The document outlines the requirements and capabilities for setting up a MongoDB Atlas enterprise database cluster, including a highly available 3-node replica set with TLS, LDAP authentication for 30,000 users, database auditing, and encryption at rest. It provides a checklist for configuration tasks to be completed by March 14th and details specific authentication and authorization requirements. The presentation emphasizes how MongoDB Atlas can fulfill these needs effectively.

2. MongoDB
Atlas For Your Enterprise
Justin LaBreck – Senior Consulting Engineer, MongoDB

3. So… I got this letter today
To Whom It May Concern,
Our analytics team needs a database to run some numbers and do analysis stuff.
Highly Available, 3 Node, MongoDB Replica Set
TLS for all connections
LDAP authentication and authorization for 30,000 users
Database Auditing - ONLY authentication attempts must be logged
Encryption at Rest using our AWS KMS credentials
MySQL Shell Connectivity
Please configure the following before 11:15 AM on March 14th (or else):

4. Justin LaBreck
Senior Consulting Engineer @ MongoDB
Professional Services

5. Typical MongoDB Enterprise Cluster
Deployed an enterprise database cluster with:
● TLS
● LDAP authentication
● LDAP authorization
● Encryption at Rest with KMIP Key Management
● Encrypted Backups
● Analytics Integration

6. Typical MongoDB Enterprise Cluster
Deployed an enterprise database cluster with:
● TLS
● LDAP authentication
● LDAP authorization
● Encryption at Rest with KMIP Key Management
● Encrypted Backups
● Analytics Integration
Show of hands … who has done the above??

7. With MongoDB Atlas:
WE CAN DO IT!

8. Checklist:
Highly Available, 3 Node, MongoDB Replica Set
TLS for all connections
LDAP authentication and authorization for 30,000 users
Database Auditing - ONLY authentication attempts must be logged
Encryption at Rest using our AWS KMS credentials
MySQL Shell Connectivity

9. 3 Node Replica Set w/TLS

10. Checklist:
Highly Available, 3 Node, MongoDB Replica Set
TLS for all connections
LDAP authentication and authorization for 30,000 users
Database Auditing - ONLY authentication attempts must be logged
Encryption at Rest using our AWS KMS credentials
MySQL Shell Connectivity

11. LDAP Auth - Requirements
Authentication
1. Server Hostname
2. Server Port
3. Bind User Credentials
4. (Optional) CA Certificate for LDAP Server
5. (Optional) LDAP Query for Mapping
Authorization
1. An attribute to match to MongoDB Roles
2. An LDAP query to find these attributes

12. cn=Justin,ou=LDAP,dc=MongoDB,dc=com
LDAP Authentication
LDAP
Bind DN
Bind Password
User DN
User Password
BIND SUCCESS - Bind User
BIND SUCCESS - Client User
MongoDB Authorization
User @ $external

13. A Friendly Reminder
To Whom It May Concern,
Hope all is going well!
(For your sake)
Time is ticking!
- Management

14. LDAP Authorization
LDAP
memberOf: cn=Admin, ou=LDAP, dc=MongoDB, dc=com
memberOf: cn=, ou=LDAP, dc=MongoDB, dc=com
memberOf: cn=Tennis, ou=LDAP, dc=MongoDB, dc=com
And MORE!
MongoDB Authorization
Roles @ admin
Bind DN
Bind Password
User DN
User Password
BIND SUCCESS - Bind User
BIND SUCCESS - Client User
cn=Justin,ou=LDAP,dc=MongoDB,dc=com

15. Atlas + LDAP
30,000 Users, done!

16. Checklist:
Highly Available, 3 Node, MongoDB Replica Set
TLS for all connections
LDAP authentication and authorization for 30,000 users
Database Auditing - ONLY authentication attempts must be logged
Encryption at Rest using our AWS KMS credentials
MySQL Shell Connectivity

17. Database Auditing

18. Database Auditing
*interface may be subject to change

19. Database Auditing - Got ‘em!
GOING LIVE
2019/03/14

20. Fort MongoDB Features
● TLS
● Database Auditing
● SSO via LDAP
● Wooden Palisades
Security assessment, so far

21. Checklist:
Highly Available, 3 Node, MongoDB Replica Set
TLS for all connections
LDAP authentication and authorization for 30,000 users
Database Auditing - ONLY authentication attempts must be logged
Encryption at Rest using our AWS KMS credentials
MySQL Shell Connectivity

22. Encryption at Rest - Requirements
Amazon KMS
1. IAM User
a. DescribeKey
b. Encrypt
c. Decrypt
2. Access Key
3. Access Secret
4. Region key will reside
5. AWS Customer Master Key (CMK)
Azure Key Vault
1. The Tenant ID (or Directory ID) for an Active Directory tenant.
2. The Client ID (or Application ID) w/ non-expired application
Password
3. The Resource Group name
a. Must have Owner Role in Resource Group
4. The Subscription ID and Key Vault Name of an Azure Key Vault.
5. The Key Vault must have the following Access Policies:
a. Key Management Operations
i. GET
ii. LIST
b. Cryptographic Operations
i. ENCRYPT
ii. DECRYPT
6. The Key Identifier for a key in the specified Azure Key Vault.

23. Checklist:
Highly Available, 3 Node, MongoDB Replica Set
TLS for all connections
LDAP authentication and authorization for 30,000 users
Database Auditing - ONLY authentication attempts must be logged
Encryption at Rest using our AWS KMS credentials
MySQL Shell Connectivity

24. BI-Connector

25. Checklist:
Highly Available, 3 Node, MongoDB Replica Set
TLS for all connections
LDAP authentication and authorization for 30,000 users
Database Auditing - ONLY authentication attempts must be logged
Encryption at Rest using our AWS KMS credentials
MySQL Shell Connectivity

26. One More Message
To Whom It May Concern,
Thank you for setting up our MongoDB cluster on Atlas! We didn’t
think it was possible but here we are.
We’ll get you next time.
Regards,
- Management

27. With MongoDB Atlas:
YOU CAN DO IT!

28. Thank You!
Justin LaBreck – Senior Consulting Engineer

29. Questions?
Justin LaBreck – Senior Consulting Engineer