Manage Customer Keys with AWS Over a Public Network
On this page
Encrypt your data at rest in Atlas with the customer-managed keys (CMK) that you create, own, and manage in your AWS KMS.
This page describes how to configure customer key management using AWS KMS on your Atlas project and on the clusters in that project.
Prerequisites
To enable customer-managed keys with AWS KMS for a MongoDB project, you must:
Use an M10 or larger cluster.
Have an AWS IAM role with sufficient privileges. Atlas must have permission to perform the following actions with your key:
Note
If you wish to use the AWS KMS key with an AWS IAM role from a different AWS account instead of that of the IAM role which created the AWS KMS key , ensure you have sufficient privileges:
Add a key policy statement under the AWS KMS key to include the external AWS account.
Add an IAM inline policy for the IAM role in the external AWS account.
For a comprehensive discussion of IAM roles and customer master keys, see the AWS documentation.
After confirming the above privileges, you can follow the usual steps to configure the KMS settings in Atlas, with the following exception:
You must provide the full ARN for the AWS KMS key (e.g.
arn:aws:kms:eu-west-2:111122223333:key/12345678-1234-1234-1234-12345678) instead of the master key ID (e.g.12345678-1234-1234-1234-12345678) in the AWS KMS key ID field.
To learn how to create an IAM role, see IAM Roles in the AWS documentation.
Atlas uses the same IAM role and AWS KMS key settings for all clusters in a project for which Encryption at Rest is enabled.
If your AWS KMS configuration requires it, allow access from Atlas IP addresses and the public IP addresses or DNS hostnames of your cluster nodes so that Atlas can communicate with your KMS. You must include the IP addresses in your managed IAM role policy by configuring IP address condition operators in your policy document. If the node IP addresses change, you must update your configuration to avoid connectivity interruptions.
Procedures
Enable Role-Based Access for Your Encryption Key for a Project
In Atlas, go to the Advanced page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Advanced under the Security heading.
The Advanced page displays.
Click the Authorize a new IAM role link to authorize an AWS IAM role to Atlas to access your AWS KMS keys for encryption at rest.
To create a new AWS IAM role for accessing your AWS KMS keys for encryption at rest, follow the Create New Role with the AWS CLI procedure. If you have an existing AWS IAM role that you want to authorize, follow the Add Trust Relationships to an Existing Role procedure.
Add an access policy to your AWS IAM role via the AWS console or CLI. See Managing IAM policies for more information.
Note
This policy statement allows MongoDB's AWS Principal to use the
customer's KMS key for encryption and decryption operations. The
Atlas Principal is not secret and is used across all Atlas
customers. This is a highly-restricted, purpose-limited AWS
account, with no resources in it other than the IAM user. The
ExternalId in the policy statement is unique for each Atlas
project, but it is not secret. The ExternalId is used to
mitigate the possibility of cross-context (confused deputy)
vulnerabilities. Atlas's use of a common principal to access all
customers' keys is an access pattern recommended by Amazon, as
described here.
The access policy for encryption at rest looks similar to the following:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:DescribeKey" ], "Resource": [ "arn:aws:kms:us-east-1:123456789012:key/12x345y6-7z89-0a12-3456-xyz123456789" ] } ] }
Send a POST request to the cloudProviderAccess endpoint.
Use the API endpoint to create a new AWS IAM role. Atlas will use this role for authentication with your AWS account.
Keep the returned field values atlasAWSAccountArn and
atlasAssumedRoleExternalId handy for use in the next step.
Modify your AWS IAM role trust policy.
Log in to your AWS Management Console.
Navigate to the Identity and Access Management (IAM) service.
Select Roles from the left-side navigation.
Click on the existing IAM role you wish to use for Atlas access from the list of roles.
Select the Trust Relationships tab.
Click the Edit trust relationship button.
Edit the Policy Document. Add a new
Statementobject with the following content.Note
This policy statement allows MongoDB's AWS Principal to use the customer's KMS key for encryption and decryption operations. The Atlas Principal is not secret and is used across all Atlas customers. This is a highly-restricted, purpose-limited AWS account, with no resources in it other than the IAM user. The
ExternalIdin the policy statement is unique for each Atlas project, but it is not secret. TheExternalIdis used to mitigate the possibility of cross-context (confused deputy) vulnerabilities. Atlas's use of a common principal to access all customers' keys is an access pattern recommended by Amazon, as described here.Note
Replace the highlighted lines with values returned from the API call in step 1.
{ "Version": "2020-03-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "<atlasAWSAccountArn>" }, "Action:" "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "<atlasAssumedRoleExternalId>" } } } ] } Click the Update Trust Policy button.
Authorize the newly created IAM role.
Use the API
endpoint to authorize and configure the new IAM Assumed Role ARN.
If the API call is successful, you can use the roleId value when
configuring Atlas services that use AWS.
Enable AWS KMS with Role Authorization on the Project
Send a PATCH request to the encryptionAtRest API endpoint
to update the awsKms.roleId field with your authorized AWS IAM
role ID.
Example
curl --user "{public key}:{private key}" --digest \ --header "Accept: application/json" \ --header "Content-Type: application/json" \ --include \ --request PATCH \ "https://cloud.mongodb.com/api/atlas/v1.0/groups/{groupId}/encryptionAtRest?pretty=true&envelope=true" \ --data ' { "awsKms": { "enabled": true, "roleId": "<roleId>", "customerMasterKeyID": "<master-key-id>", "region": "<aws-region>" } }'
After you enable role-based access for your encryption key for your project, enable customer-managed keys for each Atlas cluster in your project by following Enable Customer Key Management for an Atlas Cluster.
Switch to Role-Based Access for Your Encryption Key for a Project
As of January 26, 2021, AWS requires the use of IAM roles instead of IAM users for managing access to AWS KMS encryption keys within Atlas. If you initially configured your project to use IAM user credentials to access AWS KMS keys, switch to role-based access to comply with this new requirement using the following procedure.
Important
If you switch your encryption keys to role-based access, you can't undo the role-based access configuration and revert to credentials-based access for encryption keys on that project.
In Atlas, go to the Advanced page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Advanced under the Security heading.
The Advanced page displays.
Authorize and assign an AWS IAM role to Atlas to access your AWS KMS keys for encryption at rest.
To create a new AWS IAM role for accessing your AWS KMS keys for encryption at rest, follow the Create New Role with the AWS CLI procedure. If you have an existing AWS IAM role that you want to authorize, follow the Add Trust Relationships to an Existing Role procedure.
To update your encryption key management with the Atlas Administration API, use the same steps outlined in the above procedure.
Enable Customer Key Management for an Atlas Cluster
After you Enable Role-Based Access for Your Encryption Key for a Project, you must enable customer key management for each Atlas cluster that contains data that you want to encrypt.
Note
You must have the Project Owner role to
enable customer key management for clusters in that project.
For new clusters, toggle the Manage your own encryption keys setting to Yes when you create the cluster.
For existing clusters:
In Atlas, go to the Clusters page for your project.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If it's not already displayed, click Clusters in the sidebar.
The Clusters page displays.
Enable cluster encryption.
Expand the Additional Settings panel.
Toggle the Manage your own encryption keys setting to Yes.
Verify the status of the Require Private Networking setting for your cluster.
If you configured Encryption at Rest Using CMK (Over Private Networking) for Atlas at the project level, the status is Active. If you haven't configured any private endpoint connection for your project, the status is Inactive.