Integrating AWS KMS for multi-tenant apps with 1 DB / tenant

Integrating AWS KMS for multi-tenant apps with 1 DB / tenant right now… I am reading a few articles that say you can generate a master key to encrypt/decrypt multiple MongoDB local keys. How do I do this for multiple master keys if each tenant will have a different master key? How do I also create a DB that shares multiple master keys?


Mark, I’m not super familiar with KMS / Atlas - but I don’t believe you can subdivide keys for a database… That is to say that I believe Atlas enables you to maintain a master key per cluster… The Atlas interface doesn’t have the ability, or the granularity, to let you have multiple keys per cluster, or database. Although you may be able to enc/de-enc multiple local keys - there’s no way in the interface for you to manage the multi-tenancy. I will see if I can find someone more familiar with KMS internally to shed some light.

Please do follow up because I am reading many posts regarding setting up multitenancy via 1 DB per tenant on MongoDB, yet no one seems to know an answer on how that can be securely achieved.

Chatted with some folks today. You can’t do what you’re trying to do on Atlas. You cannot have a different key per collection. You may be able to do this with one key per DB - but Kenn White (our security Guru) has pointed out that unless you’re using FLE and are extremely careful - this is a massive security risk.
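An added example, not from this thread and not MongoDB or AWS code, modelling the hierarchy the original question describes: one master key per tenant, each wrapping only that tenant's local data keys. KMS is replaced by an in-process stand-in (`TenantKms`, an assumption) that uses an HMAC-based toy cipher so it runs offline; the tenant name is bound into each wrapped key as an encryption context, so a data key stored in one tenant's DB cannot be unwrapped under another tenant's master key.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy HMAC-SHA256 counter-mode keystream; stands in for a real AEAD.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap(master_key: bytes, data_key: bytes, context: bytes) -> bytes:
    # Encrypt the data key and authenticate ciphertext + tenant context together.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data_key, _keystream(master_key, nonce, len(data_key))))
    tag = hmac.new(master_key, nonce + ct + context, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(master_key: bytes, blob: bytes, context: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(master_key, nonce + ct + context, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Wrong master key OR wrong tenant context: refuse, never return garbage.
        raise PermissionError("wrapped key is not bound to this master key/tenant")
    return bytes(a ^ b for a, b in zip(ct, _keystream(master_key, nonce, len(ct))))


class TenantKms:
    """Hypothetical stand-in for AWS KMS: one master key per tenant, never exported."""

    def __init__(self) -> None:
        self._masters: dict[str, bytes] = {}

    def create_master_key(self, tenant: str) -> None:
        self._masters[tenant] = secrets.token_bytes(32)

    def generate_data_key(self, tenant: str) -> tuple[bytes, bytes]:
        # Mirrors GenerateDataKey: plaintext key for local use + wrapped copy to store in the DB.
        dek = secrets.token_bytes(32)
        return dek, wrap(self._masters[tenant], dek, tenant.encode())

    def decrypt_data_key(self, tenant: str, blob: bytes) -> bytes:
        return unwrap(self._masters[tenant], blob, tenant.encode())


def can_decrypt(kms: TenantKms, tenant: str, blob: bytes) -> bool:
    try:
        kms.decrypt_data_key(tenant, blob)
        return True
    except PermissionError:
        return False
```

Each tenant's database stores only its wrapped blobs; the plaintext data key lives in process memory for the tenant's own encryption work.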
