TL;DR
Query your cluster configs for missing or wildcard IP rules
To find MongoDB clusters without IP whitelists, check for clusters where
You can automate this in minutes using Sola. Create a security app with a single prompt, such as “Show me all MongoDB clusters without proper IP whitelisting”. Connect your MongoDB config or audit data, and you’ll instantly get the list.
ipAccessList is empty or includes 0.0.0.0/0. Those are effectively open to the internet.You can automate this in minutes using Sola. Create a security app with a single prompt, such as “Show me all MongoDB clusters without proper IP whitelisting”. Connect your MongoDB config or audit data, and you’ll instantly get the list.
Sola apps that could help you
Visit the App GalleryDon’t audit security manually.
Manually checking each cluster’s IP access list in MongoDB Atlas doesn’t scale. Most teams don’t even realize how many test environments or forgotten clusters are wide open. The quickest path to visibility is querying the configuration directly and flagging anything that allows unrestricted access.
In Sola, you can use the MongoDB Security Compliance App to surface exactly that, across all projects and environments. Just connect your data source, and the app shows you which clusters skipped IP restrictions.
What to look for in your IP access rules
Your query should return clusters where:
ipAccessListis null or empty- One or more entries match
0.0.0.0/0 - The access list doesn’t exist (for self-managed deployments)
This tells you which clusters have no network boundary in place — one of the most basic MongoDB security best practices. If you’re using Terraform or other config-as-code tools, it’s worth checking those too.
Build your own MongoDB security view
Whether you start with the MongoDB Security Compliance App or decide to create a new one from scratch, Sola still lets you move faster. Use the AI co-pilot to define your check in plain language, plug in the relevant data, and get immediate visibility, without sifting through cluster settings one by one.
Answer more security questions
How to find Okta users without MFA?
How to audit file sharing across Google Workspace?
How to monitor GCP audit logs for compliance?