Posted On: Nov 29, 2022

Amazon Redshift already supports role-based access control, row-level security, and column-level security to enable organizations to enforce fine-grained security on Redshift data. Amazon Redshift now extends these security features with Dynamic Data Masking (DDM), which simplifies the process of protecting sensitive data in your Amazon Redshift data warehouse. With dynamic data masking, you control access to your data through simple SQL-based masking policies that determine how Redshift returns sensitive data to the user at query time. Dynamic data masking makes it simple for you to adapt to changing privacy requirements without altering the underlying data or updating SQL queries.

With this capability, as a security administrator, you can create masking policies that define consistent, format-preserving, and irreversible masked data values. You can apply masking to a specific column or to a list of columns in a table. You also have the flexibility of choosing how the masked data is shown. For example, you can completely hide all of the information in a column, you can replace part of the real value with wildcard characters, or you can define your own way to mask the data using SQL expressions, Python user-defined functions, or Lambda user-defined functions. Additionally, you can apply conditional masking based on other columns, which selectively protects the column data in a table based on the values in one or more different columns. When you attach a policy to a table, the masking expression can be applied to one or more of its columns.
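The following is an added example, not part of this announcement, showing the three masking styles described above (full, partial via a SQL expression, and conditional on another column) as Redshift DDM policies. The table, column and role names are hypothetical, and the CREATE MASKING POLICY / ATTACH MASKING POLICY statement forms are assumed to match the Amazon Redshift Database Developer Guide.

```sql
-- Added example; not from the announcement. Table, column and role names are
-- hypothetical. Statement syntax is assumed to follow the CREATE MASKING POLICY
-- and ATTACH MASKING POLICY commands in the Redshift Database Developer Guide.

-- Hypothetical table holding sensitive customer data.
CREATE TABLE customers (
    customer_id INT,
    email       VARCHAR(256),
    credit_card VARCHAR(256),
    consent     BOOLEAN      -- whether the customer agreed to share their email
);

-- 1. Full masking: every caller gets a fixed, format-preserving literal.
CREATE MASKING POLICY mask_card_full
WITH (credit_card VARCHAR(256))
USING ('000000XXXXXX0000'::TEXT);

-- 2. Partial masking with a SQL expression: keep the first 6 and last 4 digits,
--    replace the middle with wildcard characters (irreversible for the reader).
CREATE MASKING POLICY mask_card_partial
WITH (credit_card VARCHAR(256))
USING (REGEXP_REPLACE(credit_card, '^([0-9]{6})(.*)([0-9]{4})$', '\\1XXXXXX\\3'));

-- 3. Conditional masking: the policy reads two columns but masks only email,
--    revealing it solely when the consent column is true.
CREATE MASKING POLICY mask_email_by_consent
WITH (email VARCHAR(256), consent BOOLEAN)
USING (CASE WHEN consent THEN email ELSE 'redacted@example.com'::TEXT END);

-- Deny by default: PUBLIC (every user) receives the fully masked card number.
ATTACH MASKING POLICY mask_card_full
ON customers (credit_card)
TO PUBLIC;

-- Members of the analyst role get the partial value instead. PRIORITY decides
-- which attachment applies when a user matches more than one policy.
ATTACH MASKING POLICY mask_card_partial
ON customers (credit_card)
TO ROLE analyst
PRIORITY 10;

-- Conditional policy: both input columns are listed after ON, and USING names
-- the single output column that actually gets masked.
ATTACH MASKING POLICY mask_email_by_consent
ON customers (email, consent)
USING (email)
TO PUBLIC;

-- Check what is attached where before handing the table to users.
SELECT * FROM svv_attached_masking_policy;
```

Because the policies run at query time, the stored values are never changed; to verify the effect, run the same SELECT as a PUBLIC user and as an analyst role member and compare the returned card and email columns.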

Dynamic data masking in Amazon Redshift is available as a preview in the following AWS Regions: US East (Ohio), US East (N. Virginia), US West (Oregon), Asia Pacific (Tokyo), Europe (Ireland), and Europe (Stockholm). You can find more information about DDM in the Amazon Redshift Database Developer Guide.