Customer Key Management with AWS KMS

Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Atlas uses your AWS customer master key (CMK) in the AWS Key Management Service (KMS) to encrypt and decrypt your MongoDB master keys. These MongoDB master keys are used to encrypt cluster database files and cloud provider snapshots.

When you use your own cloud provider KMS, Atlas automatically rotates the MongoDB master keys every 90 days. These keys are rotated on a rolling basis and the process does not require the data to be rewritten.

Atlas encrypts your data at rest using encrypted storage media. Using keys you manage with AWS KMS, Atlas encrypts your data a second time when it writes it to the MongoDB encrypted storage engine. You use your AWS CMK to encrypt the MongoDB master encryption keys.

This page covers configuring customer key management using AWS KMS on your Atlas project.

You must configure customer key management for the Atlas project before enabling it on clusters in that project.


To enable customer-managed keys with AWS KMS for a MongoDB project, you must:

  • Have an AWS customer master key (CMK). To learn how to create a key, see Creating Keys in the AWS documentation.

  • Have an AWS IAM user in the same AWS account used to create the AWS CMK. Atlas must have permission to perform the following actions with your key:

    To learn how to create an IAM user, see IAM Users in the AWS documentation.

    Atlas uses the same IAM user credentials and CMK settings for all clusters in a project for which Encryption at Rest is enabled.
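
An added example, not taken from the Atlas documentation: a Python check that the IAM identity policy attached to the Atlas IAM user grants only the expected KMS actions, and only on the project's CMK. The expected action set is an assumption (the list is not shown on this page); the key ARN, account ID and both sample policies are constructed.

```python
# Assumption: the page's list of required actions is missing, so this set is a
# stand-in; replace it with the actions listed in the Atlas documentation.
EXPECTED_ACTIONS = frozenset({"kms:encrypt", "kms:decrypt", "kms:describekey"})

# Constructed sample key ARN (placeholder account and key ID).
SAMPLE_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:"
                  "key/1234abcd-12ab-34cd-56ef-1234567890ab")


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy, key_arn, expected=EXPECTED_ACTIONS):
    """Return sorted findings for an IAM identity policy; [] means scoped."""
    findings, granted = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.add("Allow statement uses NotAction/NotResource")
            continue
        resources = _as_list(stmt.get("Resource", []))
        for res in resources:
            if res != key_arn:
                findings.add(f"resource is not the project CMK: {res}")
        for action in _as_list(stmt.get("Action", [])):
            name = action.lower()  # IAM action names are case-insensitive
            if "*" in name or "?" in name:
                findings.add(f"wildcard action: {action}")
            elif name not in expected:
                findings.add(f"action outside the expected set: {action}")
            elif key_arn in resources:
                granted.add(name)
    for name in sorted(expected - granted):
        findings.add(f"expected action not granted on the CMK: {name}")
    return sorted(findings)


# Constructed sample policies: one scoped to the CMK, one overly broad.
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
    "Resource": SAMPLE_KEY_ARN}]}
BROAD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}

if __name__ == "__main__":
    for label, doc in (("scoped", SCOPED), ("broad", BROAD)):
        print(label, audit_policy(doc, SAMPLE_KEY_ARN))
```

An empty result means the policy grants exactly the expected actions on the one key; any finding is a reason to tighten the policy before entering the user's access key in Atlas.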


Enable Customer-Managed Keys for a Project

You must enable customer key management for a project before you can enable it on a cluster in that project.


Toggle the button next to Encryption at Rest using your Key Management to On.


Configure the KMS settings.

  1. Enter the following information:

    Field: Action

    • Customer Master Key ID: Enter your AWS customer master key ID.

    • Customer Master Key Region: Select the AWS region in which you created your AWS CMK. Atlas only lists AWS regions that support AWS KMS.

    • Access Key ID: Enter your IAM user’s access key ID.

    • Secret Access Key: Enter your IAM user’s secret access key.

  2. Click Save.

Disable Customer-Managed Keys for a Project

You must disable customer key management on each cluster in a project before you can disable the feature for the project.


Atlas automatically creates a customer master key rotation alert once you configure Encryption at Rest for a project.

To reset this alert, rotate your AWS customer master key.