
MongoDB Atlas API Key

MongoDB Atlas API Keys are credentials used to authenticate and authorize access to MongoDB Atlas, a cloud-based database service. These keys allow applications and users to interact with the MongoDB Atlas API, enabling operations such as database management, monitoring, and configuration. Exposure of these keys is a significant security concern as it can lead to unauthorized access to sensitive data and infrastructure, potentially resulting in data breaches and service disruptions.


How Does It Look

MongoDB Atlas API Keys can appear in various contexts, such as:

  • Environment variables:

    export MONGODB_ATLAS_API_KEY="abcd1234efgh5678ijkl"

  • Configuration files (JSON, YAML, .env):

    {
      "mongodb": {
        "atlasApiKey": "abcd1234efgh5678ijkl"
      }
    }

  • Code snippets:

    from pymongo import MongoClient

    client = MongoClient("mongodb+srv://user:abcd1234efgh5678ijkl@cluster.mongodb.net")

  • Connection strings:

    mongodb+srv://user:abcd1234efgh5678ijkl@cluster.mongodb.net

Severity

  • 🔴 Critical

The severity of exposing a MongoDB Atlas API Key is critical because it provides access to the database service, potentially allowing an attacker to read, modify, or delete data. The blast radius includes all databases and collections accessible by the key, which could lead to significant data loss or corruption.


What Can an Attacker Do?

With a MongoDB Atlas API Key in hand, an attacker can immediately reach the Atlas API and the databases it manages, which can lead directly to unauthorized data manipulation.

Key actions an attacker can perform:

  • Delete or modify data (if the credential has write permissions)
  • Access billing information (if the account has billing scope enabled)
  • Spin up resources for cryptomining (if compute permissions are granted)
  • Exfiltrate sensitive data (if read access is enabled)

Additionally, an attacker could escalate their access or move laterally within the infrastructure, potentially compromising other connected systems or services.


Real-World Impact

The exposure of a MongoDB Atlas API Key poses significant business risk. The primary impact is unauthorized access to, and manipulation of, the data behind the key.

Potential consequences include:

  • Data Exposure: Sensitive customer or business data (if the credential has read access to sensitive data)
  • Financial Loss: Increased costs from unauthorized resource usage (if billing/resource creation is permitted)
  • Operational Disruption: Service outages or data integrity issues (if the attacker has delete/modify permissions)
  • Reputational Damage: Loss of customer trust and brand reputation

In worst-case scenarios, the exposure could lead to cascading effects, such as regulatory fines or legal actions due to data breaches.


Prerequisites for Exploitation

To exploit an exposed MongoDB Atlas API Key, an attacker needs:

  • Network access to the MongoDB Atlas service
  • Knowledge of the project (group) IDs or endpoints that the key is scoped to
  • A way around any rate limits or IP access list restrictions that may be in place

How to Verify If It's Active

To verify whether a MongoDB Atlas API Key is still active, call the Atlas Administration API with it. Atlas API keys are a public/private pair authenticated with HTTP Digest (public key as the user name, private key as the password), not a Bearer header:

curl --digest --user "[PUBLIC_KEY]:[PRIVATE_KEY]" \
  -H "Accept: application/json" \
  -X GET "https://cloud.mongodb.com/api/atlas/v1.0/groups/[GROUP_ID]/clusters"

Valid credential response: HTTP 200 with a JSON list of the clusters in that project.

Invalid/expired credential response: HTTP 401 with an error body indicating unauthorized access or invalid credentials.


Detection Patterns

Common Variable Names:

  • MONGODB_ATLAS_API_KEY
  • ATLAS_API_KEY
  • MONGODB_API_KEY
  • ATLAS_KEY
  • MONGODB_KEY
  • API_KEY

File Locations:

  • .env
  • config.json
  • settings.yaml
  • application.properties
  • secrets.json

Regex Pattern:

[A-Za-z0-9]{24,}

This pattern is deliberately broad and matches many harmless strings (hashes, IDs, build numbers). In practice it is only useful when anchored to one of the variable names above, to a file in one of the listed locations, or to the credential position of a connection string.
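The scanner below is an added example, not code from the original page: it combines the variable names, the value regex and the connection-string form above into a single check over file contents and reports masked findings. The sample input and its key values are constructed for the example.

```python
import re

# Detection patterns from the page: candidate variable names, the broad
# [A-Za-z0-9]{24,} value pattern, and the user:secret@host connection-string form.
VAR_NAMES = [
    "MONGODB_ATLAS_API_KEY", "ATLAS_API_KEY", "MONGODB_API_KEY",
    "ATLAS_KEY", "MONGODB_KEY", "API_KEY",
]
VALUE = r"[A-Za-z0-9]{24,}"

# Assignment forms: shell export, .env (KEY=value), YAML (KEY: value), JSON ("KEY": "value").
# \b on both sides keeps API_KEY from matching inside MONGODB_ATLAS_API_KEY twice.
ASSIGN_RE = re.compile(
    r"(?i)\b(" + "|".join(VAR_NAMES) + r")\b[\"']?\s*[=:]\s*[\"']?(" + VALUE + r")"
)
# Credential embedded in a mongodb:// or mongodb+srv:// URI (user:secret@host).
CONN_RE = re.compile(r"mongodb(?:\+srv)?://[^:/@\s]+:(" + VALUE + r")@")


def mask(secret: str) -> str:
    """Keep a 4-char prefix so findings never reproduce the full credential."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text: str):
    """Return (line_no, kind, masked_value) for every candidate key in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGN_RE.finditer(line):
            findings.append((line_no, m.group(1).upper(), mask(m.group(2))))
        for m in CONN_RE.finditer(line):
            findings.append((line_no, "CONNECTION_STRING", mask(m.group(1))))
    return findings


# Constructed sample file contents; these values are made up, not real keys.
SAMPLE = """\
export MONGODB_ATLAS_API_KEY="abcd1234efgh5678ijkl9012mnop"
"ATLAS_KEY": "abcd1234efgh5678ijkl9012"
api_key: ZYXW9876vuts5432RQPO1098nmlk
DEBUG=true
uri = "mongodb+srv://app:Qwerty1234Qwerty1234Qwer@cluster0.mongodb.net"
"""

if __name__ == "__main__":
    for line_no, kind, masked in scan_text(SAMPLE):
        print(f"line {line_no}: {kind} -> {masked}")
```

The same function can be wired into a pre-commit hook (step 8 of the remediation list) by running it over each staged file and failing the commit when it returns any findings.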

Remediation Steps

  1. Revoke immediately - Go to MongoDB Atlas > Security > API Keys and delete the compromised key.
  2. Audit access logs - Review MongoDB audit logs for unauthorized queries or data exports during the exposure window.
  3. Assess blast radius - Identify all systems, applications, and environments that used the exposed credential.
  4. Rotate credential - Create a new API key in MongoDB Atlas with least-privilege permissions.
  5. Update dependent systems - Deploy the new credential to all applications and update CI/CD pipelines securely.
  6. Harden access controls - Enable IP allowlisting in MongoDB Atlas and require TLS connections.
  7. Implement secrets management - Migrate credentials to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
  8. Add detection controls - Set up pre-commit hooks and repository scanning to catch credential leaks before they reach production.

Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.
