AWS DocumentDB Database is not encrypted with the Customer Master Key (CMK)


Amazon DocumentDB (with MongoDB compatibility) supports encryption at rest through AWS Key Management Service (KMS). Encryption is decided when the cluster is created and cannot be changed afterwards. If you enable it without naming a key, DocumentDB uses the AWS managed key (alias aws/rds), which AWS creates and controls on your behalf: you cannot edit its key policy, add grants, choose its rotation schedule, or disable or delete it. A customer managed key (CMK) gives you all of those controls plus per-key CloudTrail usage logs, which is why this check flags clusters that are unencrypted or encrypted under the AWS managed key. Such clusters leave you with little control over the key protecting the data and may not satisfy compliance requirements that mandate customer-controlled keys.


1. Encrypt Existing DocumentDB Clusters with a CMK:

AWS Management Console:
  • Navigate to the DocumentDB dashboard.
  • Choose the cluster you wish to modify.
  • Note: An existing cluster's encryption settings cannot be modified in place. Instead, take a snapshot of the cluster, copy the snapshot with your CMK selected, and restore a new cluster from the encrypted copy. The restored cluster has a new endpoint and no instances, so plan a maintenance window to add instances, repoint applications, and retire the old cluster once the restored data has been verified.

AWS CLI:
The same sequence from the command line (replace the placeholder names; the key may be given as a key ID, key ARN or alias). If the source cluster is already encrypted with the AWS managed key, the copy step re-encrypts the snapshot under your CMK. Wait for each snapshot to report Status "available" (aws docdb describe-db-cluster-snapshots) before running the next command:

aws docdb create-db-cluster-snapshot --db-cluster-snapshot-identifier YourSnapshotName --db-cluster-identifier YourClusterName

aws docdb copy-db-cluster-snapshot --source-db-cluster-snapshot-identifier YourSnapshotName --target-db-cluster-snapshot-identifier YourEncryptedSnapshotName --kms-key-id YourCMKKeyID

aws docdb restore-db-cluster-from-snapshot --db-cluster-identifier YourNewEncryptedClusterName --snapshot-identifier YourEncryptedSnapshotName --engine docdb --kms-key-id YourCMKKeyID

Restoring creates only the cluster; it cannot serve traffic until at least one instance is added:

aws docdb create-db-instance --db-instance-identifier YourNewEncryptedClusterName-1 --db-instance-class db.r6g.large --engine docdb --db-cluster-identifier YourNewEncryptedClusterName
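The steps above, driven end to end with boto3, as an added example (this is not code from the original page or from AWS). It waits for each snapshot to become available, verifies that the restored cluster really reports StorageEncrypted, and adds the instances that the restore step does not create. The docdb client is passed in as a parameter so the workflow can be exercised against a fake; every identifier and the instance class are placeholder assumptions.

```python
"""Move an existing Amazon DocumentDB cluster onto a customer managed KMS key.

Added example (not from the original page or from AWS): snapshot -> encrypted
copy -> restore -> add instances, through boto3's docdb client. The client is a
parameter so the logic can run against a fake; all identifiers are placeholders.
"""
import time


def wait_for_snapshot(docdb, snapshot_id, poll_seconds=30, max_polls=240):
    """Poll DescribeDBClusterSnapshots until the snapshot is 'available'.

    Raises on terminal failure states instead of waiting out the timeout.
    """
    for _ in range(max_polls):
        resp = docdb.describe_db_cluster_snapshots(
            DBClusterSnapshotIdentifier=snapshot_id)
        status = resp["DBClusterSnapshots"][0]["Status"]
        if status == "available":
            return status
        if status in ("failed", "deleted", "deleting"):
            raise RuntimeError(f"snapshot {snapshot_id} entered state {status}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"snapshot {snapshot_id} not available after {max_polls} polls")


def reencrypt_cluster(docdb, cluster_id, kms_key_id, new_cluster_id,
                      instance_class, instance_count=1, poll_seconds=30):
    """Snapshot cluster_id, re-encrypt the snapshot under kms_key_id and restore
    it as new_cluster_id with instance_count instances. Returns what was created."""
    src_snap = f"{cluster_id}-pre-cmk"
    enc_snap = f"{cluster_id}-cmk"

    docdb.create_db_cluster_snapshot(DBClusterSnapshotIdentifier=src_snap,
                                     DBClusterIdentifier=cluster_id)
    wait_for_snapshot(docdb, src_snap, poll_seconds)

    # Copying with KmsKeyId produces a snapshot encrypted under the customer managed key.
    docdb.copy_db_cluster_snapshot(SourceDBClusterSnapshotIdentifier=src_snap,
                                   TargetDBClusterSnapshotIdentifier=enc_snap,
                                   KmsKeyId=kms_key_id)
    wait_for_snapshot(docdb, enc_snap, poll_seconds)

    # Restoring from an encrypted snapshot always yields an encrypted cluster; the
    # key defaults to the snapshot's key, but passing it makes the intent explicit.
    restored = docdb.restore_db_cluster_from_snapshot(
        DBClusterIdentifier=new_cluster_id, SnapshotIdentifier=enc_snap,
        Engine="docdb", KmsKeyId=kms_key_id)
    cluster = restored["DBCluster"]
    if not cluster.get("StorageEncrypted"):
        raise RuntimeError(f"{new_cluster_id} restored without storage encryption")

    # The restore creates only the cluster; it cannot serve traffic until it has instances.
    instances = []
    for n in range(1, instance_count + 1):
        inst_id = f"{new_cluster_id}-{n}"
        docdb.create_db_instance(DBInstanceIdentifier=inst_id,
                                 DBInstanceClass=instance_class, Engine="docdb",
                                 DBClusterIdentifier=new_cluster_id)
        instances.append(inst_id)

    return {"source_snapshot": src_snap, "encrypted_snapshot": enc_snap,
            "cluster": new_cluster_id, "kms_key_id": cluster.get("KmsKeyId"),
            "instances": instances}


if __name__ == "__main__":
    import boto3  # live run against your account; the names below are placeholders
    print(reencrypt_cluster(boto3.client("docdb"), "YourClusterName",
                            "alias/YourCMKAlias", "YourNewEncryptedClusterName",
                            "db.r6g.large"))
```

The identity running this needs kms:DescribeKey, kms:CreateGrant and kms:GenerateDataKey on the target key (through the key policy or an IAM policy) in addition to the DocumentDB permissions, otherwise the copy step fails. Cutover (repointing applications to the new endpoint and deleting the old cluster) is deliberately left to the operator.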

2. Use Encryption with CMK for New DocumentDB Clusters:

AWS Management Console:
  • Navigate to the DocumentDB dashboard.
  • Click on "Create database".
  • Under "Encryption-at-rest", enable encryption and select your Customer Master Key (CMK) from the key dropdown rather than the default AWS managed key (aws/rds).

AWS CLI:
The cluster must be created with both --storage-encrypted and your key; --engine docdb and the master credentials are required parameters:

aws docdb create-db-cluster --db-cluster-identifier YourClusterName --engine docdb --master-username YourMasterUser --master-user-password YourMasterPassword --storage-encrypted --kms-key-id YourCMKKeyID

To ensure DocumentDB clusters are created with encryption using a CMK in Terraform (the example assumes a sensitive input variable docdb_master_password is declared elsewhere in the module; storage_encrypted and kms_key_id are immutable, so changing either on an existing resource forces Terraform to replace the cluster):

resource "aws_docdb_cluster" "example" {
  cluster_identifier  = "my-docdb-cluster"
  engine              = "docdb"
  master_username     = "root"
  master_password     = var.docdb_master_password # sensitive variable; never hard-code credentials in .tf files
  skip_final_snapshot = true
  storage_encrypted   = true                      # cannot be changed after creation
  kms_key_id          = "arn:aws:kms:region:account-id:key/key-id" # ARN of your customer managed key; also immutable
}

3. Audit and Monitor:

  • Use AWS Config to detect non-compliant clusters. The managed rule docdb-cluster-encrypted reports only whether storage encryption is enabled; to catch clusters encrypted with the AWS managed key (aws/rds) rather than your CMK, add a custom rule or a scheduled check that resolves each cluster's KmsKeyId with KMS DescribeKey and inspects KeyManager ("AWS" versus "CUSTOMER").
  • Enable AWS CloudTrail and alert on CreateDBCluster and RestoreDBClusterFromSnapshot events that omit your key (encryption cannot be changed in place, so these creation events are where drift enters) and on KMS events against the key itself (DisableKey, ScheduleKeyDeletion, PutKeyPolicy), since a disabled or deleted key makes the cluster's data unreadable.
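The key-ownership check described in the first bullet, as an added example (not code from the original page, AWS Config, or AWS). It classifies each DescribeDBClusters entry as unencrypted, encrypted with an AWS managed key, or encrypted with a customer managed key by resolving the cluster's KmsKeyId through KMS DescribeKey. The cluster and key records embedded below are constructed sample data shaped like the real API responses; the live path at the bottom assumes boto3 credentials for the account being audited.

```python
"""Audit Amazon DocumentDB clusters for customer managed key encryption.

Added example, not from the original page or from AWS. AWS Config's managed rule
only reports whether storage encryption is on; this resolves each cluster's
KmsKeyId through KMS DescribeKey and reports who manages the key. The embedded
API responses are constructed sample data, not captured from a real account.
"""

UNENCRYPTED = "unencrypted"
AWS_MANAGED = "aws-managed-key"
CUSTOMER_MANAGED = "customer-managed-key"


def classify_cluster(cluster, describe_key):
    """Classify one DescribeDBClusters entry.

    describe_key maps a key ID or ARN to a KMS DescribeKey response; KeyManager is
    "AWS" for the service default key (aws/rds) and "CUSTOMER" for your own keys.
    """
    if not cluster.get("StorageEncrypted"):
        return UNENCRYPTED
    key_id = cluster.get("KmsKeyId")
    if not key_id:
        raise ValueError(f"{cluster['DBClusterIdentifier']} is encrypted but has no KmsKeyId")
    manager = describe_key(key_id)["KeyMetadata"]["KeyManager"]
    return CUSTOMER_MANAGED if manager == "CUSTOMER" else AWS_MANAGED


def audit_clusters(clusters, describe_key):
    """Return ({cluster_id: classification}, sorted ids that are not on a CMK)."""
    results = {c["DBClusterIdentifier"]: classify_cluster(c, describe_key) for c in clusters}
    noncompliant = sorted(cid for cid, state in results.items() if state != CUSTOMER_MANAGED)
    return results, noncompliant


# Constructed sample data: one AWS managed key, one customer managed key, three clusters.
KEY_AWS = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000001"
KEY_CUSTOMER = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-0000-0000-0000-000000000002"
SAMPLE_KEYS = {
    KEY_AWS: {"KeyMetadata": {"KeyId": KEY_AWS, "KeyManager": "AWS"}},
    KEY_CUSTOMER: {"KeyMetadata": {"KeyId": KEY_CUSTOMER, "KeyManager": "CUSTOMER"}},
}
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "legacy-docdb", "StorageEncrypted": False},
    {"DBClusterIdentifier": "analytics-docdb", "StorageEncrypted": True, "KmsKeyId": KEY_AWS},
    {"DBClusterIdentifier": "payments-docdb", "StorageEncrypted": True, "KmsKeyId": KEY_CUSTOMER},
]


def sample_audit():
    """Run the audit over the constructed sample data."""
    return audit_clusters(SAMPLE_CLUSTERS, lambda key_id: SAMPLE_KEYS[key_id])


if __name__ == "__main__":
    import boto3  # live run; requires docdb:DescribeDBClusters and kms:DescribeKey
    docdb, kms = boto3.client("docdb"), boto3.client("kms")
    clusters = []
    # DescribeDBClusters is shared with RDS-family engines; filter to DocumentDB only.
    for page in docdb.get_paginator("describe_db_clusters").paginate(
            Filters=[{"Name": "engine", "Values": ["docdb"]}]):
        clusters.extend(page["DBClusters"])
    results, noncompliant = audit_clusters(clusters, lambda k: kms.describe_key(KeyId=k))
    for cid, state in sorted(results.items()):
        print(f"{cid}: {state}")
    raise SystemExit(1 if noncompliant else 0)
```

The non-zero exit status lets the script run as a scheduled job or as the evaluation logic behind a custom AWS Config rule; the classification is kept separate from the AWS calls so the same function can be unit-tested against recorded responses.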

4. Policy and Training:

Educate team members about the importance of using customer-managed keys for DocumentDB encryption. Regularly update this policy and conduct training sessions to ensure compliance.

Utilizing a Customer Master Key (CMK) for your AWS DocumentDB encryption provides an additional layer of control and security, ensuring you're meeting best security practices and compliance requirements.