Encrypting Data using Your Own Key

In this lab you will learn how to encrypt data at rest for an Amazon DocumentDB cluster by importing your own key material into a customer managed Customer Master Key (CMK), a feature often known as “bring your own key” (BYOK).

Clusters that you create using the console have encryption at rest enabled by default. If you don’t specify an AWS Key Management Service (KMS) key identifier, Amazon DocumentDB uses the default AWS managed customer master key (CMK) for the service. Some customers have security requirements that call for a customer managed CMK created by importing their own key material. When you use imported key material, you remain responsible for that key material: AWS KMS holds only a copy, which you can delete (or set to expire) at any time. Deleted or expired key material leaves the CMK unusable, and with it the data it protects, until you re-import the same key material, so keep a secure copy of the original outside AWS. For more information, see Importing key material in the AWS KMS documentation.

For either AWS managed or customer managed CMKs, encryption is enabled cluster-wide and applies to all instances, including the primary instance and any replicas. Encryption covers your cluster’s storage volume, data, indexes, logs, automated backups, and snapshots. Note that encryption at rest can only be chosen when the cluster is created; an existing cluster cannot be switched from unencrypted to encrypted afterwards, so the key decision has to be made up front.

When using an Amazon DocumentDB cluster with encryption at rest enabled, you don’t need to modify your application logic or client connection. Amazon DocumentDB handles encryption and decryption of your data transparently, with minimal impact on performance.
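The following is an added example, not code from this lab, showing the BYOK flow described above end to end with boto3-style calls: create a KMS key whose key material origin is EXTERNAL, obtain the import token and wrapping public key, wrap your own AES-256 key material with RSAES_OAEP_SHA_256, import it, create a storage-encrypted cluster that references the key, and finally verify that the cluster really uses that key and that the key is still usable. The KMS and DocumentDB clients are injected so the flow can be exercised offline against the constructed in-memory stand-ins at the bottom; the key ARN, cluster name, credentials and the stand-in wrap used in the offline run are all made up, and the real wrap assumes the `cryptography` package is installed.

```python
"""BYOK for Amazon DocumentDB: create an EXTERNAL-origin KMS key, wrap and import
our own AES-256 key material, create a storage-encrypted cluster that uses it, then
verify. Added example (not lab code); clients are injected so it runs offline against
the stand-ins below, or live with boto3.client("kms") / boto3.client("docdb")."""
import secrets


def wrap_key_material(plaintext_key, wrapping_public_key_der):
    """RSAES-OAEP(SHA-256) wrap with the KMS wrapping key; assumes 'cryptography' is installed."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    public_key = serialization.load_der_public_key(wrapping_public_key_der)
    oaep = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
    return public_key.encrypt(plaintext_key, oaep)


def import_own_key_material(kms, plaintext_key, description, wrap=wrap_key_material):
    """Create an EXTERNAL-origin symmetric KMS key, import our material, return its ARN."""
    if len(plaintext_key) != 32:
        raise ValueError("symmetric KMS key material must be exactly 32 bytes (AES-256)")
    key = kms.create_key(Origin="EXTERNAL", Description=description)["KeyMetadata"]
    # Import token and wrapping public key are single-use and expire after 24 hours.
    params = kms.get_parameters_for_import(KeyId=key["KeyId"], WrappingKeySpec="RSA_2048",
                                           WrappingAlgorithm="RSAES_OAEP_SHA_256")
    kms.import_key_material(KeyId=key["KeyId"], ImportToken=params["ImportToken"],
                            EncryptedKeyMaterial=wrap(plaintext_key, params["PublicKey"]),
                            ExpirationModel="KEY_MATERIAL_DOES_NOT_EXPIRE")
    return key["Arn"]


def create_encrypted_cluster(docdb, cluster_id, kms_key_arn, master_user, master_password):
    """Encryption at rest is fixed at creation time, so StorageEncrypted and KmsKeyId
    must both be set here; they cannot be added to an existing cluster."""
    return docdb.create_db_cluster(DBClusterIdentifier=cluster_id, Engine="docdb",
                                   MasterUsername=master_user, MasterUserPassword=master_password,
                                   StorageEncrypted=True, KmsKeyId=kms_key_arn)["DBCluster"]


def verify_byok(kms, docdb, cluster_id, expected_key_arn):
    """Post-condition check: cluster uses *our* imported key and the key is usable. Returns problems."""
    cluster = docdb.describe_db_clusters(DBClusterIdentifier=cluster_id)["DBClusters"][0]
    meta = kms.describe_key(KeyId=expected_key_arn)["KeyMetadata"]
    problems = []
    if not cluster.get("StorageEncrypted"):
        problems.append("cluster is not storage-encrypted")
    if cluster.get("KmsKeyId") != expected_key_arn:
        problems.append(f"cluster uses {cluster.get('KmsKeyId')!r}, not the imported key")
    if meta.get("Origin") != "EXTERNAL":
        problems.append("key material was generated by KMS, not imported")
    if meta.get("KeyState") != "Enabled":  # PendingImport: never imported, expired or deleted
        problems.append(f"key is not usable: state {meta.get('KeyState')}")
    return problems


class FakeKMS:
    """Constructed in-memory stand-in for boto3's KMS client (offline demo only)."""
    ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-4333-8444-555555555555"  # made up

    def __init__(self):
        self.keys = {}
    def create_key(self, **kw):
        meta = {"KeyId": self.ARN.rsplit("/", 1)[1], "Arn": self.ARN,
                "Origin": kw["Origin"], "KeyState": "PendingImport"}
        self.keys[self.ARN] = meta
        return {"KeyMetadata": meta}
    def get_parameters_for_import(self, **kw):
        return {"ImportToken": b"opaque-token", "PublicKey": b"not-a-real-der-key"}
    def import_key_material(self, **kw):
        self.keys[self.ARN]["KeyState"] = "Enabled"
    def describe_key(self, KeyId):
        return {"KeyMetadata": self.keys[KeyId]}


class FakeDocDB:
    """Constructed stand-in for boto3's DocumentDB client (offline demo only)."""
    def __init__(self):
        self.clusters = {}
    def create_db_cluster(self, **kw):
        cluster = {"StorageEncrypted": kw.get("StorageEncrypted", False), "KmsKeyId": kw.get("KmsKeyId")}
        self.clusters[kw["DBClusterIdentifier"]] = cluster
        return {"DBCluster": cluster}
    def describe_db_clusters(self, DBClusterIdentifier):
        return {"DBClusters": [self.clusters[DBClusterIdentifier]]}


def run_demo(kms=None, docdb=None, wrap=None):
    """Full flow; offline it uses the stand-ins and a stand-in wrap (the fake has no RSA key)."""
    kms, docdb = kms or FakeKMS(), docdb or FakeDocDB()
    wrap = wrap or (lambda key, _pub: b"stand-in-wrapped:" + key)
    key_material = secrets.token_bytes(32)  # in practice generated in and kept by your own HSM
    arn = import_own_key_material(kms, key_material, "DocumentDB BYOK lab key", wrap=wrap)
    create_encrypted_cluster(docdb, "byok-docdb", arn, "labadmin", "replace-with-a-real-secret")
    return arn, verify_byok(kms, docdb, "byok-docdb", arn)


if __name__ == "__main__":
    arn, problems = run_demo()
    print(arn, problems or "OK: cluster is encrypted with the imported key")
```

For a live run, call `run_demo(boto3.client("kms"), boto3.client("docdb"), wrap_key_material)` with credentials that can create KMS keys and DocumentDB clusters. The `verify_byok` check is worth keeping around after the lab: a cluster that reports `StorageEncrypted` but a different `KmsKeyId` is using the AWS managed key rather than your imported one, and a key whose state is `PendingImport` means the imported material has expired or been deleted and the cluster's data is unreadable until you re-import it.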