Having set up ATLAS database encryption using Customer Keys with AWS KMS, what are the implications of changing the CMK at a later date? If this were deemed necessary would the change require a dump of the existing database followed by a restore into a new cluster to which the new CMK could then be used?
No need to re-write the data: MongoDB Atlas can do an update of the wrapping keys as well as of the database level keys in a rolling manner that’s light-weight (envelope encryption)