MongoDB Atlas is a fully-managed cloud database service that makes it incredibly easy to use MongoDB securely. With Enterprise features, Atlas allows you to take security to the next level with confidence. Learn how to leverage Atlas Enterprise features, including LDAP integration, encryption key management, and granular database auditing. We'll also look at how to do analytics via the BI Connector in popular tools.

2. JUMPSTART: Introduction to
Atlas, Highlighting Enterprise
Features
Melissa Plunkett, Sr. Product Manager, MongoDB

3. Melissa
Plunkett
Sr. Product Manager – Cloud, MongoDB

4. About Me
Live in Austin, TX
Originally from Missouri –
aka the Show-Me State – aka “Fly over country”
Operations background – I <3 Linux
Learned from many experiences - I <3 Data so now I’m at MongoDB!

5. About You
Show of hands!
• Have used a relational DB, e.g. Oracle, MySQL, PostgreSQL, DB2, etc?
• Have used MongoDB?
• Have setup MongoDB with an advanced/enterprise feature, e.g. TLS,
LDAP (authentication or authorization), KMIP, Auditing, BI Connector or
similar?
• Have used MongoDB Atlas?
• Love … Dogs? Cats? Both?
• Need more coffee???

6. Our Mission Today
We work at GenCat – A Genetic Testing Site for Cats!!
Is your cat the cat they thought they are?
Have a HUGE new customer PetBox Inc (yea! $$$)
that demands, DEMANDS, features
we haven’t implemented yet (uh oh)!
And it all has to be ready this morning! (gulp!)

7. Sales Agreed We Would:
• Setup an easily scalable MongoDB Cluster that is highly
available on AWS.
• Use PetBox Inc’s LDAP server for authentication and
authorization
• Provide a full audit log
• Not just have encryption at rest but sign with PetBox
Inc’s provided AWS KMS key
• Allow their analytics team to query using MySQL
Workbench
?

8. Task 1 – Get Our MongoDB Cluster
ReadyTo Do list: (TTC ~ 3-4 weeks)
• Configure networking config: VPC, Security Groups, Elastic IPs
• Run sizing exercise to determine EC2 Instances and storage
• Create those Instances and storage, at least 3 for HA
• Update software and lock the instances down
• Setup monitoring for the underlying infrastructure
• Install MongoDB on 3 instances
• Configure MongoDB replica set with authentication and TLS
• Figure out how to monitoring MDB
• Figure out best way to backup MDB
• SQL on MongoDB???
• Figure out how to scale quickly when it’s needed …

9. Thankfully GenCat Picked Atlas!
• MongoDB as a Service
• Consumption Model
• Available on the Big 3 – AWS / Azure / GCP
• Automates MongoDB Best Practices –
Automation, Backup, Monitoring, Alerts
• Highly available by default, easily scale up and down
• Basic to Advanced Performance and Security Features Included –e.g.
authentication, TLS, IP Whitelists, encryption at rest, LDAP, KMIP,
auditing, performance advisor, and more!
• UI and API – Can spin up our new cluster in a few minutes with clicks
or calls!
TTC ~ 15 mins

10. Let’s check out Atlas

11. Cloud.mongodb.com

18. Now for Those Enterprise Features
• Setup an easily scalable MongoDB Cluster that is highly
available on AWS.
• Use PetBox Inc’s LDAP server for authentication and
authorization
• Provide a full audit log
• Not just have encryption at rest but sign with PetBox
Inc’s provided AWS KMS key
• Allow their analytics team to query using MySQL
Workbench

19. Why LDAP aka BYO LDAPS?
• Lightweight Directory Access Protocol Secure – aka
LDAPS
• Almost every med to large company (and many small)
are using for auth^2
• Gives you:
• Single Sign On
• Security Administration
• Password Controls
Fancy Password Control Room

20. Why Not Just DIY?
What you Need for LDAPS
Without Atlas: TTC ~ 1-2 weeks
• Assuming already completed “Iceberg List”
• Get Coffee
• Read how to configure MongoDB for LDAP
• Manually configure all the Mongods in your
cluster for LDAP
• Test Config and hope it works *fingers crossed*
• FAILS
• Troubleshoot
• Repeat till Success just for authentication! Next
auth!
• Do again when anything changes.
What you Need for BYO LDAPS with
Atlas:
TTC ~ 5-10 mins
Just Need Information:
Authentication
Server Hostname
Server Port
Bind User Credentials
(Optional) CA Certificate for LDAP Server
(Optional) LDAP Query for Mapping
Authorization
An attribute to match to MongoDB Roles
An LDAP query to find these attributes

