(DOCSP-53997): Disambiguate coupled vs decoupled architecture for search nodes encryption at rest (#14639)

* disambiguate coupled vs decoupled for search nodes encryption at rest

* additional improvements

* Copy review feedback

Author: davidhou17

content/atlas/source/includes/fact-search-node-encryption-coverage.rst

@@ -0,0 +1,9 @@
+By default, MongoDB and :ref:`search processes <about-mongot>` run on the same nodes.
+With this architecture, customer-managed encryption applies to your database data, 
+but it does not apply to search indexes.
+
+When you enable :ref:`dedicated Search Nodes
+<what-is-search-node>`, search processes run on separate nodes. This allows
+you to enable :ref:`Search Node Data Encryption <enable-search-node-encryption>`,
+so you can encrypt both database data and search indexes with the same 
+customer-managed keys for comprehensive encryption coverage.

content/atlas/source/includes/fts/extracts-fts-search-nodes.yaml

@@ -137,11 +137,14 @@ content: |
 ---
 ref: fts-search-nodes-encryption
 content: |
-  You can enable Encryption at Rest with Customer Key Management
-  for all data on Search Nodes to secure your |search-type| workloads 
-  with customer-managed encryption keys. To learn more, see 
+
+  .. include:: /includes/fact-search-node-encryption-coverage.rst
+  
+  To learn more, see 
   :ref:`enable-search-node-encryption`.
 
-  This feature is currently available for Search Nodes on |aws|.
+  .. note::
+
+     .. include:: /includes/fts/facts/fact-search-nodes-kms-availability.rst
 
 ...

content/atlas/source/includes/fts/facts/fact-search-nodes-kms-availability.rst

@@ -0,0 +1,2 @@
+This feature is available across |kms| providers, but the
+Search Nodes must be on |aws|.

content/atlas/source/security-aws-kms.txt

@@ -43,7 +43,7 @@ access to your encryption keys.
 You must configure customer key management for the |service| project
 before enabling it on {+clusters+} in that project.
 
-.. seealso:: 
+.. seealso::
 
    - :ref:`set-up-unified-aws-access`
 
@@ -164,16 +164,21 @@ in |service|:
 
 .. include:: /includes/steps-update-aws-kms-region.rst
 
-Next Steps 
+Next Steps
 ----------
 
 You can use a customer-managed key (CMK) from your |aws| |kms| over
 a public network or over {+aws-pl+}. To learn more, see
-the following: 
+the following:
 
 - :ref:`security-aws-kms-public-network`
 - :ref:`security-aws-kms-pvt-endpoint`
 
+Enable Customer-Managed Keys for Search Nodes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/fact-search-node-encryption-coverage.rst
+
 Related Topics
 --------------
 

content/atlas/source/security-azure-kms.txt

@@ -250,22 +250,31 @@ Access Policy or |azure| :abbr:`RBAC (Role Based Access Control)`.
               ] 
             }
 
-Next Steps 
+Next Steps
 ----------
 
 You can use a customer-managed key (CMK) from Azure Key Vault (AKV) over
 a public network or over |azure| Private Endpoints. To learn more, see
-the following: 
+the following:
 
 - :ref:`security-azure-kms-pvt-endpoint`
 - :ref:`security-azure-kms-public-network`
 
 .. note::
 
    If you've enabled :ref:`security-kms-encryption`, you can
-   perform encrypt and decrypt operations while at least one node 
+   perform encrypt and decrypt operations while at least one node
    is still available during the outage.
 
+Enable Customer-Managed Keys for Search Nodes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/fact-search-node-encryption-coverage.rst
+
+.. note::
+  
+   .. include:: /includes/fts/facts/fact-search-nodes-kms-availability.rst
+
 .. toctree::
    :titlesonly:
 

content/atlas/source/security-gcp-kms.txt

@@ -169,6 +169,15 @@ Alerts
 :alert:`encryption key rotation alert <GCP encryption key elapsed time since last rotation is above (n) days>`
 timer at the completion of this procedure.
 
+Enable Customer-Managed Keys for Search Nodes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/fact-search-node-encryption-coverage.rst
+
+.. note::
+
+   .. include:: /includes/fts/facts/fact-search-nodes-kms-availability.rst
+
 Related Topics
 --------------
 

content/atlas/source/security-kms-encryption.txt

@@ -119,14 +119,13 @@ For existing clusters:
 Enable Customer Key Management for Search Nodes
 -----------------------------------------------
 
-When :ref:`configuring Customer Key Management for your project 
-<atlas-configure-kms>`, you can also enable encryption with 
-Customer Key Management for your :ref:`Search Nodes <what-is-search-node>`. 
+When :ref:`configuring Customer Key Management for your project
+<atlas-configure-kms>`, you can also enable encryption with
+Customer Key Management for your :ref:`Search Nodes <what-is-search-node>`.
 This ensures that your |fts| and {+avs+} workloads, including indexes,
 are fully encrypted with your customer-managed keys.
 
-This feature is available across |kms| providers, but the 
-Search Nodes must be on |aws|.
+.. include:: /includes/fts/facts/fact-search-nodes-kms-availability.rst
 
 To enable Search Node Data Encryption with customer-managed keys:
 

content/atlas/source/security/aws-kms-over-private-endpoint.txt

@@ -26,7 +26,7 @@ of security by configuring all traffic to your |aws| |kms| to use {+aws-pl+}.
 This page describes how to
 set up {+aws-pl+} in your |aws| |kms| to ensure that all traffic between
 |service| and your |aws| |kms| takes place over |aws|\'s private network
-interfaces. 
+interfaces.
 
 Considerations 
 --------------
@@ -388,4 +388,7 @@ Related Topics
   :manual:`Encryption at Rest </core/security-encryption-at-rest/>` in
   the MongoDB server documentation.
 
-- To learn more about Encryption at Rest with {+Cloud-Backup+}s, see :ref:`encrypted-cloud-provider-snapshot`.
+- To learn more about Encryption at Rest with {+Cloud-Backup+}s, see :ref:`encrypted-cloud-provider-snapshot`.
+
+- To enable customer key Management for Search Nodes, see :ref:`Enable Search Node Data Encryption
+  <enable-search-node-encryption>`.

content/atlas/source/security/aws-kms-over-public-network.txt

@@ -19,10 +19,10 @@ Manage Customer Keys with AWS Over a Public Network
    :depth: 2
    :class: singlecol
 
-Encrypt your data at rest in |service| with the customer-managed 
+Encrypt your data at rest in |service| with the customer-managed
 keys (CMK) that you create, own, and manage in your |aws| |kms|.
 
-This page describes how to configure customer key management using |aws| |kms| 
+This page describes how to configure customer key management using |aws| |kms|
 on your |service| project and on the {+clusters+} in that project.
 
 .. _aws-ksm-prereqs:
@@ -108,4 +108,9 @@ setting to :guilabel:`Yes` when you create the {+cluster+}.
 
 For existing {+clusters+}:
 
-.. include:: /includes/steps-cluster-customer-key-management.rst
+.. include:: /includes/steps-cluster-customer-key-management.rst
+
+Enable Customer Key Management for Search Nodes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/fact-search-node-encryption-coverage.rst

content/atlas/source/security/azure-kms-over-private-endpoint.txt

@@ -426,3 +426,6 @@ Related Topics
   the MongoDB server documentation.
 
 - To learn more about Encryption at Rest with {+Cloud-Backup+}s, see :ref:`encrypted-cloud-provider-snapshot`.
+
+- To enable customer key Management for Search Nodes, see 
+  :ref:`Enable Search Node Data Encryption <enable-search-node-encryption>`.