Details
Bug
Resolution: Fixed
Major - P3
Description
The documentation and default alerts for KMS rotation by Atlas are confusing.
(From what I understand) Atlas rotates the secondary keys (MongoDB Master Keys) every 90 days automatically and without prompting the Atlas Project administrator. An alert is also enabled by default to prompt the administrator to rotate the Customer Master Key (CMK) every 90 days. This is the external key owned by our customers in their own KMS (AWS KMS, GCP Cloud KMS, Azure Key Vault) and not the secondary keys we create, aka MongoDB Master Keys. However, the docs say it should be rotated every 365 days.
In summary, the Atlas alert is set to 90 days but the docs say 365 days.
https://docs.atlas.mongodb.com/tutorial/security-aws-kms-rotate-key/