21. Task 2 – Use PetBox Inc’s LDAPS
server for authentication and
authorization

22. Now for Those Enterprise Features
• Setup an easily scalable MongoDB Cluster that is highly
available on AWS.
• Use PetBox Inc’s LDAP server for authentication and
authorization
• Provide a full audit log
• Not just have encryption at rest but sign with PetBox
Inc’s provided AWS KMS key
• Allow their analytics team to query using MySQL
Workbench

23. Why Does PetBox Want To Audit?
• Data is often our MOST IMPORTANT BUSINESS
ASSET $$$$
• If something goes wrong or there is an audit you have
to be able to prove those 5 Ws (and probably the H)
• Most certifications/compliances require the ability to
prove chain of custody, e.g. EMRs under HIPAA or
GDPR.
DATA

24. Why Not Just DIY?
What you Need Audit MDB
without Atlas: TTC ~ 1.5 weeks
• Assuming already completed “Iceberg List”
• Get Coffee
• Read how to enable and configure MongoDB
Auditing
• Manually configure all the Mongods in your
cluster for auditing.
• Manually configure your filters, e.g.
{ atype: { $in: [ "createCollection", "dropCollection" ] }
}
• Test that events are captured.
• Hope it works *fingers crossed*
• FAILS
• Troubleshoot
What you Need Audit MDB with
Atlas: TTC ~3 min
Turn it on
Define what to Audit – pre-definied check list and
custom options!
Get the data!
You are killing it – get a latte this time!

25. Task 3 – Audit PetBox’s Going Ons

26. Now for Those Enterprise Features
• Setup an easily scalable MongoDB Cluster that is highly
available on AWS.
• Use PetBox Inc’s LDAP server for authentication and
authorization
• Provide a full audit log
• Not just have encryption at rest but sign with PetBox
Inc’s provided AWS KMS key
• Allow their analytics team to query using MySQL
Workbench

27. Coming Soon!
Why Use Their Key aka BYO Key?
• Atlas already provides encryption at rest but MogoDB owns
the keys
• BYO Key means you ultimately control data access – take
the key, data can’t be unencrypted
• We support easy to use KMS providers

28. Why Not Just DIY?
What you Need for LDAPS
Without Atlas: TTC ~ 1 week
(setup only)
• Assuming already completed “Iceberg List”
• Get Coffee
• Read how to configure MongoDB for KMIP
• Create your key (using a service or internally)
• Manually Configure all the MongoDs in your
cluster for KMIP
• Test Config and hope it works *fingers crossed*
• FAILS
• Troubleshoot
• Repeat till Success!
• Figure out how to rotate, alert, etc
What you Need for BYO Key with Atlas:
TTC ~ 10-15 mins (including key
creation)
Create a key, e.g. AWS KMS:
IAM User – create the key , define permissions, set rotation
policy
Then just need:
Account Credentials: Access Key and Secret Access key
Region key will reside
AWS Customer Master Key ID (CMK)

29. First Pet Box Has to Create a Key

30. Alias and Description

31. Set Permissions

32. Review and …

33. Done! Key Made!

34. Remember to Rotate!

35. Task 4 – Encrypt with PetBox’s Key

36. Now for Those Enterprise Features
• Setup an easily scalable MongoDB Cluster that is highly
available on AWS.
• Use PetBox Inc’s LDAP server for authentication and
authorization
• Provide a full audit log
• Not just have encryption at rest but sign with PetBox
Inc’s provided AWS KMS key
• Allow their analytics team to query using MySQL
Workbench

37. Why Does PetBox Want To Use SQL?
• Lots of people know SQL – 40 years of history is hard to
deny
• MQL and the aggregation framework are awesome – so
until more know it we built our BI Connector
DATA

38. Why Not Just DIY?
What you Need Speak SQL to
MDB without Atlas & the BI
Connector:
TTC ~ ?? Months to Years
• Assuming already completed “Iceberg List”
• Get Coffee
• Start coding … (Note: you can run the BI
Connector without Atlas but it’s just so much
EASIER!)
What you Need Speak SQL to MDB
without Atlas:
TTC ~ 10 mins
Turn on the BI Connector
Grab the connection info and put it in your fav BI Tool
SQL away!

39. Task 5 – Query with MySQL
Workbench

40. We Did It!!!

41. We Got Your Back: Always Adding
Features
You Need to Succeed!Recently added:
• Temporary IP Whitelist Entries with configurable expirations
• Temporary Users with configurable expirations
• Custom DB User Roles
• More Coming Soon like x509 Authentication!
We Didn’t Even Cover:
• Alerting – Preconfigured and Configurable
• Atlas Activity Feed
• Peering

42. Questions?

43. Thank You!