How do I encrypt my Amazon Redshift cluster?

Last updated: 2022-10-31

I want to encrypt my Amazon Redshift cluster. How can I do that?

Resolution

Encryption can be turned on when you create an Amazon Redshift cluster. Alternatively, an existing unencrypted Amazon Redshift cluster can be modified to use AWS Key Management Service (AWS KMS) encryption. Amazon Redshift Serverless is encrypted by default, but you can change the AWS KMS key for a namespace.

Turn on encryption while creating a new Amazon Redshift cluster

To turn on encryption when creating your Amazon Redshift cluster, do the following:

  1. Open the Amazon Redshift console.
  2. In the navigation pane, choose Clusters, and then choose Create cluster.
  3. For Create cluster, configure the cluster to your specifications. For more information, see Creating a cluster.
  4. For Additional configurations, turn off Use defaults.
  5. For Database configurations, choose Use AWS Key Management Service (AWS KMS) or Use a hardware security module (HSM). For more information on encryption options, see Amazon Redshift database encryption.
  6. (Optional) Define your specifications for the additional configuration options.
  7. Choose Create cluster.

Note: Hardware security module (HSM) encryption isn't supported for DC2 and RA3 node types.

Modify an unencrypted Amazon Redshift cluster to use encryption

Consider the following when modifying an Amazon Redshift cluster to turn on encryption:

  • After encryption is turned on, Amazon Redshift automatically migrates the data to a new encrypted cluster with the same cluster identifier. During this migration operation, the cluster is available in read-only mode, and the cluster status appears as resizing.
  • If the cluster uses an RA3 node type, Amazon Redshift performs the encryption change using Faster Classic Resize. For all other node types, Amazon Redshift performs the encryption change using Classic resize.
  • The time it takes for a resize operation to complete can vary depending on:
    ◦ The read workload on the source cluster
    ◦ The table definition
    ◦ The skew
    ◦ The node type that you're scaling to and from

To modify an existing Amazon Redshift cluster to use encryption using the console, do the following:

  1. Open the Amazon Redshift console.
  2. In the navigation pane, choose Clusters, and then choose the cluster that you want to encrypt.
  3. Choose Properties.
  4. For Database configurations, choose Edit, and then choose Edit encryption.
  5. Choose Use AWS Key Management Service (AWS KMS) or Use a hardware security module (HSM). For more information on encryption options, see Amazon Redshift database encryption.

To modify an existing Amazon Redshift cluster to use AWS KMS encryption using the AWS CLI, run the following modify-cluster command:

Note: Your default KMS key is used unless you specify one. To use a customer managed key, include the --kms-key-id option and replace <value> with your KMS key.

aws redshift modify-cluster --cluster-identifier <value> --encrypted --kms-key-id <value>

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
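As an added example that is not part of this article, the following Python script audits the JSON output of aws redshift describe-clusters for unencrypted clusters and builds the modify-cluster command above for each one that can be modified right now (status available, not already resizing). The sample JSON is constructed; the Encrypted, KmsKeyId, ClusterStatus and NodeType field names are the ones the CLI returns, and the key alias alias/redshift-cmk is a hypothetical customer managed key.

```python
from __future__ import annotations
import json
import shlex

# Constructed sample of `aws redshift describe-clusters` JSON output (not real account data).
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({"Clusters": [
    {"ClusterIdentifier": "analytics-prod", "ClusterStatus": "available",
     "NodeType": "ra3.4xlarge", "Encrypted": False},
    {"ClusterIdentifier": "reporting", "ClusterStatus": "available",
     "NodeType": "dc2.large", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"ClusterIdentifier": "etl-staging", "ClusterStatus": "resizing",
     "NodeType": "dc2.large", "Encrypted": False},
]})

def audit_clusters(describe_output: str) -> list[dict]:
    """One finding per cluster. A cluster can only be modified while its
    status is 'available'; during the encryption migration it shows 'resizing'."""
    findings = []
    for c in json.loads(describe_output)["Clusters"]:
        encrypted = bool(c.get("Encrypted", False))
        findings.append({
            "cluster": c["ClusterIdentifier"],
            "encrypted": encrypted,
            "kms_key_id": c.get("KmsKeyId"),  # absent on unencrypted clusters
            "status": c["ClusterStatus"],
            "node_type": c["NodeType"],
            "ready_to_modify": not encrypted and c["ClusterStatus"] == "available",
        })
    return findings

def remediation_command(finding: dict, kms_key_id: str | None = None) -> str | None:
    """Build the modify-cluster command from the article for a cluster that is
    unencrypted and available. Without --kms-key-id, Redshift uses the default KMS key."""
    if not finding["ready_to_modify"]:
        return None
    cmd = ["aws", "redshift", "modify-cluster",
           "--cluster-identifier", finding["cluster"], "--encrypted"]
    if kms_key_id:
        cmd += ["--kms-key-id", kms_key_id]
    return shlex.join(cmd)  # shell-quoted, safe to paste into a terminal

if __name__ == "__main__":
    for f in audit_clusters(SAMPLE_DESCRIBE_CLUSTERS):
        state = "encrypted" if f["encrypted"] else "UNENCRYPTED"
        print(f"{f['cluster']} ({f['node_type']}, {f['status']}): {state}")
        cmd = remediation_command(f, kms_key_id="alias/redshift-cmk")  # hypothetical alias
        if cmd:
            print("  remediate:", cmd)
```

Pipe real output into audit_clusters instead of the sample to run this against an account; clusters reported as resizing must be re-checked once the migration finishes.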

Changing the AWS KMS key for a namespace in Amazon Redshift Serverless

Amazon Redshift Serverless is encrypted by default. However, Amazon Redshift Serverless supports changing the AWS KMS key for the namespace so you can adhere to your organization's security policies. When you change the AWS KMS key, the data remains unchanged.

Consider the following when changing the AWS KMS key:

  • The time it takes to change the key depends on the amount of data in Amazon Redshift Serverless. It typically takes fifteen minutes per 8 TB of stored data.
  • You can't change from a customer managed KMS key to an AWS KMS key. If you want to use an AWS KMS key after creating a customer managed KMS key, you must create a new namespace.
  • You can’t perform other actions while the key is being changed.

To change the AWS KMS key for the namespace, do the following:

  1. Open the Amazon Redshift console.
  2. In the navigation pane, choose Namespace configuration, and then choose your namespace from the list.
  3. From the Security and encryption tab, choose Edit.
  4. Choose Customize encryption settings and then choose a key for the namespace or create a new key.

To change the AWS KMS key for the namespace using the AWS CLI, run the following update-namespace command:

Note: You must have a namespace created or the AWS CLI command results in an error.

aws redshift-serverless update-namespace \
    --namespace-name <namespace-name> \
    [--kms-key-id <id-of-kms-key>]
    # other parameters omitted here
