• Security Features and Setup >
• Encryption at Rest using Customer Key Management >
• Customer Key Management with AWS KMS >
• Rotate your AWS Customer Master Key

Rotate your AWS Customer Master Key

Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

When you use your own cloud provider KMS, Atlas automatically rotates the MongoDB master keys every 90 days. These keys are rotated on a rolling basis and the process does not require the data to be rewritten.

Atlas does not automatically rotate the AWS customer master key (CMK) used for AWS-provided Encryption at Rest.

Atlas automatically creates an alert to remind you to rotate your CMK every 90 days by default when you enable Encryption at Rest for an Atlas project.

AWS KMS supports automatic CMK rotation. AWS automatic CMK rotation does not require you to update the Atlas Encryption at Rest project settings, including the CMK ID.

This page explains how to create a new key and update the CMK ID in Atlas to rotate your Atlas project CMK. This method of key rotation supports more granular control of the rotation period compared to AWS KMS automatic CMK rotation.

Cloud Backups with Encryption at Rest

For clusters using Encryption at Rest and Cloud Backups, Atlas uses the project’s CMK and AWS IAM user credentials at the time of the snapshot to automatically encrypt the snapshot data files. This is an additional layer of encryption on the existing encryption applied to all Atlas storage and snapshot volumes.

Atlas does not re-encrypt snapshots with the new CMK after rotation. Do not delete the old CMK until you check every backup-enabled cluster in the project for any snapshots still using that CMK. Atlas deletes backups in accordance to the Snapshot Scheduling and Retention Policy. After Atlas deletes all snapshots depending on a given CMK, you can delete that CMK safely.

Procedure

1

Navigate to the Advanced page for your project.

1. If it is not already displayed, select the organization that contains your desired project from the office icon Organizations menu in the navigation bar.
2. If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
3. Click Advanced in the sidebar.

2

Click Rotate Keys for the Encryption at Rest Section.

3

Update the AWS CMK details.

1. Enter the following information:

   Field	Action
   Customer Master Key ID	Enter your AWS customer master key ID. Important You must update the key policy to give the IAM user supporting Atlas Encryption at Rest the following permissions to access the provided CMK: DescribeKey :aws:`</kms/latest/APIReference/API_DescribeKey.html> Encrypt :aws:`</kms/latest/APIReference/API_Encrypt.html> Decrypt :aws:`</kms/latest/APIReference/API_Decrypt.html>
   Customer Master Key Region	Select the AWS region in which you created your AWS CMK. Note Atlas only lists AWS regions that support AWS KMS.
   Access Key ID	Enter your IAM user’s access key ID. You can also change the IAM user credentials that Atlas uses to access the CMK.
   Secret Access Key	Enter your IAM user’s secret access key.

2. Click Save.

Atlas displays a banner in the Atlas console during the CMK rotation process. Do not delete or disable the CMK until your changes have deployed.

Related Topics

• To learn more about MongoDB Encryption at Rest, see Encryption at Rest in the MongoDB server documentation.
• To learn more about Encryption at Rest with Cloud Backups, see Encryption at Rest using Customer Key Management.

←   Customer Key Management with AWS KMS Customer Key Management with Azure Key Vault  →

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.