Posted On: Apr 20, 2023

Amazon Redshift already supports role-based access control, row-level security, and column-level security to enable organizations to enforce fine-grained security on Redshift data. Amazon Redshift now extends these security features by supporting Dynamic Data Masking (DDM), which simplifies the process of protecting sensitive data in your Amazon Redshift data warehouse. With Dynamic Data Masking, you control access to your data through SQL-based masking policies that determine how Redshift returns sensitive data to the user at query time.

With this capability, as a security administrator, you can create masking policies to define consistent, format-preserving, and irreversible masked data values. You can apply masking to a specific column or to a list of columns in a table. You also have the flexibility of choosing how the masked data is shown. For example, you can completely hide all the information in the data, you can replace parts of the real values with wildcard characters, or you can define your own way to mask the data using SQL expressions, Python, or Lambda user-defined functions. Additionally, you can apply conditional masking based on other columns, which selectively protects a column's data in a table based on the values in one or more other columns. When you attach a policy to a table, the masking expression can be applied to one or more of its columns.
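The following is an added example, not part of the announcement: it shows full, partial, and conditional masking policies attached with different priorities to a hypothetical `credit_cards` table, using the CREATE MASKING POLICY and ATTACH MASKING POLICY statements. The table, column, and role names are assumed.

```sql
-- Added example (not from the announcement). Assumes a table
--   credit_cards(card_number VARCHAR(16), card_status VARCHAR(16))
-- and a role named analyst_role; all names are hypothetical.

-- Full masking: every caller gets a fixed, format-preserving value.
-- The expression's type must match the masked column's type.
CREATE MASKING POLICY mask_card_full
WITH (card_number VARCHAR(16))
USING ('XXXXXXXXXXXXXXXX'::VARCHAR(16));

-- Conditional masking: the last four digits stay visible only while the
-- card is active; inactive cards are fully hidden. card_status is an input
-- column that drives the decision and is not itself masked.
CREATE MASKING POLICY mask_card_partial_active
WITH (card_number VARCHAR(16), card_status VARCHAR(16))
USING (
  (CASE WHEN card_status = 'active'
        THEN REPEAT('X', 12) || RIGHT(card_number, 4)
        ELSE 'XXXXXXXXXXXXXXXX'
   END)::VARCHAR(16)
);

-- Default for everyone: full redaction at a low priority.
ATTACH MASKING POLICY mask_card_full
ON credit_cards (card_number)
TO PUBLIC
PRIORITY 10;

-- Analysts get the conditional view. When more than one attached policy
-- applies to the same user and column, the higher priority value wins.
-- USING lists the input columns in the order the policy declares them.
ATTACH MASKING POLICY mask_card_partial_active
ON credit_cards (card_number)
USING (card_number, card_status)
TO ROLE analyst_role
PRIORITY 20;

-- Verify what is actually attached before relying on the protection.
SELECT policy_name, grantee, grantee_type, priority
FROM svv_attached_masking_policy
WHERE table_name = 'credit_cards';
```

A user without analyst_role selecting card_number sees only the fully masked value, while a member of analyst_role sees the last four digits for active cards and the masked value otherwise.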

Dynamic Data Masking in Amazon Redshift is available in all commercial and AWS GovCloud (US) Regions where Amazon Redshift is available. You can find more information about DDM in the Amazon Redshift Database Developer Guide.