Uploaded image for project: 'Documentation'
  1. Documentation
  2. DOCS-14706

[Atlas] AWS KMS encryption keys for customer key management with an AWS IAM role



    • Improvement
    • Status: Closed
    • Minor - P4
    • Resolution: Fixed
    • None
    • None
    • Atlas
    • None
    • 3
    • CET: Zombies (10-16 Aug 2021), CET: Axolotl (17-23 Aug 2021)
    • true


      Documentation Link - https://docs.atlas.mongodb.com/security-aws-kms/

      Hello Team,

      Recently, we have Introduced the ability to use an AWS IAM role to authorize Atlas to access: - AWS KMS encryption keys for customer key management as documented here.

      Therefore, customer cannot use an AWS IAM user for new clusters anymore.

      However, I still can see that our document mentions about an IAM user. Therefore, could you please update our document accordingly to change it to an AWS IAM role.

      For example)

      Have an AWS IAM user with sufficient privileges. 

      In addition to that, can you please add an note to make sure that the new IAM role can access the old CMK when switching their Atlas project from credentials-based access to role-based access to their encryption keys AND changing the CMK at the same time? I have a customer who had an issue when switching credential based encryption at rest to role based encryption at rest AND the KMS keys were also being switched from the old keys as the new IAM role didn't have privileges to access the old CMK.




            zach.carr@mongodb.com Zachary Carr
            seunghyoung.lee@mongodb.com Seunghyoung Lee
            Zachary Carr Zachary Carr
            Seunghyoung Lee
            0 Vote for this issue
            2 Start watching this issue


              1 year, 15 weeks, 5 days ago