Atlas encrypts all cluster storage and snapshot volumes at rest by default. We can add another layer of protection by bringing our own key from the cloud provider's KMS (a customer-managed key, CMK) and using it with the MongoDB encrypted storage engine, so that Atlas can only read the data while it can reach our key.
In this use case we will use a key that resides inside an Azure Key Vault for encryption at rest in MongoDB Atlas.
Step 1: Query the IPs of the cluster nodes
What this post calls a database (for example 'GTS_DEV_INCOCO_01') is an Atlas project. A project can contain several clusters, and each cluster has one hostname per node, so the number of hostnames depends on how many nodes the cluster has. Let us find the IPs of the nodes of the cluster that we want to encrypt with the Azure CMK.
Connected to the cluster with the Mongo Shell, we execute:
rs.conf()
For example, in this use case the project is 'GTS_DEV_INCOCO_01'. We connect with the Mongo Shell and run rs.conf(). The 'host' field of each entry in 'members' is the hostname (with port) of one node of the replica set.
Next, we query the IP of each hostname with nslookup (or dig). Keep in mind that node IPs can change when a cluster is resized, upgraded or has nodes replaced, so this list has to be re-checked after such changes or the Key Vault firewall will start blocking the cluster.
Step 2: Query the IPs of the MongoDB Atlas control plane
The Atlas control plane publishes both its inbound and its outbound IP ranges, grouped by cloud provider and region, through an unauthenticated endpoint of the Atlas Administration API. To get them execute the following command (no credentials are needed, so the digest-auth option is not required):
curl --header "Accept: application/vnd.atlas.2023-11-15+json" "https://cloud.mongodb.com/api/atlas/v2/unauth/controlPlaneIPAddresses?pretty=true"
Step 3: Establish the connection with Azure Key Vault and MongoDB Atlas
First, to encrypt the cluster in MongoDB Atlas with a Microsoft Azure CMK, we need to allow the connection between MongoDB Atlas and the Azure Key Vault.
In this use case the Azure Key Vault is not open to all public networks. The firewall is enabled at the Key Vault level and only allows certain IPs or Virtual Networks to access the keys or secrets inside the Key Vault, so the addresses Atlas connects from must be allowed explicitly (the 'Allow trusted Microsoft services' exception does not cover Atlas).
In this case we need to add 3 types of IPs to the Key Vault firewall:
3.1. The IP addresses of the cluster nodes (queried in Step 1).
3.2. The outbound IPs of the Atlas control plane for Azure (the 'outbound' / 'azure' entries from Step 2). In this case we need to add the following IPs:
20.53.104.226/32
20.84.232.59/32
20.24.112.135/32
20.96.47.95/32
20.105.25.17/32
20.212.99.191/32
52.149.111.83/32
40.112.209.0/32
3.3. The inbound IPs of the Atlas control plane (the 'inbound' entries from Step 2). In this case we need to add the following IP:
34.237.40.31/32
Strictly, only the outbound addresses originate requests towards the Key Vault; the inbound set is where Atlas receives connections, so allowing it on the vault is harmless but not required. These ranges are published by MongoDB and can change, so re-run the Step 2 query periodically and reconcile the allow list.
Go to the 'Networking' option of the Azure Key Vault and add the IPs in the 'Firewall' section.
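Steps 1 to 3 are easy to get wrong by hand (a node IP is missed, a range is pasted twice, or an inbound address is mistaken for an outbound one). The following script is an added example, not code from the original post or from MongoDB or Microsoft: it takes the document that rs.conf() returns, resolves the member hostnames, selects the outbound Azure ranges from the control-plane document, and turns the result into a deduplicated allow list and the equivalent Azure CLI commands. The rs.conf() document, the control-plane JSON (its layout of direction, provider, region and CIDR list is assumed), the hostnames, the IPs and the vault name are constructed placeholders.

```python
"""Build the Key Vault firewall allow list for an Atlas CMK setup.

Added example, not code from the original post or from MongoDB/Microsoft.
It combines the three inputs gathered by hand in Steps 1-3: replica-set
member hostnames (rs.conf()), their resolved IPs (nslookup), and the Atlas
control-plane ranges. All sample documents, hostnames and IPs below are
constructed placeholders (RFC 5737 / TEST-NET ranges), not a real cluster.
"""
from __future__ import annotations

import ipaddress
import json
import socket

# Constructed sample of the document mongosh prints for `rs.conf()`;
# only `members[].host` is used here.
SAMPLE_RS_CONF = {
    "_id": "atlas-example-shard-0",
    "members": [
        {"_id": 0, "host": "node-00.example.mongodb.net:27017"},
        {"_id": 1, "host": "node-01.example.mongodb.net:27017"},
        {"_id": 2, "host": "node-02.example.mongodb.net:27017"},
    ],
}

# Constructed sample in the assumed shape of the unauthenticated
# /api/atlas/v2/unauth/controlPlaneIPAddresses response:
# direction -> cloud provider -> region -> list of CIDRs.
SAMPLE_CONTROL_PLANE = json.loads("""
{
  "inbound":  {"aws":   {"us-east-1":  ["203.0.113.10/32"]},
               "azure": {"westeurope": ["198.51.100.5/32"]}},
  "outbound": {"aws":   {"us-east-1":  ["203.0.113.20/32"]},
               "azure": {"westeurope":  ["198.51.100.40/32", "198.51.100.41/32"],
                         "northeurope": ["198.51.100.42/32"]}}
}
""")

# Offline stand-in for DNS so the script runs without a real cluster.
# For real use pass resolver=socket.gethostbyname_ex instead.
DEMO_DNS = {
    "node-00.example.mongodb.net": ["203.0.113.101"],
    "node-01.example.mongodb.net": ["203.0.113.102"],
    "node-02.example.mongodb.net": ["203.0.113.103", "203.0.113.103"],
}


def demo_resolver(hostname: str):
    """Mimics socket.gethostbyname_ex: returns (name, aliases, address_list)."""
    return hostname, [], DEMO_DNS[hostname]


def member_hostnames(rs_conf: dict) -> list[str]:
    """Hostnames of every replica-set member, with the :port suffix removed."""
    return [m["host"].rsplit(":", 1)[0] for m in rs_conf["members"]]


def resolve_all(hostnames, resolver=socket.gethostbyname_ex) -> set[str]:
    """Resolve each hostname to all of its A records (a node may have several)."""
    ips: set[str] = set()
    for host in hostnames:
        _name, _aliases, addrs = resolver(host)
        ips.update(addrs)
    return ips


def control_plane_cidrs(doc: dict, direction="outbound", provider="azure",
                        regions=None) -> set[str]:
    """CIDRs for one direction/provider, optionally restricted to `regions`.

    Only `outbound` ranges originate requests towards the vault; the
    `inbound` set is where Atlas listens and is not needed on the vault side.
    """
    out: set[str] = set()
    for region, cidrs in doc[direction][provider].items():
        if regions is None or region in regions:
            out.update(cidrs)
    return out


def build_allow_list(node_ips, cp_cidrs) -> list[str]:
    """Validate, normalise and dedupe everything into one sorted allow list.

    Single hosts are emitted as bare addresses and wider ranges in CIDR
    form. Anything that is not an IP or CIDR raises ValueError instead of
    being silently dropped, so a pasted typo cannot hide in the list.
    """
    nets = {ipaddress.ip_network(x, strict=True) for x in [*node_ips, *cp_cidrs]}
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
            for n in ordered]


def az_commands(vault: str, allow_list, spn_app_id: str) -> list[str]:
    """Azure CLI equivalents of the portal steps (firewall rules + access policy).

    Vault name and SPN appId are placeholders supplied by the caller.
    """
    cmds = [f"az keyvault network-rule add --name {vault} --ip-address {entry}"
            for entry in allow_list]
    # Only the two key permissions the post grants to the SPN (Step 4).
    cmds.append(f"az keyvault set-policy --name {vault} --spn {spn_app_id} "
                "--key-permissions encrypt decrypt")
    return cmds


if __name__ == "__main__":
    hosts = member_hostnames(SAMPLE_RS_CONF)
    node_ips = resolve_all(hosts, resolver=demo_resolver)
    cp = control_plane_cidrs(SAMPLE_CONTROL_PLANE, regions={"westeurope"})
    for line in az_commands("kv-example", build_allow_list(node_ips, cp),
                            "00000000-0000-0000-0000-000000000000"):
        print(line)
```

Restricting control_plane_cidrs to the cluster's region keeps the allow list as small as possible; pass regions=None if Atlas may also reach the vault from other regions. Re-running the script after a cluster change and diffing its output against the vault's current rules is a cheap way to catch drift before Atlas loses access to the key.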
Step 4: Update the Access Policy of the Azure Key Vault
Atlas authenticates to the Key Vault as a service principal (SPN), so that SPN needs the 'Encrypt' and 'Decrypt' key permissions in the Key Vault's Access Policies. In the Azure Key Vault, go to the 'Access Policies' option and add a policy for the Application (client) ID of the SPN we will use in the next step, selecting only Encrypt and Decrypt under key permissions; granting nothing else keeps the SPN to the minimum Atlas needs.
Step 5: Configure the Azure CMK in the project settings of MongoDB Atlas
To configure the Azure CMK in MongoDB Atlas, go to the project (in this case GTS_DEV_INCOCO_01) and open the 'Security -> Advanced' option.
We enable the 'Encryption at Rest using your Key Management' option, select 'AZURE KEY VAULT', and fill in the following details:
-- Account Credentials
Client ID (the Application (client) ID of the SPN from Step 4)
Tenant ID (the Azure AD tenant of the SPN)
Secret (the SPN's client secret; treat it like a password and note its expiry date, because Atlas loses access to the key when it expires)
-- Key Vault Credentials
Subscription ID
Resource Group Name
Key Vault Name
-- Encryption Key
Key Identifier (the full URL of the key in the vault)
Save the changes by clicking 'Save'. Atlas tests the credentials and the Key Vault connection at this point, so a firewall or permission problem from Steps 3 and 4 shows up here.
Step 6: Activate the key for encryption at rest
Step 5 only registers the key at project level; each cluster must opt in. To activate the Azure CMK for a cluster, open the cluster configuration, in this example 'incoco-dev-weu-clu01'. Under 'Additional Settings' enable the 'Manage your own encryption keys' option and select 'Azure Key Vault' from the menu.
Click 'Review' and then 'Apply'.
VALIDATION:
Check the cluster's snapshots: for snapshots taken after the change, the 'Encryption Key ID' field must show the Azure key identifier. From now on the cluster depends on that key, so if the key is disabled or deleted, the SPN secret expires, or the Key Vault firewall stops allowing the Atlas addresses, the cluster's data becomes unreadable; treat the allow list and the key lifecycle as production-critical configuration.