diff --git a/mongodbatlas/resource_mongodbatlas_encryption_at_rest.go b/mongodbatlas/resource_mongodbatlas_encryption_at_rest.go
index dfb24ca948..1c6692a15b 100644
--- a/mongodbatlas/resource_mongodbatlas_encryption_at_rest.go
+++ b/mongodbatlas/resource_mongodbatlas_encryption_at_rest.go
@@ -106,24 +106,20 @@ func resourceMongoDBAtlasEncryptionAtRest() *schema.Resource {
 },
 "google_cloud_kms": {
 Type: schema.TypeMap,
- ForceNew: true,
 Optional: true,
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
 "enabled": {
 Type: schema.TypeBool,
- ForceNew: true,
 Required: true,
 },
 "service_account_key": {
 Type: schema.TypeString,
- ForceNew: true,
 Required: true,
 Sensitive: true,
 },
 "key_version_resource_id": {
 Type: schema.TypeString,
- ForceNew: true,
 Required: true,
 Sensitive: true,
 },
@@ -138,14 +134,10 @@ func resourceMongoDBAtlasEncryptionAtRestCreate(d *schema.ResourceData, meta int
 conn := meta.(*matlas.Client)

 encryptionAtRestReq := &matlas.EncryptionAtRest{
- GroupID: d.Get("project_id").(string),
- AwsKms: expandAwsKms(d.Get("aws_kms").(map[string]interface{})),
- AzureKeyVault: expandAzureKeyVault(d.Get("azure_key_vault").(map[string]interface{})),
- GoogleCloudKms: matlas.GoogleCloudKms{
- Enabled: pointy.Bool(cast.ToBool(d.Get("google_cloud_kms.enabled"))),
- ServiceAccountKey: cast.ToString(d.Get("google_cloud_kms.service_account_key")),
- KeyVersionResourceID: cast.ToString(d.Get("google_cloud_kms.key_version_resource_id")),
- },
+ GroupID: d.Get("project_id").(string),
+ AwsKms: expandAwsKms(d.Get("aws_kms").(map[string]interface{})),
+ AzureKeyVault: expandAzureKeyVault(d.Get("azure_key_vault").(map[string]interface{})),
+ GoogleCloudKms: expandGCPKms(d.Get("google_cloud_kms").(map[string]interface{})),
 }

 _, _, err := conn.EncryptionsAtRest.Create(context.Background(), encryptionAtRestReq)
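Review bot: The `Sensitive: true` flags on `service_account_key` and `key_version_resource_id` sit inside the `Elem` of a `schema.TypeMap`, and as far as I know helper/schema derives the diff attributes of a map from the map-level schema only, so these nested flags (and the nested `Required`) probably have no effect. With `ForceNew` gone, a key rotation is an in-place update, and the plan for it would then show the old and new service account key unmasked. Consider adding `Sensitive: true,` directly under `Type: schema.TypeMap,` in the `google_cloud_kms` entry, and confirm with a plan run that the values are masked. The schema function starts and ends outside this hunk.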
@@ -184,6 +176,9 @@ func resourceMongoDBAtlasEncryptionAtRestUpdate(d *schema.ResourceData, meta int
 if d.HasChange("azure_key_vault") {
 encrypt.AzureKeyVault = expandAzureKeyVault(d.Get("azure_key_vault").(map[string]interface{}))
 }
+ if d.HasChange("google_cloud_kms") {
+ encrypt.GoogleCloudKms = expandGCPKms(d.Get("google_cloud_kms").(map[string]interface{}))
+ }

 _, _, err = conn.EncryptionsAtRest.Create(context.Background(), encrypt)
 if err != nil {
@@ -227,3 +222,11 @@ func expandAzureKeyVault(azure map[string]interface{}) matlas.AzureKeyVault {
 TenantID: cast.ToString(azure["tenant_id"]),
 }
 }
+
+func expandGCPKms(gcpKms map[string]interface{}) matlas.GoogleCloudKms {
+ return matlas.GoogleCloudKms{
+ Enabled: pointy.Bool(cast.ToBool(gcpKms["enabled"])),
+ ServiceAccountKey: cast.ToString(gcpKms["service_account_key"]),
+ KeyVersionResourceID: cast.ToString(gcpKms["key_version_resource_id"]),
+ }
+}
diff --git a/mongodbatlas/resource_mongodbatlas_encryption_at_rest_test.go b/mongodbatlas/resource_mongodbatlas_encryption_at_rest_test.go
index 62ac6bf12b..d408e0eb70 100644
--- a/mongodbatlas/resource_mongodbatlas_encryption_at_rest_test.go
+++ b/mongodbatlas/resource_mongodbatlas_encryption_at_rest_test.go
@@ -144,6 +144,11 @@ func TestAccResourceMongoDBAtlasEncryptionAtRest_basicGCP(t *testing.T) {
 ServiceAccountKey: os.Getenv("GCP_SERVICE_ACCOUNT_KEY"),
 KeyVersionResourceID: os.Getenv("GCP_KEY_VERSION_RESOURCE_ID"),
 }
+ googleCloudKmsUpdated := matlas.GoogleCloudKms{
+ Enabled: pointy.Bool(true),
+ ServiceAccountKey: os.Getenv("GCP_SERVICE_ACCOUNT_KEY_UPDATED"),
+ KeyVersionResourceID: os.Getenv("GCP_KEY_VERSION_RESOURCE_ID_UPDATED"),
+ }

 resource.ParallelTest(t, resource.TestCase{
 PreCheck: func() { testAccPreCheck(t); testAccPreCheckGPCEnv(t) },
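Review bot: `expandGCPKms` has no doc comment, and its result for an empty map is not obvious from the call sites. `Enabled` is always a non-nil pointer, so when the `google_cloud_kms` block is omitted or removed the struct built for the request carries `Enabled=false` and empty key fields; Create calls the helper unconditionally and Update calls it whenever the block changes. I would state that on the function, e.g. `// expandGCPKms builds the matlas.GoogleCloudKms payload from the google_cloud_kms map; keys missing from the map become false or "".`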
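Review bot: `googleCloudKmsUpdated` reads `GCP_SERVICE_ACCOUNT_KEY_UPDATED` and `GCP_KEY_VERSION_RESOURCE_ID_UPDATED`, but the only precheck visible in this hunk is the existing `testAccPreCheckGPCEnv(t)`, whose body is outside the diff. If that precheck was not extended, a run without the two new variables reaches the update step with empty strings instead of stopping early with a clear message. Add both names to the precheck, or guard at the top of the test with something like `if os.Getenv("GCP_SERVICE_ACCOUNT_KEY_UPDATED") == "" { t.Fatal("GCP_SERVICE_ACCOUNT_KEY_UPDATED must be set") }`. The test function starts and ends outside this hunk.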
@@ -160,6 +165,16 @@ func TestAccResourceMongoDBAtlasEncryptionAtRest_basicGCP(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, "google_cloud_kms.key_version_resource_id", googleCloudKms.KeyVersionResourceID),
 ),
 },
+ {
+ Config: testAccMongoDBAtlasEncryptionAtRestConfigGoogleCloudKms(projectID, &googleCloudKmsUpdated),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName),
+ resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
+ resource.TestCheckResourceAttr(resourceName, "google_cloud_kms.enabled", cast.ToString(googleCloudKmsUpdated.Enabled)),
+ resource.TestCheckResourceAttr(resourceName, "google_cloud_kms.service_account_key", googleCloudKmsUpdated.ServiceAccountKey),
+ resource.TestCheckResourceAttr(resourceName, "google_cloud_kms.key_version_resource_id", googleCloudKmsUpdated.KeyVersionResourceID),
+ ),
+ },
 },
 })
 }
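Review bot: The added step compares `google_cloud_kms.service_account_key` with the real key through `resource.TestCheckResourceAttr`, which reports both the expected and the actual value when the check fails, so a mismatch would write the service account key into the acceptance-test log. For the credential, prefer a presence check, `resource.TestCheckResourceAttrSet(resourceName, "google_cloud_kms.service_account_key"),`, and keep exact comparison for the non-secret attributes. The preceding step starts outside the hunk; if it compares the key the same way, it needs the same change.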