Navigation

Customer Key Management with AWS KMS

You can configure your Atlas project to use an AWS IAM role for accessing your AWS KMS keys for encryption at rest. You can either use an existing role or create a new role when you enable encryption at rest for your project.

This page covers configuring customer key management on your Atlas project for role-based access.

If you have not yet enabled encryption at rest for your new or existing Atlas project, follow the Enable Role-Based Access to Your Encryption Key for a Project procedure to enable encryption at rest for your Atlas project. If you have an Atlas project for which you have already enabled encryption at rest and configured credentials-based access to your encryption keys, follow the Switch to Role-Based Access to Your Encryption Key for a Project procedure to switch to role-based access to your encryption keys.

You must configure customer key management for the Atlas project before enabling it on clusters in that project.

Tip
See also:

To enable customer-managed keys with AWS KMS for a MongoDB project, you must:

  • Have an AWS customer master key (CMK). To learn how to create a key, see Creating Keys in the AWS documentation.

  • Have an AWS IAM user with sufficient privileges. Atlas must have permission to perform the following actions with your key:

    Note

    If you wish to use the AWS CMK with an AWS IAM user from a different AWS account instead of the IAM user who created the AWS CMK, ensure you have sufficient privileges:

    • Add a key policy statement under the AWS CMK to include the external AWS account.
    • Add an IAM inline policy for the IAM user in the external AWS account.

    For a comprehensive discussion of IAM roles and customer master keys, see the AWS documentation.

    After confirming the above privileges, you can follow the usual steps to configure the KMS settings in Atlas, with the following exception:

    • You must provide the full ARN for the CMK (e.g. arn:aws:kms:eu-west-2:111122223333:key/12345678-1234-1234-1234-12345678) instead of the master key ID (e.g. 12345678-1234-1234-1234-12345678) in the CMK ID field.

    To learn how to create an IAM user, see IAM Users in the AWS documentation.

    Atlas uses the same IAM user credentials and CMK settings for all clusters in a project for which Encryption at Rest is enabled.

  • If your AWS KMS configuration requires it, allow access from Atlas IP addresses and the public IP addresses or DNS hostnames of your cluster nodes so that Atlas can communicate with your KMS. If the node IP addresses change, you must update your configuration to avoid connectivity interruptions.
Important

If you switch your Atlas project from credentials-based access to role-based access to your encryption keys, you cannot undo the role-based access configuration and revert to credentials-based access for that project.

After you Enable Role-Based Access to Your Encryption Key for a Project, you must enable customer key management for each Atlas cluster that contains data that you want to encrypt.

Note

You must have the Project Owner role to enable customer key management for clusters in that project.

For new clusters, toggle the Manage your own encryption keys setting to Yes when you create the cluster.

For existing clusters:

1

Navigate to the Clusters page for your project.

  1. If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
  2. If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
  3. If the Clusters page is not already displayed, click Clusters in the sidebar.
2

For the cluster that contains data that you want to encrypt, click the ellipses ..., then select Edit Configuration.

3
  1. Expand the Additional Settings panel.
  2. Toggle the Manage your own encryption keys setting to Yes.
4
  1. Click Review Changes.
  2. Review your changes, then click Apply Changes to update your cluster.

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.

Give Feedback

On this page