Docs Menu

Manage Customer Keys with AWS KMS

On this page

  • Enable Customer-Managed Keys with AWS KMS
  • Rotate your AWS Customer Master Key
  • Related Topics
Note

Starting with the 26 January 2021 Release, you must use AWS IAM roles instead of IAM users to manage access to your AWS KMS encryption keys for customer key management.

When you move from AWS IAM users to roles, ensure that your new role has access to your old AWS customer master key.

Important
Feature unavailable in Serverless Instances

Serverless instances don't support this feature at this time. To learn more, see Serverless Instance Limitations.

You can configure your Atlas project to use an AWS IAM role for accessing your AWS KMS keys for encryption at rest. You can either use an existing role or create a new role when you enable encryption at rest for your project.

This page covers configuring customer key management on your Atlas project for role-based access.

If you have not yet enabled encryption at rest for your new or existing Atlas project, follow the Enable Role-Based Access to Your Encryption Key for a Project procedure to enable encryption at rest for your Atlas project. If you have an Atlas project for which you have already enabled encryption at rest and configured credentials-based access to your encryption keys, follow the Switch to Role-Based Access to Your Encryption Key for a Project procedure to switch to role-based access to your encryption keys.

You must configure customer key management for the Atlas project before enabling it on clusters in that project.

Tip

To enable customer-managed keys with AWS KMS for a MongoDB project, you must:

  • Have a symmetric AWS KMS key . To learn how to create a key, see Creating Keys in the AWS documentation.
  • Have an AWS IAM role with sufficient privileges. Atlas must have permission to perform the following actions with your key:

    Note

    If you wish to use the AWS KMS key with an AWS IAM role from a different AWS account instead of that of the IAM role which created the AWS KMS key , ensure you have sufficient privileges:

    • Add a key policy statement under the AWS KMS key to include the external AWS account.
    • Add an IAM inline policy for the IAM role in the external AWS account.

    For a comprehensive discussion of IAM roles and customer master keys, see the AWS documentation.

    After confirming the above privileges, you can follow the usual steps to configure the KMS settings in Atlas, with the following exception:

    • You must provide the full ARN for the AWS KMS key (e.g. arn:aws:kms:eu-west-2:111122223333:key/12345678-1234-1234-1234-12345678) instead of the master key ID (e.g. 12345678-1234-1234-1234-12345678) in the AWS KMS key ID field.

    To learn how to create an IAM role, see IAM Roles in the AWS documentation.

    Atlas uses the same IAM role and AWS KMS key settings for all clusters in a project for which Encryption at Rest is enabled.

  • If your AWS KMS configuration requires it, allow access from Atlas IP addresses and the public IP addresses or DNS hostnames of your cluster nodes so that Atlas can communicate with your KMS. If the node IP addresses change, you must update your configuration to avoid connectivity interruptions.
Important

If you switch your Atlas project from credentials-based access to role-based access to your encryption keys, you cannot undo the role-based access configuration and revert to credentials-based access for that project.

After you Enable Role-Based Access to Your Encryption Key for a Project, you must enable customer key management for each Atlas cluster that contains data that you want to encrypt.

Note

You must have the Project Owner role to enable customer key management for clusters in that project.

For new clusters, toggle the Manage your own encryption keys setting to Yes when you create the cluster.

For existing clusters:

1
  1. If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
  2. If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
  3. If the Database Deployments page is not already displayed, click Databases in the sidebar.
2

For the cluster that contains data that you want to encrypt, click the ellipses ..., then select Edit Configuration.

3
  1. Expand the Additional Settings panel.
  2. Toggle the Manage your own encryption keys setting to Yes.
4
  1. Click Review Changes.
  2. Review your changes, then click Apply Changes to update your cluster.
Note
Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 free clusters, M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Cluster), M2, and M5 Limitations.

Important
Feature unavailable in Serverless Instances

Serverless instances don't support this feature at this time. To learn more, see Serverless Instance Limitations.

When you use your own cloud provider KMS, Atlas automatically rotates the MongoDB master keys every 90 days. These keys are rotated on a rolling basis and the process does not require the data to be rewritten.

Atlas does not automatically rotate the AWS customer master key (CMK) used for AWS-provided Encryption at Rest.

Atlas automatically creates an alert to remind you to rotate your CMK every 90 days by default when you enable Encryption at Rest for an Atlas project.

AWS KMS supports automatic CMK rotation. AWS automatic CMK rotation does not require you to update the Atlas Encryption at Rest project settings, including the CMK ID.

This page explains how to create a new key and update the CMK ID in Atlas to rotate your Atlas project CMK. This method of key rotation supports more granular control of the rotation period compared to AWS KMS automatic CMK rotation.

Important
Cloud Backups with Encryption at Rest

For clusters using Encryption at Rest and Back Up Your Database Deployment, Atlas uses the project's CMK and AWS IAM user credentials at the time of the snapshot to automatically encrypt the snapshot data files. This is an additional layer of encryption on the existing encryption applied to all Atlas storage and snapshot volumes.

Atlas does not re-encrypt snapshots with the new CMK after rotation. Do not delete the old CMK until you check every backup-enabled cluster in the project for any snapshots still using that CMK. Atlas deletes backups in accordance to the Backup Scheduling, Retention, and On-Demand Backup Snapshots. After Atlas deletes all snapshots depending on a given CMK, you can delete that CMK safely.

1
  1. If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
  2. If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
  3. Click Advanced in the sidebar.
2
3
  1. Enter the following information:

    Field
    Action
    AWS IAM role
    Select an existing AWS IAM role or authorize a new role. See Enable Role-Based Access to Your Encryption Key for a Project to learn more about authorizing a new IAM role for Atlas to access your AWS KMS keys for encryption at rest.
    Customer Master Key ID

    Enter your AWS customer master key ID.

    Important

    You must update the key policy to give the IAM user supporting Atlas Encryption at Rest the following permissions to access the provided CMK:

    Customer Master Key Region

    Select the AWS region in which you created your AWS CMK.

    Note

    Atlas only lists AWS regions that support AWS KMS.

  2. Click Save.

Atlas displays a banner in the Atlas console during the CMK rotation process. Do not delete or disable the CMK until your changes have deployed.

←  Encryption at Rest using Customer Key ManagementManage Customer Keys with Azure Key Vault →
Give Feedback
© 2022 MongoDB, Inc.

About

  • Careers
  • Investor Relations
  • Legal Notices
  • Privacy Notices
  • Security Information
  • Trust Center
© 2022 MongoDB, Inc.