Create Amazon DocumentDB Cluster encrypted with a Customer Managed Key

In this lab, you will create a new Amazon DocumentDB cluster using the customer managed KMS key created using imported key material (BYOK) in the previous section.

You cannot enable or disable encryption at rest on an existing Amazon DocumentDB cluster; the choice is made only at cluster creation time. You can, however, create a new encrypted cluster from a snapshot of an unencrypted cluster, and you can create a new BYOK encrypted cluster from a snapshot of a cluster encrypted with the default AWS managed key. Both are accomplished the same way: take a snapshot of the existing cluster, then restore the snapshot to a new cluster while specifying the encryption at rest option, using either the default AWS managed key or a previously created BYOK key. For more information, please refer to the documentation.

Create Cluster

Choose Clusters from the Amazon DocumentDB console menu and then choose Create to begin creating a new Amazon DocumentDB cluster encrypted with your customer managed CMK.

Amazon DocumentDB Console Home

For this lab, you’ll use:

Cluster identifier: BYOK-getting-started-with-documentdb

Engine Version: 4.0.0

Instance class: db.t3.medium

Number of instances: 1

A single instance cluster still provides very good data durability, because Amazon DocumentDB writes six copies of the data across three Availability Zones. Durability is not availability, though: with one instance there is nothing to fail over to if that instance or its Availability Zone becomes unavailable. Single instance clusters may therefore be appropriate for many non-production environments, but they are not recommended for production workloads.

Master username: labuser

Master password: ********

Save these credentials as you’ll be using them to connect to the Amazon DocumentDB cluster from your AWS Cloud9 environment.

Amazon DocumentDB Console Create Default

Toggle the Show advanced settings and make these selections:

VPC: labs-VPC

Subnet group: labs-vpc-subnet-group

VPC security groups: docDbInbound

Amazon DocumentDB Console Create Network Settings

Scroll down to the Encryption-at-rest section. Choose Enable encryption and choose the symmetric key you created in the previous section as the Master key. The key must be a symmetric encryption KMS key in the same AWS Region as the cluster, which is why only keys from the current Region are offered in the list.

Amazon DocumentDB Console choose key

Scroll down, uncheck Enable deletion protection, and then click Create Cluster. (Unchecking Enable deletion protection will speed the resource clean up activity at the end of the lab. The best practice is to leave the default Enable deletion protection checked to prevent unintentional cluster deletion.)

Amazon DocumentDB Console Created

Your BYOK encrypted Amazon DocumentDB cluster will be available in a few minutes.


Congratulations! You have successfully created an Amazon DocumentDB cluster using a customer managed CMK created with imported key material.
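Before relying on the new cluster, it is worth confirming from the API rather than the console that it really is encrypted with the BYOK key and not left unencrypted or silently using the AWS managed aws/rds key. The script below is an added example, not part of this lab or of the AWS console; it consumes the JSON returned by `aws docdb describe-db-clusters --db-cluster-identifier <id>` and `aws kms describe-key --key-id <key ARN>` and reports findings. The embedded inputs are constructed samples, and the account ID 111122223333, the Region us-east-1 and the key ID are illustrative assumptions.

```python
"""Post-creation check that an Amazon DocumentDB cluster is encrypted at rest with
the intended BYOK customer managed key.

Added example, not part of the lab. It consumes the JSON returned by
`aws docdb describe-db-clusters --db-cluster-identifier <id>` and
`aws kms describe-key --key-id <key ARN>`; the embedded inputs are constructed
samples (account 111122223333, Region us-east-1 and the key ID are illustrative).
"""
import re

# Key ARN shape: arn:<partition>:kms:<region>:<account>:key/<36-character key id>
KMS_KEY_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)?:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/[0-9a-f-]{36}$"
)
# DocumentDB cluster ARNs are issued under the rds service namespace.
CLUSTER_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)?:rds:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):cluster:[a-z0-9-]+$"
)

# Illustrative ARN of the BYOK key created in the previous section (assumed value).
EXPECTED_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def sample_describe_clusters(storage_encrypted=True, kms_key_id=EXPECTED_KEY_ARN):
    """Constructed stand-in for `aws docdb describe-db-clusters` output."""
    cluster = {
        # The service stores identifiers in lowercase, however they were typed in the console.
        "DBClusterIdentifier": "byok-getting-started-with-documentdb",
        "DBClusterArn": "arn:aws:rds:us-east-1:111122223333:cluster:byok-getting-started-with-documentdb",
        "Engine": "docdb",
        "EngineVersion": "4.0.0",
        "StorageEncrypted": storage_encrypted,
    }
    if storage_encrypted:
        cluster["KmsKeyId"] = kms_key_id  # field is absent on unencrypted clusters
    return {"DBClusters": [cluster]}


def sample_describe_key(origin="EXTERNAL", key_state="Enabled",
                        expiration_model="KEY_MATERIAL_DOES_NOT_EXPIRE", valid_to=None):
    """Constructed stand-in for `aws kms describe-key` output for the BYOK key."""
    meta = {
        "Arn": EXPECTED_KEY_ARN,
        "KeyManager": "CUSTOMER",
        "KeySpec": "SYMMETRIC_DEFAULT",
        "KeyState": key_state,
        "Origin": origin,
        "ExpirationModel": expiration_model,
    }
    if valid_to:
        meta["ValidTo"] = valid_to
    return {"KeyMetadata": meta}


def check_cluster_encryption(describe_clusters, cluster_id, expected_key_arn, key_metadata=None):
    """Return a list of findings; an empty list means the cluster passes every check."""
    findings = []
    cluster = next((c for c in describe_clusters.get("DBClusters", [])
                    if c.get("DBClusterIdentifier", "").lower() == cluster_id.lower()), None)
    if cluster is None:
        return [f"cluster {cluster_id!r} not present in describe-db-clusters output"]

    # Encryption at rest is fixed at creation time; an unencrypted cluster can only be
    # fixed by snapshotting it and restoring the snapshot with a KMS key.
    if not cluster.get("StorageEncrypted"):
        return ["StorageEncrypted is false: snapshot and restore with a KMS key to get an encrypted cluster"]

    key_arn = cluster.get("KmsKeyId", "")
    if KMS_KEY_ARN.match(key_arn) is None:
        return [f"KmsKeyId {key_arn!r} is not a KMS key ARN"]

    # The AWS managed aws/rds key also appears here as a plain key ARN, so only an
    # exact match proves the cluster uses the customer managed key.
    if key_arn != expected_key_arn:
        findings.append(f"cluster uses {key_arn}, expected {expected_key_arn}")

    # DocumentDB only accepts a key in the cluster's own Region, so an expected key
    # from another Region is a mistake in the expectation itself.
    expected = KMS_KEY_ARN.match(expected_key_arn)
    cluster_arn = CLUSTER_ARN.match(cluster.get("DBClusterArn", ""))
    if expected and cluster_arn and expected["region"] != cluster_arn["region"]:
        findings.append(f"expected key is in {expected['region']} but the cluster is in {cluster_arn['region']}")

    if key_metadata is not None:
        meta = key_metadata.get("KeyMetadata", {})
        if meta.get("Arn") != key_arn:
            findings.append("describe-key output is for a different key than the cluster uses")
        if meta.get("KeyManager") != "CUSTOMER":
            findings.append("key is AWS managed, not a customer managed key")
        if meta.get("KeySpec") != "SYMMETRIC_DEFAULT":
            findings.append("key is not a symmetric encryption key")
        if meta.get("Origin") != "EXTERNAL":
            findings.append("key material was not imported (Origin != EXTERNAL), so this is not a BYOK key")
        if meta.get("KeyState") != "Enabled":
            findings.append(f"key state is {meta.get('KeyState')}: the cluster's storage is unreadable until the key is Enabled")
        if meta.get("ExpirationModel") == "KEY_MATERIAL_EXPIRES":
            findings.append(f"imported key material expires at {meta.get('ValidTo')}: re-import it before then or the key leaves the Enabled state and the cluster becomes inaccessible")
    return findings


if __name__ == "__main__":
    good = check_cluster_encryption(sample_describe_clusters(), "BYOK-getting-started-with-documentdb",
                                    EXPECTED_KEY_ARN, sample_describe_key())
    print("BYOK cluster:", good or "PASS")
    bad = check_cluster_encryption(sample_describe_clusters(storage_encrypted=False),
                                   "BYOK-getting-started-with-documentdb", EXPECTED_KEY_ARN)
    print("unencrypted cluster:", bad)
```

The key metadata checks matter for BYOK specifically: a cluster whose key is Enabled today becomes inaccessible if the imported key material later expires or is deleted from KMS, so checking ExpirationModel and ValidTo belongs in the same routine as the encryption check.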

You may now proceed to the next lab. Or, you may proceed to the Clean up section of the Security lab for instructions on how to delete the BYOK cluster created for this lab.

Optional: If you want to test access to your BYOK encrypted Amazon DocumentDB cluster, wait for the Primary instance to become available. Then go to the Query Cluster lab in the Introduction to install the Mongo shell and run some queries using the BYOK encrypted cluster’s endpoint.