Encryption at Rest via AWS KMS¶

On this page

Prerequisites
Restrictions
Procedure

Feature unavailable in Free and Shared Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Atlas enables you to use the AWS Key Management Service (AWS KMS) to encrypt your MongoDB cluster database files and cloud providers snapshots. MongoDB uses your AWS customer master key (CMK) to encrypt and decrypt your MongoDB master keys, which are used to encrypt your database keys. Atlas automatically rotates your MongoDB master keys every ninety days. Encryption at Rest is an additional layer of encryption on top of the Atlas storage and snapshot volume encryption enabled for all Atlas clusters.

This procedure covers configuring Encryption at Rest via AWS KMS for an Atlas project. For instructions on enabling Encryption at Rest when deploying an Atlas cluster, see Enable Encryption at Rest. For instructions on enabling Encryption at Rest for an existing Atlas cluster, see Enable Encryption at Rest.

For instructions on rotating the currently configured CMK or changing the IAM user credentials for a Atlas project, see Rotate your customer master key.

Prerequisites¶

The following prerequisites are required to enable Encryption at Rest via AWS KMS for a MongoDB project:

An AWS customer master key (CMK). See Creating Keys in the AWS documentation for instructions.
An AWS IAM user in the same AWS account used to create the AWS CMK. Atlas must have permission to perform the following actions with your key:
See IAM Users in the AWS documentation for instructions on creating an IAM user.

Atlas uses the same IAM user credentials and CMK settings for all clusters in a project for which Encryption at Rest is enabled.

Restrictions¶

The following restrictions apply to Encryption at Rest using your Key Management on an Atlas cluster:

Clusters must use M10 or larger servers.
Continuous Backups are not supported. When enabling backup for a cluster using Encryption at Rest using your Key Management, you must use Cloud Provider Snapshots to encrypt your backup snapshots.
You cannot enable Encryption at Rest using your Key Management for clusters running on GCP.

Note

Administrators who deploy clusters on GCP and want to enable backup should keep those clusters in a separate project from deployments that use Encryption at Rest using your Key Management or Cloud Provider Snapshots.

Procedure¶

You must enable Encryption at Rest using your Key Management for a project before you can enable Encryption at Rest using your Key Management for a cluster in that project. See Enable Encryption at Rest for instructions on deploying a cluster with Encryption at Rest using your Key Management. See Modify a Cluster for instructions on enabling Encryption at Rest for an existing cluster.

Note

You must disable Encryption at Rest on each cluster in a project before you can disable the feature for the project.

To enable Encryption at Rest for a project:

1

Log into Atlas.¶

2

3

Click Security, then Enterprise Security.¶

4

Toggle the button next to Encryption at Rest to On.¶

5

Enter your AWS customer master key ID in Customer Master Key ID.¶

6

Select the AWS region in which you created your AWS CMK from Customer Master Key Region.¶

Atlas only lists AWS regions that support AWS KMS.

7

Enter your IAM user’s access key ID in Access Key ID.¶

8

Enter your IAM user’s secret access key in Secret Access Key.¶

9

Click Save.¶

Atlas automatically creates an customer master key rotation alert once you configure Encryption at Rest for a project. You can reset this alert at any time by rotating your CMK.

← Encryption at Rest Using Your Key Management Rotate your customer master key →