMechanisms=PLAIN,SCRAM-SHA-256

# X.509 certificate authentication: mongod must trust the CA that issued the client
# certificates and the MONGODB-X509 mechanism must be enabled; users are then created
# in the $external database with the certificate subject as the user name
mongod --auth --tlsMode requireTLS --tlsCertificateKeyFile /etc/ssl/mongodb.pem \
    --tlsCAFile /etc/ssl/ca.pem --setParameter authenticationMechanisms=MONGODB-X509
Hard

3. How do you implement role-based access control (RBAC)?

RBAC implementation involves defining roles and permissions:

1. Custom Role Creation

// Create custom role (run in the database that owns it: `use myapp`).
// Privileges are additive: the db-wide entry already covers myapp.users, so the
// second, narrower entry cannot take anything away from it.
db.createRole({
    role: "appAdmin",
    privileges: [
        {
            resource: { db: "myapp", collection: "" },   // every collection in myapp
            actions: [ "find", "update", "insert", "remove" ]
        },
        {
            resource: { db: "myapp", collection: "users" },
            actions: [ "find" ]
        }
    ],
    roles: []   // no inherited roles
})

// Assign role to user
db.grantRolesToUser(
    "appUser",
    [ { role: "appAdmin", db: "myapp" } ]
)

2. Role Management

// View user roles
db.getUser("appUser")

// Update role privileges: updateRole REPLACES the whole privilege list, so after
// this call appAdmin can only find and update in myapp.orders
// (use db.grantPrivilegesToRole to add privileges without dropping existing ones)
db.updateRole(
    "appAdmin",
    {
        privileges: [
            {
                resource: { db: "myapp", collection: "orders" },
                actions: [ "find", "update" ]
            }
        ]
    }
)

// Revoke role
db.revokeRolesFromUser(
    "appUser",
    [ { role: "appAdmin", db: "myapp" } ]
)
Hard

4. How do you implement encryption in MongoDB?

Encryption implementation involves multiple layers:

Encryption Types:
  • Encryption at Rest
  • Encryption in Transit
  • Field-Level Encryption
  • Client-Side Encryption
Implementation Examples

# Enable encryption at rest (WiredTiger encrypted storage engine, MongoDB Enterprise);
# the keyfile must be protected like any other secret, or use a KMIP server instead
mongod --enableEncryption --encryptionKeyFile /path/to/keyfile

# Configure TLS/SSL (encryption in transit)
mongod --tlsMode requireTLS --tlsCertificateKeyFile /etc/ssl/mongodb.pem

// Client-side field-level encryption (Node.js driver with mongodb-client-encryption installed).
// `uri` is the connection string and `dataKeyId` the UUID returned by
// ClientEncryption.createDataKey() for this field, both set up elsewhere.
const { MongoClient } = require("mongodb");

// The local KMS provider needs a 96-byte master key; load it from a secret store,
// never from source (here: base64 in an environment variable)
const masterKey = Buffer.from(process.env.CSFLE_LOCAL_MASTER_KEY, "base64");

const client = new MongoClient(uri, {
    autoEncryption: {
        keyVaultNamespace: "encryption.__keyVault",
        kmsProviders: {
            local: {
                key: masterKey
            }
        },
        schemaMap: {
            "myapp.users": {
                bsonType: "object",
                properties: {
                    ssn: {
                        encrypt: {
                            keyId: [ dataKeyId ],
                            bsonType: "string",
                            // Deterministic keeps equality queries on ssn working but lets
                            // equal values be recognised as equal in the stored data; use
                            // "AEAD_AES_256_CBC_HMAC_SHA_512-Random" for fields never queried
                            algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
                        }
                    }
                }
            }
        }
    }
})
Hard

5. What are the security best practices for MongoDB?

Follow these security best practices:

1. Security Configuration

# Secure configuration (mongod.conf). auditLog and redactClientLogData are
# MongoDB Enterprise features.
security:
    authorization: enabled
    clusterAuthMode: x509          # replica-set and sharded-cluster members authenticate with certificates
    javascriptEnabled: false       # disables server-side JavaScript ($where, mapReduce)
    redactClientLogData: true      # keeps document contents out of log lines

net:
    tls:                           # the net.ssl.* spellings are the deprecated pre-4.2 form
        mode: requireTLS
        certificateKeyFile: /etc/ssl/mongodb.pem
        CAFile: /etc/ssl/ca.pem

auditLog:
    destination: file
    format: JSON
    path: /var/log/mongodb/audit.log

2. Security Monitoring

// Enable security auditing: also record successful authorization checks, not only
// failures (runtime setting; persist it under setParameter in mongod.conf)
db.adminCommand({
    setParameter: 1,
    auditAuthorizationSuccess: true
})

// Monitor authentication attempts. The profiler only records operations on a
// database where profiling is switched on (db.setProfilingLevel(2)); the server
// log and the audit log above are the reliable record of authentication events.
db.system.profile.find({
    "command.authenticate": { $exists: true }
})

// Check user activities (slowest find commands first)
db.system.profile.find({
    "command.find": { $exists: true }
}).sort({ millis: -1 })
