Can anyone answer any or all of the following concerns:
When to use Encryption at Rest using your Key Management over the default encryption provided by Atlas?
Does this give any additional level of security that the default encryption by Atlas doesn't provide?
I have tried looking through the MongoDB docs but didn't find a suitable answer. I can find how to set it up, but not why one would want to set it up.
Note: The only reason I found is to use your own Key Management when you need to have control over the keys used to encrypt your data.
Please share any thoughts you have on this. It will be highly appreciated.
When to use Encryption at Rest using your Key Management over the default encryption provided by Atlas?
To answer your first question, since this is an additional layer of encryption, it won't override the default encryption at rest for the cluster's storage and snapshot volumes. Encryption at rest using Customer Key Management is optional and enables database-level encryption for sensitive workloads via the WiredTiger encrypted storage engine. This option allows customers to use their own AWS KMS, Azure Key Vault, or Google Cloud KMS keys to control the keys used for encryption at rest.
There is a security white paper available here which describes this further.
Does this give any additional level of security that the default encryption by Atlas doesn't provide?
To answer your second question, you may wish to refer to this statement from the docs, most notably that it is an additional layer of encryption:
Atlas Project Owners can configure an additional layer of encryption on their data using their Atlas-compatible customer key management provider with the MongoDB encrypted storage engine.
As to “why would anyone do this?”, the answer may depend on your security policy. Atlas is secure by default (in transport and at rest), but individual security policies may vary. This option is available to cater for individuals or organizations requiring this additional protection by having your own keys in addition to what Atlas has provided by default.
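The following is an added example, not code from the post above or from MongoDB, that models the two layers the answer describes and shows concretely what "control over the keys" buys: a default cluster with only provider volume encryption, and a cluster whose WiredTiger database key is wrapped by a master key in a customer-controlled KMS. Disabling that master key makes the second cluster unreadable while the default one is unaffected, rotating the master key only re-wraps the database key (the data on disk is untouched), and every key use leaves an entry in the customer's own audit log. The `CustomerKms` and `Cluster` classes and the HMAC-based `seal`/`unseal` cipher are stand-ins invented for this example so it runs offline on the standard library; they are not Atlas API names, and production systems use AES.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stand-in keystream (toy, not AES)."""
    blocks = [hmac.new(key, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
              for c in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KmsKeyDisabled(Exception):
    """The customer disabled the master key; nothing wrapped by it can be unwrapped."""


@dataclass
class CustomerKms:
    """Stand-in for an AWS KMS / Azure Key Vault / Google Cloud KMS key the customer owns."""
    versions: List[bytes] = field(default_factory=lambda: [os.urandom(32)])
    enabled: bool = True
    audit_log: List[str] = field(default_factory=list)

    def wrap(self, dek: bytes) -> bytes:
        self._check()
        v = len(self.versions) - 1            # always wrap under the newest version
        self.audit_log.append(f"Encrypt v{v}")
        return bytes([v]) + seal(self.versions[v], dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        self._check()
        v = wrapped[0]                        # older versions stay usable until re-wrapped
        self.audit_log.append(f"Decrypt v{v}")
        return unseal(self.versions[v], wrapped[1:])

    def rotate(self) -> None:
        self.versions.append(os.urandom(32))

    def disable(self) -> None:
        self.enabled = False

    def _check(self) -> None:
        if not self.enabled:
            self.audit_log.append("DENIED: key disabled")
            raise KmsKeyDisabled("master key disabled by customer")


@dataclass
class Cluster:
    """Layer 1: provider volume key (always on). Layer 2: DEK wrapped by customer KMS (optional)."""
    kms: Optional[CustomerKms] = None
    volume_key: bytes = field(default_factory=lambda: os.urandom(32))
    wrapped_dek: Optional[bytes] = None
    disk: bytes = b""

    def __post_init__(self) -> None:
        if self.kms is not None:
            self.wrapped_dek = self.kms.wrap(os.urandom(32))

    def write(self, document: bytes) -> None:
        payload = document
        if self.kms is not None:
            payload = seal(self.kms.unwrap(self.wrapped_dek), document)
        self.disk = seal(self.volume_key, payload)

    def read(self) -> bytes:
        payload = unseal(self.volume_key, self.disk)
        if self.kms is None:
            return payload
        return unseal(self.kms.unwrap(self.wrapped_dek), payload)

    def rewrap_dek(self) -> None:
        """Master key rotation re-wraps the DEK only; bytes on disk are not rewritten."""
        self.wrapped_dek = self.kms.wrap(self.kms.unwrap(self.wrapped_dek))


def demo() -> dict:
    doc = b'{"ssn": "123-45-6789"}'          # constructed sample record
    default, kms = Cluster(), CustomerKms()
    byok = Cluster(kms=kms)
    default.write(doc)
    byok.write(doc)
    out = {"default_reads": default.read() == doc, "byok_reads": byok.read() == doc}
    kms.rotate()
    disk_before = byok.disk
    byok.rewrap_dek()
    out["rotation_keeps_data"] = byok.read() == doc and byok.disk == disk_before
    out["rewrapped_with_new_version"] = byok.wrapped_dek[0] == 1
    kms.disable()                           # the customer pulls the key; Atlas cannot override this
    try:
        byok.read()
        out["byok_reads_after_disable"] = True
    except KmsKeyDisabled:
        out["byok_reads_after_disable"] = False
    out["default_reads_after_disable"] = default.read() == doc
    out["kms_audit_entries"] = len(kms.audit_log)
    return out


if __name__ == "__main__":
    print(demo())
```

The practical reading of `demo()` is the answer's point restated in code: with the default setup, the only way to make the data unreadable is to delete it through Atlas, whereas with your own KMS key you can cut off access from your side (disable the key, tighten its key policy) and review who used it in the KMS provider's audit trail, independent of MongoDB. The price is operational: if the key is disabled or deleted, the cluster and its snapshots are unreadable for you too, so rotation and deletion need the same care as any other production key.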