How to Enable Encryption in Transit in Amazon Redshift


How do I enable encryption in transit for Amazon Redshift?

Encryption in transit forces all Redshift client connections to use SSL/TLS, protecting data while it moves across the network.


What does “encryption in transit” mean for Redshift?

Encryption in transit ensures every byte sent between your application and Redshift travels inside an SSL/TLS tunnel. It prevents attackers from sniffing credentials, SQL text, or result sets.

How do I require SSL on a Redshift cluster?

Create or edit a parameter group and set require_ssl to 1, then reboot the cluster. From that point, only SSL connections are accepted.

Which client settings enforce SSL?

psql needs sslmode=require. JDBC/ODBC need ssl=true (and optionally sslfactory=com.amazon.redshift.ssl.NonValidatingFactory if you skip certificate validation).
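
As an added example (not Galaxy's or AWS's code), the Python below audits connection strings for the client settings named above. It also reports that libpq's sslmode=require encrypts without verifying the server certificate, which verify-ca and verify-full do. The function names and every sample string after the page's own two are constructed for illustration.

```python
import shlex
from urllib.parse import parse_qs

VERIFYING_MODES = {"verify-ca", "verify-full"}  # libpq modes that check the server cert

def audit_libpq(dsn):
    """Findings for a psql/libpq keyword=value connection string."""
    opts = dict(t.split("=", 1) for t in shlex.split(dsn) if "=" in t)
    # libpq uses prefer when sslmode is unset (PGSSLMODE is ignored here).
    mode = opts.get("sslmode", "prefer")
    if mode in VERIFYING_MODES:
        return []
    if mode == "require":
        return ["sslmode=require: encrypted, but server certificate is not verified"]
    return [f"sslmode={mode}: TLS is not guaranteed"]

def audit_jdbc(url):
    """Findings for a jdbc:redshift:// URL that uses ?key=value&... options."""
    query = {k.lower(): v[-1] for k, v in parse_qs(url.partition("?")[2]).items()}
    findings = []
    if query.get("ssl", "").lower() != "true":
        findings.append("ssl=true is not set")  # the setting this page asks for
    if query.get("sslfactory", "").endswith("NonValidatingFactory"):
        findings.append("NonValidatingFactory: certificate validation is skipped")
    return findings

def audit(conn):
    """Dispatch on the connection string type."""
    return audit_jdbc(conn) if conn.startswith("jdbc:") else audit_libpq(conn)

# First two strings are the page's own; the rest are constructed samples.
SAMPLES = [
    "host=redshift-cluster.company.com port=5439 dbname=prod user=analytics sslmode=require",
    "jdbc:redshift://redshift-cluster.company.com:5439/prod?ssl=true&sslmode=require",
    "host=rs.example.internal port=5439 dbname=prod user=etl",
    "host=rs.example.internal port=5439 dbname=prod user=etl sslmode=verify-full",
    "jdbc:redshift://rs.example.internal:5439/prod?ssl=true"
    "&sslfactory=com.amazon.redshift.ssl.NonValidatingFactory",
    "jdbc:redshift://rs.example.internal:5439/prod",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", audit(s) or "ok")
```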

How can I verify my session is encrypted?

Run SELECT sslcipher FROM stl_connection_log WHERE pid = pg_backend_pid(); and check the result. A non-NULL cipher confirms SSL.

Can I still query my ecommerce tables?

Yes. After the SSL handshake, SQL works normally; for example, SELECT * FROM Customers LIMIT 10; runs exactly the same.

Best practices for production environments

Always rotate certificates, pin the Amazon root CA in apps, and monitor stl_connection_log for non-SSL attempts.

How do I disable non-SSL ports on the network layer?

Limit your Redshift security group to port 5439 and require SSL inside the cluster; block other ports entirely.

What tools help audit encryption compliance?

AWS Config rules, CloudTrail events, and Redshift system views (stv_recents, stl_connection_log) reveal whether plaintext connections ever occur.


How to Enable Encryption in Transit in Amazon Redshift Example Usage


-- Sample encrypted query against ecommerce schema
-- Connection string already uses sslmode=require
SELECT c.name,
       o.order_date,
       o.total_amount
FROM   Customers c
JOIN   Orders   o ON o.customer_id = c.id
WHERE  o.order_date >= CURRENT_DATE - INTERVAL '30 days'
ORDER  BY o.order_date DESC;

How to Enable Encryption in Transit in Amazon Redshift Syntax


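-- 1. Enable requirement in parameter group (AWS CLI, not SQL; the CLI takes true/false for require_ssl)
aws redshift modify-cluster-parameter-group \
  --parameter-group-name my_rs_pg \
  --parameters ParameterName=require_ssl,ParameterValue=true
-- Reboot cluster after applying.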

-- 2. psql connection string
PGPASSWORD=secret psql \
  "host=redshift-cluster.company.com port=5439 dbname=prod user=analytics sslmode=require"

-- 3. JDBC example
jdbc:redshift://redshift-cluster.company.com:5439/prod?ssl=true&sslmode=require

-- 4. Verify encryption
SELECT sslcipher
FROM   stl_connection_log
WHERE  pid = pg_backend_pid();

Frequently Asked Questions (FAQs)

Does encryption in transit slow queries?

Negligibly. SSL handshake is a one-time cost; data-transfer overhead is generally under 2%.

Do I need a custom certificate?

No. Redshift provides an Amazon-signed certificate. Use a custom CA only if corporate policy demands it.

Can I mix SSL and non-SSL users?

Only if require_ssl=0. Once enabled, every connection—BI tools, scripts, apps—must use SSL.
