Redshift Cluster Encrypted at Rest
Overview
This check verifies that your Amazon Redshift clusters have encryption at rest enabled. Encryption at rest protects your data by encrypting the storage used for your cluster, including snapshots.
Amazon Redshift uses hardware-accelerated AES-256 encryption, meaning there is no performance penalty for enabling this feature.
Risk
If encryption at rest is not enabled, your data is vulnerable in several scenarios:
- Physical theft: Anyone with access to the underlying storage media could read your data
- Snapshot exposure: Unencrypted snapshots could be copied and accessed by unauthorized parties
- Compliance violations: Many regulations (HIPAA, PCI-DSS, GDPR) require encryption at rest
- Data breach amplification: A single security lapse could expose your entire data warehouse
Severity: Critical
Remediation Steps
Prerequisites
You need:
- Access to the AWS Console with permissions to modify Redshift clusters, or
- AWS CLI installed and configured with appropriate permissions
Required IAM permissions
Your IAM user or role needs these permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:ModifyCluster",
        "redshift:DescribeClusters"
      ],
      "Resource": "arn:aws:redshift:us-east-1:<account-id>:cluster:<cluster-identifier>"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:<account-id>:key/<key-id>"
    }
  ]
}
AWS Console Method
- Sign in to the AWS Management Console
- Navigate to Amazon Redshift (search for "Redshift" in the search bar)
- In the left navigation, click Clusters
- Click on the cluster you want to encrypt
- Click the Properties tab
- Scroll down to Database configurations
- Click Edit next to the encryption setting
- Select Enable encryption
- Choose your encryption key:
- AWS managed key: Easiest option, AWS manages the key for you
- Customer managed key: Select a KMS key you control for more flexibility
- Click Save changes
Important: Enabling encryption on an existing cluster triggers a cluster migration. Your cluster will be unavailable during this process (typically 30-60 minutes depending on data size).
AWS CLI (optional)
Enable encryption with AWS-managed key
aws redshift modify-cluster \
--cluster-identifier <your-cluster-identifier> \
--encrypted \
--region us-east-1
Enable encryption with a customer-managed KMS key
aws redshift modify-cluster \
--cluster-identifier <your-cluster-identifier> \
--encrypted \
--kms-key-id <your-kms-key-id> \
--region us-east-1
Replace:
- <your-cluster-identifier> with your Redshift cluster name
- <your-kms-key-id> with your KMS key ID or ARN (if using a customer-managed key)
Example
aws redshift modify-cluster \
--cluster-identifier my-analytics-cluster \
--encrypted \
--region us-east-1
CloudFormation (optional)
Use this template to create a new encrypted Redshift cluster.
Note: You cannot enable encryption on an existing CloudFormation-managed unencrypted cluster without replacing it. Plan for data migration if needed.
AWSTemplateFormatVersion: '2010-09-09'
Description: Amazon Redshift cluster with encryption at rest enabled
Parameters:
  ClusterIdentifier:
    Type: String
    Description: Unique identifier for the Redshift cluster
    Default: my-redshift-cluster
  MasterUsername:
    Type: String
    Description: Master username for the cluster
    Default: admin
  NodeType:
    Type: String
    Description: Node type for the cluster
    Default: dc2.large
    AllowedValues:
      - dc2.large
      - dc2.8xlarge
      - ra3.large
      - ra3.xlplus
      - ra3.4xlarge
      - ra3.16xlarge
  NumberOfNodes:
    Type: Number
    Description: Number of nodes in the cluster
    Default: 1
    MinValue: 1
  DatabaseName:
    Type: String
    Description: Name of the initial database
    Default: mydb
Resources:
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: !Ref ClusterIdentifier
      DBName: !Ref DatabaseName
      MasterUsername: !Ref MasterUsername
      ManageMasterPassword: true
      NodeType: !Ref NodeType
      NumberOfNodes: !Ref NumberOfNodes
      ClusterType: !If
        - IsSingleNode
        - single-node
        - multi-node
      Encrypted: true
      PubliclyAccessible: false
      Port: 5439
Conditions:
  IsSingleNode: !Equals [!Ref NumberOfNodes, 1]
Outputs:
  ClusterEndpoint:
    Description: Redshift cluster endpoint
    Value: !GetAtt RedshiftCluster.Endpoint.Address
  ClusterPort:
    Description: Redshift cluster port
    Value: !GetAtt RedshiftCluster.Endpoint.Port
Key property: Encrypted: true enables encryption at rest.
Password handling: This template uses ManageMasterPassword: true which lets AWS Secrets Manager automatically generate and manage the master password securely.
To use a customer-managed KMS key, add the following to the cluster's Properties (with YourKmsKeyId declared as a parameter):
      KmsKeyId: !Ref YourKmsKeyId
Terraform (optional)
Use this configuration to create a new encrypted Redshift cluster.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "cluster_identifier" {
  description = "Unique identifier for the Redshift cluster"
  type        = string
  default     = "my-redshift-cluster"
}

variable "master_username" {
  description = "Master username for the cluster"
  type        = string
  default     = "admin"
}

variable "master_password" {
  description = "Master password for the cluster"
  type        = string
  sensitive   = true
}

variable "node_type" {
  description = "Node type for the cluster"
  type        = string
  default     = "dc2.large"
}

variable "number_of_nodes" {
  description = "Number of nodes in the cluster"
  type        = number
  default     = 1
}

variable "database_name" {
  description = "Name of the initial database"
  type        = string
  default     = "mydb"
}

resource "aws_redshift_cluster" "encrypted_cluster" {
  cluster_identifier = var.cluster_identifier
  database_name      = var.database_name
  master_username    = var.master_username
  master_password    = var.master_password
  node_type          = var.node_type
  number_of_nodes    = var.number_of_nodes
  cluster_type       = var.number_of_nodes > 1 ? "multi-node" : "single-node"

  # Enable encryption at rest
  encrypted = true

  # Optional: Use a customer-managed KMS key
  # kms_key_id = aws_kms_key.redshift_key.arn

  publicly_accessible = false
  port                = 5439
  skip_final_snapshot = true
}

output "cluster_endpoint" {
  description = "Redshift cluster endpoint"
  value       = aws_redshift_cluster.encrypted_cluster.endpoint
}

output "cluster_id" {
  description = "Redshift cluster identifier"
  value       = aws_redshift_cluster.encrypted_cluster.id
}
Key property: encrypted = true enables encryption at rest.
To use a customer-managed KMS key, uncomment and set the kms_key_id attribute.
Verification
After enabling encryption, verify the change was applied:
- Go to Amazon Redshift > Clusters in the AWS Console
- Click on your cluster
- Under the Properties tab, look for Encryption: it should show Enabled
Verify with AWS CLI
aws redshift describe-clusters \
--cluster-identifier <your-cluster-identifier> \
--query 'Clusters[0].Encrypted' \
--region us-east-1
Expected output: true
To see the full encryption details:
aws redshift describe-clusters \
--cluster-identifier <your-cluster-identifier> \
--query 'Clusters[0].{Encrypted:Encrypted,KmsKeyId:KmsKeyId}' \
--region us-east-1
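The CLI checks above verify one cluster at a time. The following script, an added example that is not part of this page's original content, applies the same check (the Encrypted and KmsKeyId fields of describe-clusters) across every cluster in a region and emits the modify-cluster command from the remediation steps for each failing one. The sample cluster records are constructed, and the optional boto3 fetch assumes redshift:DescribeClusters is granted.

```python
"""Audit Amazon Redshift clusters for encryption at rest.

The audit logic works on the dict shape returned by describe-clusters,
so it can be exercised on the constructed sample below without AWS access.
"""
from typing import Any, Dict, List


def evaluate_cluster(cluster: Dict[str, Any], region: str = "us-east-1") -> Dict[str, Any]:
    """Classify one cluster record and attach a remediation command on failure."""
    ident = cluster["ClusterIdentifier"]
    encrypted = bool(cluster.get("Encrypted", False))
    # KmsKeyId, when present, identifies the key in use; whether it is AWS managed
    # or customer managed must be confirmed via kms:DescribeKey (not done here).
    finding = {
        "cluster": ident,
        "encrypted": encrypted,
        "kms_key_id": cluster.get("KmsKeyId"),
        "status": "PASS" if encrypted else "FAIL",
        "remediation": None,
    }
    if not encrypted:
        finding["remediation"] = (
            f"aws redshift modify-cluster --cluster-identifier {ident} "
            f"--encrypted --region {region}"
        )
    return finding


def audit_clusters(clusters: List[Dict[str, Any]], region: str = "us-east-1") -> List[Dict[str, Any]]:
    """Evaluate every cluster; failing clusters are listed first."""
    findings = [evaluate_cluster(c, region) for c in clusters]
    return sorted(findings, key=lambda f: f["status"] != "FAIL")


def fetch_clusters(region: str = "us-east-1") -> List[Dict[str, Any]]:
    """Pull live cluster records with boto3 (needs redshift:DescribeClusters)."""
    import boto3  # imported lazily so the audit logic runs without boto3 installed

    paginator = boto3.client("redshift", region_name=region).get_paginator("describe_clusters")
    return [c for page in paginator.paginate() for c in page["Clusters"]]


# Constructed sample records (not real account data), carrying only the fields this check uses.
SAMPLE_CLUSTERS = [
    {"ClusterIdentifier": "reporting-prod", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:<account-id>:key/<key-id>"},
    {"ClusterIdentifier": "my-analytics-cluster", "Encrypted": False},
]

if __name__ == "__main__":
    for f in audit_clusters(SAMPLE_CLUSTERS):
        print(f["status"], f["cluster"], f["kms_key_id"] or "-", f["remediation"] or "")
```

Swap SAMPLE_CLUSTERS for fetch_clusters() to run it against a real account.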
Additional Resources
- Amazon Redshift Database Encryption
- Changing Cluster Encryption
- AWS KMS Keys for Redshift
- AWS Security Hub Redshift Controls
Notes
- New clusters: Always enable encryption when creating a new cluster. There is no performance impact.
- Existing clusters: Enabling encryption requires a cluster migration, which causes downtime. Plan accordingly.
- Snapshots: When you enable encryption, all subsequent snapshots are also encrypted.
- Cross-region copies: Encrypted snapshots can be copied to other regions, but you must specify a KMS key in the destination region.
- Customer-managed keys: For enhanced security and audit capabilities, consider using a customer-managed KMS key instead of the AWS-managed key. This gives you control over key rotation, access policies, and key deletion.