Description:

Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. You can start with just a few hundred gigabytes of data and scale to a petabyte or more. This enables you to use your data to acquire new insights for your business and customers.


Rationale:

Redshift encryption protects all of your data at rest with encryption keys maintained in AWS Key Management Service (AWS KMS). This reduces the operational burden and complexity of safeguarding sensitive data.


Impact:

With encrypted snapshots, Redshift transparently encrypts all customer data in cluster backups. Redshift automatically takes incremental snapshots that track the changes to the cluster since the previous automated snapshot, and automated snapshots retain all of the data required to restore a cluster from a snapshot.


Default value:

Redshift snapshots are encrypted if the source Redshift cluster is encrypted.


Pre-Requisite:

An existing Amazon Redshift cluster.


Remediation:


Test Plan:

Using AWS Console:

Step 1: Login to the AWS Management Console.

Step 2: Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

Step 3: In the left navigation panel, under Redshift Dashboard, click Clusters.

Step 4: Choose the Redshift cluster that you want to examine and click on its identifier (name) link listed in the Cluster column.

Step 5: Choose Properties and verify the Encryption property status; if it is disabled, follow the implementation steps.



Using AWS CLI:

aws redshift describe-clusters \
  --region us-east-1 \
  --cluster-identifier cc-cluster \
  --query 'Clusters[*].Encrypted'

The command returns true for an encrypted cluster; if it returns false, follow the implementation steps.
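To apply the same check across every cluster and its backups in a region, the following Python script (an added example, not part of this document) evaluates the JSON returned by `aws redshift describe-clusters` and `aws redshift describe-cluster-snapshots`, reporting unencrypted clusters, unencrypted snapshots, and snapshots whose encryption state differs from their source cluster. The embedded responses are constructed samples and the KMS key ARN is a placeholder.

```python
import json

# Constructed sample, shaped like the JSON output of `aws redshift describe-clusters`
# (assumption: only the fields the check reads are included; the key ARN is a placeholder).
SAMPLE_CLUSTERS = json.dumps({"Clusters": [
    {"ClusterIdentifier": "cc-cluster", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"},
    {"ClusterIdentifier": "legacy-cluster", "Encrypted": False},
]})

# Constructed sample, shaped like the JSON output of `aws redshift describe-cluster-snapshots`.
SAMPLE_SNAPSHOTS = json.dumps({"Snapshots": [
    {"SnapshotIdentifier": "rs:cc-cluster-2024-01-01-00-00-00", "ClusterIdentifier": "cc-cluster",
     "SnapshotType": "automated", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"},
    {"SnapshotIdentifier": "cc-cluster-pre-encryption", "ClusterIdentifier": "cc-cluster",
     "SnapshotType": "manual", "Encrypted": False},
    {"SnapshotIdentifier": "legacy-cluster-manual-1", "ClusterIdentifier": "legacy-cluster",
     "SnapshotType": "manual", "Encrypted": False},
]})


def unencrypted_clusters(describe_clusters_json):
    """Cluster identifiers whose Encrypted flag is absent or false (the console Encryption property)."""
    clusters = json.loads(describe_clusters_json).get("Clusters", [])
    return sorted(c["ClusterIdentifier"] for c in clusters if not c.get("Encrypted", False))


def unencrypted_snapshots(describe_snapshots_json):
    """Snapshot identifiers whose Encrypted flag is absent or false, regardless of source cluster."""
    snaps = json.loads(describe_snapshots_json).get("Snapshots", [])
    return sorted(s["SnapshotIdentifier"] for s in snaps if not s.get("Encrypted", False))


def snapshot_cluster_mismatches(describe_clusters_json, describe_snapshots_json):
    """Snapshots whose Encrypted flag differs from their source cluster's.

    Backups inherit the cluster's encryption state, so a mismatch (for example a snapshot that
    predates enabling encryption on the cluster) deserves its own review: the cluster passes the
    check while a restorable copy of its data is still unencrypted.
    """
    clusters = json.loads(describe_clusters_json).get("Clusters", [])
    encrypted_by_cluster = {c["ClusterIdentifier"]: bool(c.get("Encrypted", False)) for c in clusters}
    snaps = json.loads(describe_snapshots_json).get("Snapshots", [])
    return sorted(
        s["SnapshotIdentifier"] for s in snaps
        if s["ClusterIdentifier"] in encrypted_by_cluster
        and bool(s.get("Encrypted", False)) != encrypted_by_cluster[s["ClusterIdentifier"]]
    )


if __name__ == "__main__":
    print("unencrypted clusters:", unencrypted_clusters(SAMPLE_CLUSTERS))
    print("unencrypted snapshots:", unencrypted_snapshots(SAMPLE_SNAPSHOTS))
    print("mismatched snapshots:", snapshot_cluster_mismatches(SAMPLE_CLUSTERS, SAMPLE_SNAPSHOTS))
```

To run it against a live account, replace the two samples with the output of the corresponding `--output json` CLI calls for the region being audited.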


Implementation Plan:

Using AWS Console:

Redshift backups are automatically encrypted with the same encryption key that was used to encrypt the source cluster. This means that if the Redshift cluster is encrypted, its backups are automatically encrypted as well.

To enable encryption for the Redshift cluster, follow the steps below:

Step 1: Login to the AWS Management Console.

Step 2: Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

Step 3: In the left navigation panel, under Redshift Dashboard, click Clusters.

Step 4: Choose the cluster that you want to encrypt and click on it.

Step 5: Go to the Properties tab.


Step 6: Click Edit, and then choose Edit encryption.


Step 7: Choose Use AWS Key Management Service (AWS KMS) or Use a hardware security module (HSM).

Step 8: Click on Save Changes.


Using AWS CLI:

aws redshift modify-cluster --cluster-identifier <value> --encrypted --kms-key-id <value>


Note: If --kms-key-id is omitted, your default KMS key is used. To use a customer-managed key, include the --kms-key-id option and replace <value> with your KMS key.



Backout Plan:

If the encryption is not required you can disable the encryption.

Using AWS Console:

Step 1: Login to the AWS Management Console.

Step 2: Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

Step 3: In the left navigation panel, under Redshift Dashboard, click Clusters.

Step 4: Choose the cluster for which you want to disable encryption and click on it.

Step 5: Go to the Properties tab.

Step 6: Click Edit, and then choose Edit encryption.

Step 7: Choose the Disable option and click Save Changes.


Using AWS CLI:

To remove encryption from your cluster, run the following CLI command.

aws redshift modify-cluster --cluster-identifier <value> --no-encrypted

