Rotate your customer master key

Feature unavailable in Free and Shared Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

For clusters using Atlas Encryption at Rest via AWS KMS, Atlas automatically rotates the MongoDB master keys every 90 days. However, Atlas does not automatically rotate the customer master key (CMK) used for Encryption at Rest. Atlas automatically creates an alert reminding you to rotate your CMK every 365 days by default when you enable Encryption at Rest for a Atlas project.

AWS KMS supports automatic CMK rotation. AWS automatic CMK rotation does not require you to update the Atlas Encryption at Rest project settings, including the CMK ID.

This procedure documents manually rotating your Atlas project CMK by creating a new key and updating the CMK ID in Atlas. Manual key rotation supports more granular control of the rotation period compared to AWS KMS automatic CMK rotation.

For complete documentation on MongoDB Encryption at Rest, including more details on the encryption process, see Encryption at Rest in the MongoDB server documentation.

Cloud Provider Snapshots with Encryption at Rest

For clusters using Encryption at Rest and Cloud Provider Snapshots, Atlas uses the project’s CMK and AWS IAM user credentials at the time of the snapshot to automatically encrypt the snapshot data files. This is an additional layer of encryption on the existing encryption applied to all Atlas storage and snapshot volumes.

Atlas does not re-encrypt snapshots with the new CMK after rotation. Do not delete the old CMK until you check every backup-enabled cluster in the project for any snapshots still using that CMK. Atlas automatically deletes backups in accordance to the Snapshot Scheduling and Retention Policy. Once Atlas deletes all snapshots depending on a given CMK, you can delete that CMK safely.

For complete documentation on Encryption at Rest with Cloud Provider Snapshots, see Cloud Provider Snapshots with Encryption at Rest.



Log into Atlas.


Select a project from the Context menu.


Click Security, then Enterprise Security.


Click Rotate Keys for the Encryption at Rest Section.


Enter your AWS customer master key ID in Customer Master Key ID.

You must update the key policy to give the IAM user supporting Atlas Encryption at Rest the following permissions to access the provided CMK


Select the AWS region in which you created your AWS CMK from Customer Master Key Region.

Atlas only lists AWS regions that support AWS KMS.


Optional: Enter the access key ID for the new IAM user in Access Key ID.

You can also change the Identity and Access Management (IAM) user credentials used by Atlas to access the CMK.


Optional: Enter the secret access key for the new IAM user in Secret Access Key.


Click Save.

Atlas displays a banner in the Atlas UI during the CMK rotation process. Do not delete or disable the CMK until your changes have deployed.