In this lab, you will create a new Amazon DocumentDB cluster using the customer managed KMS key created using imported key material (BYOK) in the previous section.
You cannot enable or disable encryption at rest on an existing Amazon DocumentDB cluster; the choice is made only at cluster creation time. You can, however, create a new encrypted cluster from a snapshot of an unencrypted cluster, and you can create a new BYOK encrypted cluster from a snapshot of a cluster encrypted with the default AWS managed key. Both are accomplished the same way: take a snapshot of the cluster, then restore the snapshot to a new cluster while specifying the encryption at rest option, using either the default AWS managed key or a previously created BYOK key. For more information, please refer to the documentation.
Choose Clusters from the Amazon DocumentDB console menu and then choose Create to begin creating a new Amazon DocumentDB cluster encrypted with your customer managed CMK.
For this lab, you’ll use:
Number of instances:
A single instance cluster still provides very good data durability because Amazon DocumentDB writes 6 copies of the data across three availability zones. As a result, single instance clusters may be appropriate for many non-production environments. However, single instance clusters are not recommended for running production workloads, since a single instance offers no failover target.
Save these credentials as you’ll be using them to connect to the Amazon DocumentDB cluster from your AWS Cloud9 environment.
Toggle the Show advanced settings and make these selections:
VPC security groups:
Scroll down to the Encryption-at-rest section. Choose Enable encryption and choose the symmetric key you created in the previous section as the Master key.
Scroll down, uncheck Enable deletion protection, and then click Create Cluster. (Unchecking Enable deletion protection speeds up the resource clean-up at the end of the lab. The best practice is to leave the default Enable deletion protection checked to prevent unintentional cluster deletion.)
Your BYOK encrypted Amazon DocumentDB cluster will be available in a few minutes.
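The same create and snapshot-restore operations the console steps above perform, expressed as boto3 parameter sets with a check that the resulting cluster is actually pinned to your CMK. This is an added example, not part of the lab or of AWS's own tooling; the key ARN, cluster names, security group id, password and sample API response are constructed placeholders (boto3 is only needed for the live calls under `__main__`).

```python
"""Build the Amazon DocumentDB API parameters that fix a cluster to a customer
managed KMS key at creation (or at snapshot restore), and verify the result."""

# Placeholder ARN for the BYOK key created in the previous section (assumption).
BYOK_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def create_cluster_params(cluster_id, username, password, sg_ids, key_arn=BYOK_KEY_ARN):
    """Parameters for docdb.create_db_cluster. Encryption cannot be changed
    later, so StorageEncrypted and KmsKeyId must be set here or never."""
    return {
        "DBClusterIdentifier": cluster_id,
        "Engine": "docdb",
        "MasterUsername": username,
        "MasterUserPassword": password,
        "VpcSecurityGroupIds": sg_ids,
        "StorageEncrypted": True,
        "KmsKeyId": key_arn,
        # The lab unchecks this to speed clean-up; keep it True in production.
        "DeletionProtection": False,
    }


def restore_params(new_cluster_id, snapshot_id, key_arn=BYOK_KEY_ARN):
    """Parameters for docdb.restore_db_cluster_from_snapshot: the path that moves
    an unencrypted or AWS-managed-key cluster onto a BYOK key via a snapshot."""
    return {
        "DBClusterIdentifier": new_cluster_id,
        "SnapshotIdentifier": snapshot_id,
        "Engine": "docdb",
        "KmsKeyId": key_arn,
    }


def check_encryption(describe_response, expected_key_arn):
    """Inspect a describe_db_clusters response and report the encryption posture."""
    cluster = describe_response["DBClusters"][0]
    return {
        "encrypted": bool(cluster.get("StorageEncrypted")),
        "byok_key": cluster.get("KmsKeyId") == expected_key_arn,
        "deletion_protection": bool(cluster.get("DeletionProtection")),
    }


# Constructed sample response, shaped like the real DescribeDBClusters output.
SAMPLE_RESPONSE = {"DBClusters": [{"DBClusterIdentifier": "byok-lab-cluster",
    "StorageEncrypted": True, "KmsKeyId": BYOK_KEY_ARN, "DeletionProtection": False}]}

if __name__ == "__main__":
    import boto3  # live calls only; a DB instance must still be added with create_db_instance
    docdb = boto3.client("docdb")
    docdb.create_db_cluster(**create_cluster_params(
        "byok-lab-cluster", "labuser", "REPLACE-ME", ["sg-0123456789abcdef0"]))
    print(check_encryption(docdb.describe_db_clusters(
        DBClusterIdentifier="byok-lab-cluster"), BYOK_KEY_ARN))
```

Running `check_encryption` against a cluster whose `byok_key` comes back False is the quickest way to catch a cluster that was created with the default AWS managed key by mistake.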
Congratulations! You have successfully created an Amazon DocumentDB cluster using a customer managed CMK created with imported key material.
You may now proceed to the next lab. Or, you may proceed to the Clean up section of the Security lab for instructions on how to delete the BYOK cluster created for this lab.
Optional: If you want to test access to your BYOK encrypted Amazon DocumentDB cluster, wait for the Primary instance to become available. Then go to the Query Cluster lab in the Introduction to install the Mongo shell and run some queries using the BYOK encrypted cluster’s endpoint.