Navigation

Encryption at Rest via AWS KMS

Note

This feature is not available for M0 (Free Tier), M2, and M5 clusters. For more information, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Atlas enables you to use the AWS Key Management Service (AWS KMS) to encrypt your MongoDB cluster database files and cloud providers snapshots. MongoDB uses your AWS customer master key (CMK) to encrypt and decrypt your MongoDB master keys, which are used to encrypt your database keys. Atlas automatically rotates your MongoDB master keys every ninety days. Encryption at Rest is an additional layer of encryption on top of the Atlas storage and snapshot volume encryption enabled for all Atlas clusters.

This procedure covers configuring Encryption at Rest via AWS KMS for an Atlas project. For instructions on enabling Encryption at Rest when deploying an Atlas cluster, see Enable Encryption at Rest. For instructions on enabling Encryption at Rest for an existing Atlas cluster, see Enable Encryption at Rest.

For instructions on rotating the currently configured CMK or changing the IAM user credentials for a Atlas project, see Rotate your customer master key.

Prerequisites

The following prerequisites are required to enable Encryption at Rest for a MongoDB project:

  • An AWS customer master key (CMK). See Creating Keys in the AWS documentation for instructions.

  • An AWS IAM user in the same AWS account used to create the AWS CMK. Atlas must have permission to perform the following actions with your key:

    See IAM Users in the AWS documentation for instructions on creating an IAM user.

Atlas uses the same IAM user credentials and CMK settings for all clusters in a project for which Encryption at Rest is enabled.

Restrictions

The following restrictions apply to Encyption at Rest on an Atlas cluster:

  • Clusters must use M10 or larger servers.
  • Sharded clusters are not supported. Your deployment must be a replica set.
  • Continuous Backups are not supported. When enabling backup for a cluster using Encryption at Rest, you must use Cloud Provider Snapshots from AWS or Azure to encrypt your backup snapshots.
  • You cannot enable Encryption at Rest for clusters running on GCP.

Note

Administrators who deploy clusters on GCP and want to enable backup should keep those clusters in a separate project from deployments that use Encryption at Rest or Cloud Provider Snapshots.

Procedure

You must enable Encryption at Rest for a project before you can enable Encryption at Rest for a cluster in that project. See Enable Encryption at Rest for instructions on deploying a cluster with Encryption at Rest. See Modify a Cluster for instructions on enabling Encryption at Rest for an existing cluster.

Note

You must disable Encryption at Rest on each cluster in a project before you can disable the feature for the project.

To enable Encryption at Rest for a project:

1

Log into Atlas.

2

Select a project from the Context menu.

3

Click Security, then Enterprise Security.

4

Toggle the button next to Encryption at Rest to On.

5

Enter your AWS customer master key ID in Customer Master Key ID.

6

Select the AWS region in which you created your AWS CMK from Customer Master Key Region.

Atlas only lists AWS regions that support AWS KMS.

7

Enter your IAM user’s access key ID in Access Key ID.

8

Enter your IAM user’s secret access key in Secret Access Key.

9

Click Save.

Atlas automatically creates an customer master key rotation alert once you configure Encryption at Rest for a project. You can reset this alert at any time by rotating your CMK.