Security
Preconfigured Security Features
TLS
MongoDB Atlas for Government and databases hosted in AtlasGov use TLS 1.2 to encrypt connections. TLS cannot be disabled, and AtlasGov does not allow TLS versions earlier than 1.2.
FIPS 140-2
AtlasGov automatically enables FIPS 140-2 for all databases.
Required Security Features
You must configure the following security features:
Optional Security Features
A subset of the optional security features in commercial Atlas is available in AtlasGov, with some limitations.
Encryption at Rest
You must use KMS keys in AWS GovCloud and GCP Assured Workloads regions to encrypt data in AWS GovCloud and GCP Assured Workloads region-only projects. You must use KMS keys in AWS Standard regions to encrypt data in AWS Standard region-only projects.
See the Atlas documentation to configure Customer Key Management with AWS KMS and Manage Customer Keys with Google Cloud KMS.
VPC Peering
You can only peer AWS GovCloud regions with MongoDB clusters in AWS GovCloud regions. You can only peer AWS Standard regions with MongoDB clusters in AWS Standard regions.
You can only peer GCP Assured Workloads regions with MongoDB clusters in GCP Assured Workloads regions.
See the Atlas documentation to Set up a Network Peering Connection.
Private Endpoints
You can only link AWS GovCloud regions with MongoDB clusters in AWS GovCloud regions. You can only link AWS Standard regions with MongoDB clusters in AWS Standard regions.
You can only link GCP Assured Workloads regions with MongoDB clusters in GCP Assured Workloads regions.
See the Atlas documentation to Set up a Private Endpoint.
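The AWS pairing rules for Encryption at Rest, VPC Peering, and Private Endpoints can be checked before deployment. The following is an added example, not code from MongoDB or the Atlas documentation. It covers AWS only, and the function names, the project-class labels "govcloud" and "standard", and the sample ARN are assumptions made for illustration.

```python
# Added example: pre-deployment check of the AWS region-pairing rules above.
# Function names and the class labels "govcloud"/"standard" are hypothetical.
GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}  # AWS GovCloud (US) regions


def aws_region_class(region):
    """Return 'govcloud' or 'standard' for an AWS region name."""
    return "govcloud" if region in GOVCLOUD_REGIONS else "standard"


def parse_kms_arn(arn):
    """Split a KMS key ARN into (partition, region); raise ValueError if malformed."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms":
        raise ValueError(f"not a KMS ARN: {arn!r}")
    partition, region, resource = parts[1], parts[3], parts[5]
    if not region or not resource.startswith("key/"):
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    return partition, region


def check_kms_key(project_class, arn):
    """Return a list of problems with using this KMS key in the given project class."""
    partition, region = parse_kms_arn(arn)
    key_class = aws_region_class(region)
    problems = []
    # GovCloud ARNs use the aws-us-gov partition; this check expects "aws" for
    # every other region (assumption: no other partitions are in scope).
    expected = "aws-us-gov" if key_class == "govcloud" else "aws"
    if partition != expected:
        problems.append(f"partition {partition!r} does not match region {region!r}")
    if key_class != project_class:
        problems.append(f"key region {region!r} is {key_class}, project is {project_class}")
    return problems


def check_link(cluster_region, vpc_region):
    """Peering and private endpoints: both sides must be in the same region class."""
    return aws_region_class(cluster_region) == aws_region_class(vpc_region)


if __name__ == "__main__":
    # Constructed sample ARN (account ID and key ID are not real).
    sample = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    print(check_kms_key("govcloud", sample))
    print(check_link("us-gov-west-1", "us-east-1"))
```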
Outbound IP Addresses
You can use the following endpoints:
Use the Return All IP Addresses for One Project endpoint to retrieve all outbound IP addresses for the clusters in your project. To use this endpoint, your API key must have the Project Read Only role.
Use the Return All Control Plane IP Addresses endpoint to retrieve all outbound IP addresses for the Atlas control plane, categorized by cloud provider.