How to Enable Encryption at Rest in Redshift

Galaxy Glossary

How do I enable encryption at rest in Amazon Redshift?

Encryption at rest secures all data blocks stored in Amazon Redshift by automatically encrypting the cluster's disks and backups with AWS KMS or a customer-managed key.


Description

Why enable encryption at rest?

Protect PII, financial records, and sensitive business metrics from unauthorized disk access. Meet GDPR, HIPAA, and PCI-DSS compliance without application changes.

Does Redshift encrypt data by default?

New RA3 clusters default to AWS-owned KMS keys. For precise control, create a cluster or snapshot copy grant with a customer-managed key (CMK).

How to create a new encrypted cluster?

Use the AWS Console, CLI, or CloudFormation. Supply --encrypted and --kms-key-id when calling create-cluster. Redshift then encrypts system tables, user tables such as Customers and Orders, and automatic backups.

Can I encrypt an existing unencrypted cluster?

No direct toggle exists. Snapshot the cluster, then restore it with encryption parameters. Point applications to the new endpoint.

What are the performance impacts?

Encryption uses AES-256 with hardware acceleration. Benchmarking shows <2% overhead on most analytical workloads.

How do I rotate keys?

Enable automatic KMS key rotation, or manually create a new CMK and re-encrypt snapshots. Restore the snapshots with the new key.

How to audit encryption status?

Query SVL_ENCRYPTED_COLUMNS or use AWS Config rules (redshift-cluster-kms-enabled). CloudTrail logs CMK usage for compliance audits.
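The cluster-level check can also be done from the control plane: the Encrypted and KmsKeyId fields returned by `aws redshift describe-clusters` (or boto3's describe_clusters) show whether each cluster is encrypted and with which key. The script below is an added example, not code from the page or from Galaxy; the cluster list is a constructed sample in the shape of that API response, and treating a missing KmsKeyId as "not an approved customer-managed key" is an assumption of this audit.

```python
import json
from typing import Dict, List, Set

# Constructed sample shaped like the "Clusters" array returned by
# `aws redshift describe-clusters`; only the fields the audit reads are included.
SAMPLE_DESCRIBE_CLUSTERS = json.loads("""
{"Clusters": [
  {"ClusterIdentifier": "ecommerce-prod-enc", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd-ef12-3456-7890-abcd1234ef56"},
  {"ClusterIdentifier": "analytics-legacy", "Encrypted": false},
  {"ClusterIdentifier": "reporting-default-key", "Encrypted": true}
]}
""")


def audit_clusters(clusters: List[Dict], approved_keys: Set[str]) -> Dict[str, List[str]]:
    """Classify clusters by encryption-at-rest state.

    Returns three lists of cluster identifiers:
      unencrypted    - Encrypted is false; fix by snapshot + restore with --encrypted
      unapproved_key - encrypted, but KmsKeyId is absent or not an approved CMK
                       (assumption: absent KmsKeyId means the AWS-owned default key)
      compliant      - encrypted with an approved customer-managed key
    approved_keys must hold key ARNs exactly as Redshift reports them.
    """
    findings: Dict[str, List[str]] = {"unencrypted": [], "unapproved_key": [], "compliant": []}
    for cluster in clusters:
        cid = cluster["ClusterIdentifier"]
        if not cluster.get("Encrypted", False):
            findings["unencrypted"].append(cid)
        elif cluster.get("KmsKeyId") not in approved_keys:
            findings["unapproved_key"].append(cid)
        else:
            findings["compliant"].append(cid)
    return findings


if __name__ == "__main__":
    approved = {"arn:aws:kms:us-east-1:123456789012:key/abcd-ef12-3456-7890-abcd1234ef56"}
    report = audit_clusters(SAMPLE_DESCRIBE_CLUSTERS["Clusters"], approved)
    for state, ids in report.items():
        print(f"{state}: {', '.join(ids) or '-'}")
```

Feed it the real output by piping `aws redshift describe-clusters` into json.loads in place of the sample; any identifier in the first two lists is a finding for the snapshot-and-restore or key-rotation steps above.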

Best practices

Store CMKs in a separate AWS account, enable automatic rotation, restrict kms:Decrypt to the Redshift service role, and always back up CMKs.

Common mistakes

Forgetting to create snapshot copy grants breaks cross-region encrypted backups. Missing CMK IAM permissions cause create-cluster failures.


How to Enable Encryption at Rest in Redshift Example Usage


-- Verify encryption status of the Customers table
SELECT tablename, encrypted
FROM pg_table_def
WHERE schemaname = 'public'
  AND tablename = 'customers';

-- Audit which columns contain encrypted data
SELECT *
FROM SVL_ENCRYPTED_COLUMNS
WHERE table_name IN ('customers', 'orders', 'orderitems');

How to Enable Encryption at Rest in Redshift Syntax


# Create a new cluster encrypted with a customer-managed KMS key
# (--encrypted is a boolean flag in the AWS CLI; it takes no value)
aws redshift create-cluster \
  --cluster-identifier ecommerce-prod \
  --node-type ra3.xlplus \
  --number-of-nodes 2 \
  --master-username admin \
  --master-user-password "Str0ngP@ssw0rd" \  # use a value pulled from a secrets store, not a literal
  --encrypted \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcd-ef12-3456-7890-abcd1234ef56

# Restore an unencrypted snapshot as a new, encrypted cluster
aws redshift restore-from-cluster-snapshot \
  --snapshot-identifier unencrypted-snap-2024-05-20 \
  --cluster-identifier ecommerce-prod-enc \
  --encrypted \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcd-ef12-3456-7890-abcd1234ef56

Frequently Asked Questions (FAQs)

Can I use a customer-managed key instead of the default?

Yes. Pass your CMK ARN in --kms-key-id. Redshift then encrypts data and snapshots with that key.

Does encryption protect Redshift Spectrum external tables?

No. Spectrum relies on the S3 object's encryption. Configure S3 SSE-KMS or client-side encryption separately.

Is there any additional cost?

AWS charges $1 per CMK per month plus $0.03 per 10,000 KMS requests. Redshift performance impact is minimal.
