Overview
For nearly two decades, MongoDB’s mission has been to empower innovators to create, transform, and disrupt industries with software. Currently, over 50,000 customers across all industry verticals—including banks, healthcare, insurance, and government agencies—rely on MongoDB for mission-critical applications.
Although these regulated customers were already using private connectivity for their database access, MongoDB was interested in using Amazon Web Services (AWS) to meet an even broader range of customer needs. To address the strict security requirements of large-scale enterprise customers under the AWS Shared Responsibility Model, MongoDB extended its implementation of AWS PrivateLink—a service that establishes connectivity between virtual private clouds (VPCs) and AWS services—to encryption key management.
About MongoDB
With more than 50,000 customers across industries, MongoDB’s mission is to empower innovators to create, transform, and disrupt industries with software.
Opportunity | Using AWS PrivateLink to secure enterprise traffic
Founded in 2007, MongoDB first popularized the document database, and the company’s unified database platform now powers modern applications across all industries. MongoDB Atlas, its fully managed cloud database offering, delivers a comprehensive suite of services that help organizations accelerate and simplify how they build with data. MongoDB is an AWS Partner, and for many years, AWS has been a key provider for many of the company’s customers. Working closely alongside AWS, MongoDB continually adopts new services to meet emerging customer requirements and evolve its offerings.
MongoDB encrypts data at rest for Atlas using AWS Key Management Service (AWS KMS), a service that lets businesses create and control keys used to encrypt or digitally sign data. This traffic is secured with TLS encryption and MongoDB-supported IP allow lists to restrict access. However, customers in highly regulated industries require definitive proof that sensitive operations reside entirely on private networks. One way that MongoDB addresses customers’ security and compliance requirements is by establishing private, secure connectivity to AWS KMS where traffic remains in the AWS network.
To accomplish this, MongoDB added embedded, opt-in support for AWS KMS on AWS PrivateLink. Many MongoDB customers were already using AWS PrivateLink to connect to their MongoDB Atlas databases, which made the implementation seamless. Using this service, traffic between MongoDB Atlas and AWS KMS flows entirely in the AWS network, addressing the needs of security-conscious MongoDB customers.
Solution | Securing highly regulated workloads with private networking
Using AWS PrivateLink, MongoDB created a fully private connection between its MongoDB Atlas clusters and AWS KMS. The solution works by establishing interface VPC endpoints in each AWS Region and VPC where customers need secure access to encryption keys. When a customer opts into this feature, MongoDB creates dedicated endpoints. With this setup, MongoDB Atlas clusters communicate with AWS KMS entirely over private, secure connectivity: traffic stays in the AWS network, and the AWS KMS calls are never exposed to the public internet.
For customers who run workloads in different Regions, the solution uses multi-Region keys in AWS KMS. The customer configures a primary key in one Region, and the key is then replicated to secondary Regions. MongoDB creates private endpoints in each of these Regions so that database nodes can communicate with the nearest key replica. All encryption operations remain on private networks, regardless of where a database node operates.
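The two parts of the design above, a KMS interface endpoint per Region and a key whose replicas can only be reached through those endpoints, can be made verifiable on the customer side with a key policy. The following is an added example written for this page, not MongoDB's or AWS's code: it derives the per-Region endpoint service name for each replica, builds a key policy whose Deny statement refuses cryptographic operations that do not arrive via an allowed interface endpoint (the `aws:sourceVpce` and `aws:ViaAWSService` condition keys are real; a call over the public KMS endpoint carries no `aws:sourceVpce`, so `StringNotEquals` matches and the Deny applies), and audits any policy for crypto actions that such a Deny does not cover. The account id, role ARN and `vpce-` ids are constructed placeholders, and the exemption for AWS services calling KMS on the account's behalf is a design choice assumed here, not something the page describes.

```python
"""Added example (not MongoDB's or AWS's code): pin KMS usage to private
interface endpoints via a key policy, and audit policies for gaps.
All account ids, ARNs and endpoint ids are constructed placeholders."""
import json

# Data-plane KMS operations that must only travel over the private path.
CRYPTO_ACTIONS = (
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
)


def kms_endpoint_service_name(region: str) -> str:
    """Service name used when creating an interface VPC endpoint for KMS in a Region."""
    return f"com.amazonaws.{region}.kms"


def replica_endpoint_services(regions):
    """One KMS interface endpoint per Region that hosts a multi-Region key replica."""
    return {region: kms_endpoint_service_name(region) for region in regions}


def build_private_kms_policy(account_id, cluster_role_arn, allowed_vpce_ids):
    """Key policy: account root administers the key, the cluster role may use it,
    and an explicit Deny rejects any crypto call not arriving through one of the
    allowed interface endpoints. Calls made by an AWS service on the account's
    behalf (aws:ViaAWSService = true) are exempted; drop that line to be stricter."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "KeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "ClusterUse",
                "Effect": "Allow",
                "Principal": {"AWS": cluster_role_arn},
                "Action": list(CRYPTO_ACTIONS),
                "Resource": "*",
            },
            {
                "Sid": "DenyOutsidePrivateEndpoints",
                "Effect": "Deny",
                "Principal": "*",
                "Action": list(CRYPTO_ACTIONS),
                "Resource": "*",
                "Condition": {
                    # Missing aws:sourceVpce (public endpoint) also matches StringNotEquals.
                    "StringNotEquals": {"aws:sourceVpce": list(allowed_vpce_ids)},
                    "Bool": {"aws:ViaAWSService": "false"},
                },
            },
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def unguarded_crypto_actions(policy):
    """Return the crypto actions for which no Deny statement is conditioned on
    aws:sourceVpce, i.e. the operations a caller could still perform over the
    public KMS endpoint. An empty set means the policy is private-only."""
    guarded = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        # Condition keys are case-insensitive in IAM; normalise before lookup.
        not_equals = {
            key.lower(): val
            for key, val in stmt.get("Condition", {}).get("StringNotEquals", {}).items()
        }
        if not not_equals.get("aws:sourcevpce"):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "kms:*":
                guarded.update(CRYPTO_ACTIONS)
            else:
                guarded.add(action)
    return set(CRYPTO_ACTIONS) - guarded


if __name__ == "__main__":
    # Constructed sample: a key replicated to two Regions, one endpoint per Region.
    print(replica_endpoint_services(["us-east-1", "eu-west-1"]))
    policy = build_private_kms_policy(
        "123456789012",
        "arn:aws:iam::123456789012:role/atlas-cluster-example",
        ["vpce-0123456789abcdef0", "vpce-0fedcba9876543210"],
    )
    print(json.dumps(policy, indent=2))
    print("unguarded actions:", unguarded_crypto_actions(policy))
```

The audit function is deliberately narrow: it only asks whether each data-plane action is covered by a VPC-endpoint-scoped Deny, which is the property a regulated customer wants evidence of. Because a multi-Region key shares one key policy across its replicas, the `allowed_vpce_ids` list must contain the endpoint id from every Region in which a replica and a database node live, or nodes in the other Regions will be denied.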
Every MongoDB Atlas customer on AWS can now opt into the integration between AWS KMS and AWS PrivateLink. This feature adds another layer of security and governance, supplementing the existing volume-level encryption at rest used for all Atlas volumes and TLS encryption in transit used for all Atlas network connections.
With this implementation, MongoDB has expanded its appeal to enterprise customers in industries like finance, insurance, and technology. “We are seeing a wider adoption from customers with extensive compliance requirements,” says Keith Yang, software engineer on the MongoDB Atlas Clusters team. “Using AWS PrivateLink, we can unlock these highly regulated workloads and meet the demands of the enterprises running them.”
By keeping all AWS KMS traffic in the AWS network, MongoDB has reduced the threat surface and strengthened its already robust security posture. The multi-Region implementation has also strengthened resilience. The customer replicates its AWS KMS key to each Region in which the cluster operates, and each node connects to the key in its respective Region using a private endpoint.
MongoDB’s close collaboration alongside its AWS account team and AWS Enterprise Support—which provides a comprehensive suite of resources, including proactive planning, advisory services, automation tools, communication channels, and 24/7 expert support—helped make this project a success. The two teams maintain regular communication regarding customer needs and upcoming features. This helps align the roadmaps of the MongoDB and the AWS teams so that new implementations follow industry best practices.
“We receive significant assistance from AWS Enterprise Support. When we identify opportunities for improvement, the AWS team will often make changes for us,” says Ralph Capasso, vice president of engineering for the MongoDB Atlas Data Services team. “We have ongoing conversations with our AWS account team. When we launch new offerings, they’re successful from day one.”
Outcome | Evolving security capabilities through collaboration
Adopting AWS PrivateLink for AWS KMS connectivity is only one step in MongoDB’s ongoing effort to enhance its security posture. The company continues to work closely alongside the AWS team to evaluate emerging technologies and best practices, helping keep MongoDB Atlas at the forefront of cloud database security.
“We are always looking for areas to improve and ways to adopt new technologies,” says Capasso. “AWS is constantly adding innovative feature updates and services to its portfolio so that we can achieve new standards of security, privacy, and compliance.”