MongoDB Atlas Operational Readiness Checklist

This checklist is designed to help you prepare your environment and team for a successful deployment and operation of MongoDB Atlas. Use this checklist to track your progress. For example, you can print it and check off each item as you complete the tasks.

Consult the official MongoDB Atlas documentation for detailed guidance on each of these aspects.

Check
Action

Create a MongoDB Atlas account, set up your Atlas organizations according to your internal structure, and configure a root user with appropriate access. To get recommendations and learn more about this topic, see Guidance for Atlas Orgs, Projects, and Clusters.

Set up projects based on your environment and application needs. Isolate environments by setting up production and non-production projects, at a minimum. To get recommendations and learn more about this topic, see Recommendations for Atlas Orgs, Projects, and Clusters.

Consider cross-organization billing, if applicable. To get recommendations and learn more about this topic, see Features for Atlas Billing Data.

Check
Action

Select cloud providers and regions for your Atlas clusters. Consider data sovereignty requirements and latency. To get recommendations and learn more about this topic, see Atlas Deployment Paradigms.

Configure network security based on your organization's needs. To get recommendations and learn more about this topic, see Guidance for Atlas Authorization and Authentication.

Choose a network connectivity method:

  • Private Endpoints (AWS PrivateLink, Azure Private Link, or Google Cloud Private Service Connect) for a one-way private connection from your VPC to Atlas. For multi-region clusters, enable private endpoints in each region. To learn more, see Recommendations for Multi-Region Deployments.

  • VPC Peering to set up private secure traffic routing within your network boundaries.

  • Public IP Access Lists to restrict inbound connections to specific IP addresses or CIDR blocks. Consider IP access lists as an alternative to endpoints if necessary.

For on-premises connectivity to Atlas, ensure that your organization completes all the necessary internal processes, which may take time for approvals.
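A review pass for the Public IP Access Lists item above, as an added example that is not part of the Atlas documentation. It assumes entries exported as dictionaries with `cidrBlock`, `ipAddress` and `comment` fields; the sample entries and the prefix-length policy are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX = {4: 24, 6: 64}  # assumed policy: widest range accepted per IP version

# Constructed sample in the assumed export shape; addresses are
# documentation or benchmarking ranges, not real hosts.
SAMPLE_ENTRIES = [
    {"cidrBlock": "0.0.0.0/0", "comment": "temp debug"},
    {"cidrBlock": "203.0.113.0/24", "comment": "office egress"},
    {"ipAddress": "198.51.100.7", "comment": "ci runner"},
    {"cidrBlock": "10.20.0.0/16", "comment": ""},
    {"cidrBlock": "198.18.0.0/15", "comment": "vendor"},
]


def audit_entry(entry):
    """Return the list of findings for one access list entry."""
    raw = entry.get("cidrBlock") or entry.get("ipAddress")
    if not raw:
        return ["not an IP entry; review manually"]
    try:
        net = ipaddress.ip_network(raw, strict=False)
    except ValueError:
        return [f"unparseable address {raw!r}"]
    findings = []
    if net.prefixlen == 0:
        findings.append("open to every address")
    elif net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
        findings.append("private range: confirm it belongs to a peered VPC")
    elif net.prefixlen < MIN_PREFIX[net.version]:
        findings.append(f"broad range (/{net.prefixlen})")
    if not (entry.get("comment") or "").strip():
        findings.append("no comment naming an owner")
    return findings


def audit(entries):
    """Map each entry that has findings to those findings."""
    report = {}
    for entry in entries:
        findings = audit_entry(entry)
        if findings:
            key = entry.get("cidrBlock") or entry.get("ipAddress") or "<other>"
            report[key] = findings
    return report


if __name__ == "__main__":
    for target, findings in audit(SAMPLE_ENTRIES).items():
        print(target, "->", "; ".join(findings))
```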

Configure authentication and authorization. To get recommendations and learn more about this topic, see Guidance for Atlas Authorization and Authentication.

  • Set up database users and roles with the principle of least privilege.

  • Implement Role-Based Access Control (RBAC) to manage access across all resources. To learn more, see Guidance for Atlas Authorization.

  • Consider setting up Federated Authentication, such as SAML 2.0, for UI access via identity providers, such as Okta, Entra ID, Ping Identity, or others. To learn more, see Guidance for Atlas Authorization.

  • Enforce Multi-Factor Authentication (MFA) for enhanced security.

  • Secure Atlas API access using API key-based authentication. Consider regular key rotation.

  • For database access in cloud environments, consider Workforce and Workload Identity Federation, such as OIDC, OAuth 2.0, AWS IAM roles, or Azure Managed Identities, for passwordless access.

  • Consider LDAP Integration for user authentication and authorization.

  • Explore using X.509 client certificates for authentication.

Implement robust encryption. To learn more, see Guidance for Atlas Data Encryption.

  • Encryption at rest is enabled by default using cloud providers' transparent disk encryption (AES-256).

  • Optionally enable "Bring Your Own Key (BYOK)" encryption using Key Management Service (KMS) providers (AWS KMS, Azure Key Vault, or GCP KMS). Atlas can't rotate customer-managed encryption keys.

  • Consider Client-Side Field Level Encryption (CSFLE) to encrypt data within your application before transmitting it to Atlas.

  • Explore Queryable Encryption for applications that run queries on encrypted data.

Configure database auditing to track database access and actions. Create custom filters if needed. To get recommendations and learn more about this topic, see Guidance for Atlas Auditing and Logging.

Be aware of hard-coded certificate authority certificates. Ensure that you set up your applications in a way that lets you handle potential CA certificate updates.

Atlas clusters use TLS certificates signed by a widely trusted Certificate Authority (CA). While applications using recent MongoDB drivers handle certificate validation automatically, older applications or those with custom TLS configurations might require updates to trust the new CA certificates if MongoDB updates its certificate provider. To learn more, see Hard-coded certificate authority.
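One way to find applications affected by a CA change, as an added example that is not part of the Atlas documentation: scan each application's connection string for a pinned CA file and for options that switch certificate validation off, which is a common but unsafe reaction to a failed handshake after a CA update. The option names are standard MongoDB connection string options; the application names, hosts and file paths are constructed.

```python
from urllib.parse import parse_qsl

# Constructed sample inventory: application name -> connection string.
SAMPLE_URIS = {
    "orders-api": "mongodb+srv://app@cluster0.example.mongodb.net/orders"
                  "?retryWrites=true&w=majority",
    "legacy-batch": "mongodb+srv://batch@cluster0.example.mongodb.net/"
                    "?tls=true&tlsCAFile=/opt/app/certs/atlas-ca.pem",
    "quick-fix": "mongodb+srv://svc@cluster0.example.mongodb.net/"
                 "?tlsAllowInvalidCertificates=true",
    "mixed-case": "mongodb://svc@h1.example.net:27017,h2.example.net:27017/"
                  "?TLS=true&TLSINSECURE=true",
}

VALIDATION_OFF = ("tlsallowinvalidcertificates",
                  "tlsallowinvalidhostnames",
                  "tlsinsecure")


def tls_findings(uri):
    """Return (kind, detail) tuples for TLS options that need review."""
    # Split on "?" by hand so multi-host seed lists do not confuse a URL parser.
    _, _, query = uri.partition("?")
    # Connection string option names are case-insensitive.
    opts = {k.lower(): v for k, v in parse_qsl(query, keep_blank_values=True)}
    findings = []
    if "tlscafile" in opts:
        # Pinned bundle: must be refreshed if the Atlas certificate chain changes.
        findings.append(("pinned-ca", opts["tlscafile"]))
    for name in VALIDATION_OFF:
        if opts.get(name, "").lower() == "true":
            findings.append(("validation-disabled", name))
    for name in ("tls", "ssl"):
        if opts.get(name, "").lower() == "false":
            findings.append(("tls-disabled", name))
    return findings


def audit(uris):
    """Map each application with findings to those findings."""
    results = {app: tls_findings(uri) for app, uri in uris.items()}
    return {app: found for app, found in results.items() if found}


if __name__ == "__main__":
    for app, found in audit(SAMPLE_URIS).items():
        print(app, found)
```

Applications reported as `pinned-ca` are the ones to track when the CA changes; a connection string with no TLS options relies on the driver's default trust store.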

Understand and plan for compliance with relevant standards and regulations, such as ISO/IEC 27001, HIPAA, GDPR, PCI DSS, FedRAMP, and others. To learn more, see MongoDB Atlas for Government.

Check

Action

Enable Atlas Cloud Backup, which provides localized backup storage using the cloud provider's native snapshot functionality. To get recommendations and learn more about this topic, see Guidance for Atlas Backups.

Enable Continuous Cloud Backup with a restore window that meets your Recovery Point Objective (RPO). We recommend having a restore window of 7 days to allow for Point In Time (PIT) recovery using the oplog.

Define a backup schedule and retention policy that aligns with your business continuity and compliance requirements. Consider hourly, daily, weekly, and monthly snapshots with appropriate retention periods.

Consider multi-region snapshot distribution for increased resilience by copying snapshots to other geographic regions.

Enable Backup Compliance Policy to prevent unauthorized modifications or deletions of backups and comply with strict data protection requirements.

Understand the process for restoring from scheduled or on-demand snapshots. To learn more, see Recommendations for Backup Policy.

Learn about the process for restoring from Continuous Cloud Backup to a specific point in time. To learn more, see Recommendations for Backup Policy.

Plan and test your Disaster Recovery (DR) strategy. Understand Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Consider testing your application's resilience in Atlas. To learn more, see Guidance for Atlas Disaster Recovery.

Consider options for downloading and archiving snapshots, if required, using the Atlas UI, Atlas Administration API, or Atlas CLI. To learn more, see Guidance for Atlas for Resiliency.

Check

Action

Be aware that Atlas deploys major version upgrades in a rolling manner to minimize downtime.

Define a Maintenance Window for Atlas automated systems to apply automatic minor version updates. Configure the day and hour of allowed maintenance using the mongodbatlas_maintenance_window resource. To learn more, see Guidance for Atlas for Resiliency.

Understand that Atlas has non-deferrable maintenance hours for critical security patches or operational necessities. Configure Protected Hours for your project and define a daily window when standard updates cannot begin. Atlas performs standard updates that don't involve cluster restarts or resyncs outside of these hours.

Check

Action

Use built-in monitoring capabilities in Atlas via the Metrics tab to track cluster health and performance.

Configure alerts for various cluster metrics and events to proactively identify and respond to potential issues. As a starting point, review and configure recommended alerts. Consider setting up multiple alerts for different severity levels.

Integrate Atlas monitoring with your existing enterprise monitoring and observability tools if required.

Familiarize yourself with Performance Advisor, Real-Time Performance Panel (RTPP), and Query Profiler for performance tuning and optimization.

To get recommendations and learn more about monitoring performance and alerts, see Guidance for Atlas Monitoring and Alerts.

Check

Action

Define roles and responsibilities for managing and operating MongoDB Atlas.

Establish change control and auditability processes. To learn more, see Guidance for Atlas Auditing and Logging.

Develop clear Disaster Recovery process documentation specific to your applications and Atlas setup. To learn more, see Guidance for Atlas Disaster Recovery.

Ensure your team is trained on MongoDB Atlas fundamentals, security best practices, and operational procedures. Consider MongoDB University and Professional Services for training and enablement.

Establish a process for engaging with MongoDB Support for production issues or when MongoDB's access level is required.

Plan for performance improvement using tools like Query Profiler and Performance Advisor. To learn more, see Guidance for Atlas Monitoring and Alerts.

Define how you will handle data lifecycle management. Configure archival strategies, such as TTL indexes or Online Archive.

Establish integration strategies with other tooling and services, such as Datadog, Prometheus, PagerDuty, and other tools. To learn more, see Guidance for Atlas Monitoring and Alerts.

Consider establishing a MongoDB Center of Excellence (CoE) within your organization to foster best practices and knowledge sharing.

By completing these checklist items, you will enhance your operational readiness for deploying and managing MongoDB Atlas. This will ensure that you set up a reliable, secure, and performant database environment.

Use the left navigation to find features and best practices for each Well-Architected Framework pillar.
