I want to turn on encryption for existing unencrypted Amazon Redshift clusters.
Short description
Amazon Redshift enforces SSL connections by default for clients that connect to newly created provisioned and restored clusters. This default change also applies to serverless workgroups.
You can modify an existing Amazon Redshift unencrypted cluster to use AWS Key Management Service (AWS KMS) encryption. Amazon Redshift Serverless is encrypted by default, but you can change the AWS KMS key for a namespace.
Note: Hardware security module (HSM) encryption isn't supported for DC2 and RA3 node types.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Modify an unencrypted Amazon Redshift cluster to use encryption
To modify an existing Amazon Redshift cluster to use encryption, complete the following steps:
- Open the Amazon Redshift console.
- In the navigation pane, choose Clusters, and then choose the cluster that you want to encrypt.
- Choose Properties.
- For Database configurations, choose Edit, and then choose Edit encryption.
- Choose Use AWS Key Management Service (AWS KMS) or Use a hardware security module (HSM). For more information about encryption options, see Amazon Redshift database encryption.
To modify an existing Amazon Redshift cluster to use AWS KMS encryption with the AWS Command Line Interface (AWS CLI), run the following modify-cluster command:
aws redshift modify-cluster --cluster-identifier <value> --encrypted --kms-key-id <value>
If you include only --encrypted in the command, then the default AWS KMS key is used. To use a customer managed KMS key, include --kms-key-id and replace <value> with your customer managed KMS key ID.
If the cluster has an RA3 node type, then the Amazon Redshift cluster encryption change is performed with faster classic resize. For all other node types, Amazon Redshift performs the encryption change with classic resize.
After encryption is turned on, Amazon Redshift automatically migrates the data to a new encrypted cluster with the same cluster identifier. During this migration operation, the cluster is available in read-only mode, and the cluster status appears as "Resizing".
The length of time for a resize operation varies based on the read workload on the source cluster and the table definition. The node type you're scaling to and from, including skew considerations, also affects resize duration.
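The following script is an added example, not AWS's own code: it builds the modify-cluster command from the steps above and audits `describe-clusters` output to confirm that a cluster is actually encrypted, that the migration (status "resizing", read-only) has finished, and that the cluster uses the intended customer managed key rather than the default key. It assumes the real `Clusters[].ClusterIdentifier`, `Encrypted`, `KmsKeyId` and `ClusterStatus` fields of describe-clusters; the sample output and key ARN are constructed placeholders.

```python
import json
import subprocess

# Constructed sample of `aws redshift describe-clusters` output; the identifiers
# and key ARNs are placeholders, not real account data.
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({"Clusters": [
    {"ClusterIdentifier": "analytics-prod", "NodeType": "ra3.4xlarge",
     "ClusterStatus": "resizing", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CMK-ID"},
    {"ClusterIdentifier": "reporting-dev", "NodeType": "dc2.large",
     "ClusterStatus": "available", "Encrypted": False},
    {"ClusterIdentifier": "legacy-etl", "NodeType": "dc2.large",
     "ClusterStatus": "available", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-OTHER-KEY"},
]})


def modify_cluster_command(cluster_id, kms_key_id=None):
    """Build the modify-cluster argv; omitting --kms-key-id selects the default key."""
    argv = ["aws", "redshift", "modify-cluster",
            "--cluster-identifier", cluster_id, "--encrypted"]
    if kms_key_id:
        argv += ["--kms-key-id", kms_key_id]
    return argv


def audit_clusters(describe_json, expected_key_id=None):
    """Map each cluster to one of: unencrypted, encrypting, key-mismatch, ok.

    'encrypting' means the migration to the encrypted cluster is still running
    (status 'resizing'), so the cluster is read-only until it is 'available' again.
    """
    findings = {}
    for c in json.loads(describe_json)["Clusters"]:
        cid = c["ClusterIdentifier"]
        if not c.get("Encrypted", False):
            findings[cid] = "unencrypted"
        elif c.get("ClusterStatus", "").lower() == "resizing":
            findings[cid] = "encrypting"
        elif expected_key_id and c.get("KmsKeyId") != expected_key_id:
            findings[cid] = "key-mismatch"
        else:
            findings[cid] = "ok"
    return findings


if __name__ == "__main__":
    # Live run against the current AWS CLI credentials instead of the sample.
    out = subprocess.run(["aws", "redshift", "describe-clusters", "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    for cid, state in audit_clusters(out).items():
        print(cid, state)
        if state == "unencrypted":
            print("  ->", " ".join(modify_cluster_command(cid, "<kms-key-id>")))
```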
Change the AWS KMS key for a namespace in Amazon Redshift Serverless
Amazon Redshift Serverless is encrypted by default. However, you can modify the AWS KMS key for the namespace so you can adhere to your organization's security policies. When you change the AWS KMS key, the data remains unchanged.
You can't change from a customer managed KMS key to an AWS KMS key. If you want to use an AWS KMS key after you create a customer managed KMS key, then you must create a new namespace. You also can't perform other actions on the namespace while the key change is in progress. The time it takes to change the key depends on the amount of data in Amazon Redshift Serverless. It typically takes 15 minutes for each 8 TB of stored data.
To change the AWS KMS key for the namespace, complete the following steps:
- Open the Amazon Redshift console.
- In the navigation pane, choose Namespace configuration, and then choose your namespace from the list.
- From the Security and encryption tab, choose Edit.
- Choose Customize encryption settings and then choose a key for the namespace or create a new key.
To change the AWS KMS key for the namespace with the AWS CLI, run the following update-namespace command:
aws redshift-serverless update-namespace --namespace-name <value> [--kms-key-id <id-of-kms-key>]
(Other parameters are omitted here.)
Note: If you don't have a namespace created, then the AWS CLI command results in an error.