Code Summary: Enable Bring Your Own Keys (BYOK) in Atlas
Below is code used to enable the BYOK approach with an M10 Atlas cluster.
Code
Configure Atlas project to use cloud KMS
The following is a curl command used to interact with the MongoDB Atlas API to configure Encryption at Rest using an AWS KMS (Key Management Service) provider.
We create a curl command, passing in our Atlas API credentials, specifying our headers to send and receive data in JSON, and specifying the encryption at rest endpoint with the correct projectId.
Then we define the fields that we want to update, including:
enabled: true - This field activates Encryption at Rest using AWS KMS. Setting it to true ensures that MongoDB Atlas encrypts the data stored on disk using encryption keys managed by AWS KMS.
roleId: <roleid> - This specifies the AWS IAM role that MongoDB Atlas will assume to interact with AWS KMS. The IAM role must have appropriate permissions to use the Customer Master Key (CMK) for encryption and decryption in your AWS account.
customerMasterKeyID: <master-key-id> - This is the unique identifier for the AWS KMS Customer Master Key (CMK) that will be used to encrypt MongoDB Atlas data. You must replace <master-key-id> with the actual CMK ID that resides in AWS KMS.
region: <aws-region> - This specifies the AWS region where the Customer Master Key (CMK) is located. For example, us-east-1 or eu-west-1. MongoDB Atlas uses this region to find the specified CMK.
curl --user "{public key}:{private key}" --digest \
  --header "Accept: application/json" \
  --header "Content-Type: application/json" \
  --include \
  --request PATCH \
  "https://cloud.mongodb.com/api/atlas/v1.0/groups/{projectId}/encryptionAtRest?pretty=true&envelope=true" \
  --data '
  {
    "awsKms": {
      "enabled": true,
      "roleId": "<roleid>",
      "customerMasterKeyID": "<master-key-id>",
      "region": "<aws-region>"
    }
  }'
Verify keys
The following is a curl command used to interact with the MongoDB Atlas API to retrieve the current Encryption at Rest configuration settings for a specific project.
We authenticate with the MongoDB Atlas API using HTTP digest authentication with the provided API keys (<public-key> and <private-key>).
Then we send a GET request to the /encryptionAtRest endpoint for a specific project ({projectId}).
We should receive the current configuration for Encryption at Rest, which includes details about whether encryption is enabled, the type of encryption provider (such as AWS KMS or Azure Key Vault), and other related fields such as role IDs and keys.
curl --user "<public-key>:<private-key>" --digest \
  --header "Accept: application/vnd.atlas.2023-01-01+json" \
  --header "Content-Type: application/json" \
  --include \
  --request GET "https://cloud.mongodb.com/api/atlas/v2/groups/{projectId}/encryptionAtRest"
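To turn the configure and verify steps above into a repeatable check, here is an added Python example (not MongoDB's or Atlas's own code) that builds the PATCH body, rejects a malformed key identifier before anything is sent, and compares the GET response against the key and region you intended. The atlas_request helper, the sample response and the use of the awsKms.valid flag are assumptions made for this example.

```python
"""Build, send and verify an Atlas Encryption at Rest (AWS KMS) configuration.
Added example, standard library only; not Atlas's own tooling."""
import json
import re
import urllib.request

ATLAS_API = "https://cloud.mongodb.com/api/atlas/v1.0"  # endpoint used by the PATCH above
# A KMS key id is a UUID, optionally wrapped in a key ARN.
KEY_ID_RE = re.compile(
    r"^(arn:aws:kms:[a-z0-9-]+:\d{12}:key/)?"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

def build_aws_kms_payload(role_id, cmk_id, region):
    """Return the PATCH body, refusing obviously malformed input up front."""
    if not role_id or not region:
        raise ValueError("roleId and region are required")
    if not KEY_ID_RE.match(cmk_id):
        raise ValueError("customerMasterKeyID must be a KMS key id or key ARN")
    return {"awsKms": {"enabled": True, "roleId": role_id,
                       "customerMasterKeyID": cmk_id, "region": region}}

def check_encryption_config(config, cmk_id, region):
    """Compare a GET /encryptionAtRest response with the intended settings.
    Returns a list of problems; an empty list means the project is using
    the expected customer-managed key."""
    aws = config.get("awsKms") or {}
    problems = []
    if aws.get("enabled") is not True:
        problems.append("awsKms.enabled is not true")
    if aws.get("customerMasterKeyID") != cmk_id:
        problems.append("customerMasterKeyID does not match the expected key")
    if aws.get("region") != region:
        problems.append("region does not match the expected region")
    # Assumed field: Atlas reports valid=false when the role cannot use the key.
    if aws.get("valid") is False:
        problems.append("Atlas reports the KMS key/role combination as invalid")
    return problems

def atlas_request(method, project_id, public_key, private_key, body=None):
    """Call the encryptionAtRest endpoint with HTTP digest auth (curl --digest)."""
    url = f"{ATLAS_API}/groups/{project_id}/encryptionAtRest"
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, public_key, private_key)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Accept": "application/json", "Content-Type": "application/json"})
    with opener.open(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Constructed sample of a GET response after a successful PATCH.
    key = "12345678-1234-1234-1234-123456789012"
    sample = {"awsKms": {"enabled": True, "roleId": "<roleid>", "valid": True,
                         "customerMasterKeyID": key, "region": "us-east-1"}}
    print(check_encryption_config(sample, key, "us-east-1"))  # [] means OK
```

Run it with real credentials by calling atlas_request("PATCH", ...) with the payload and then atlas_request("GET", ...) and passing that result to check_encryption_config.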