Profile Applicability:
Level 1
Description:
Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. Encryption at rest in Amazon Redshift helps ensure that the data stored in Redshift is secure and meets compliance requirements. When enabled, all data stored in the cluster is encrypted using industry-standard AES-256 encryption.
By default, Amazon Redshift uses Amazon-managed keys (AWS KMS) for encryption, but you can also use your own Customer Master Key (CMK) for more control. Enabling encryption at rest protects sensitive data from unauthorized access and helps you meet regulatory and compliance requirements.
Rationale:
Data Protection: Encryption at rest ensures that data stored in Amazon Redshift is protected against unauthorized access. Even if physical storage media is compromised, encrypted data remains unreadable without the proper decryption keys.
Compliance: Enabling encryption at rest helps organizations meet security and privacy regulations such as GDPR, HIPAA, and PCI-DSS, which often require data to be encrypted at rest.
AWS Integration: Redshift integrates with AWS Key Management Service (KMS) for key management, ensuring that encryption keys are securely stored and controlled.
Security Best Practices: Encryption at rest is a fundamental best practice for data security, reducing the attack surface and mitigating the risk of data exposure.
Impact:
Pros:
Enhanced Security: Encrypting data ensures it is protected from unauthorized access and exposure.
Regulatory Compliance: Meets compliance requirements for industries that mandate data encryption, such as financial services, healthcare, and e-commerce.
Integration with AWS Services: Leverages AWS services like AWS KMS for secure key management, allowing for centralized control over encryption keys.
Cons:
Performance Overhead: Encryption at rest may introduce a slight performance overhead, though AWS optimizes for minimal impact.
Cost: Using AWS KMS for key management may incur additional costs for key usage and management, depending on the volume of requests.
Complexity: Ensuring proper configuration of encryption settings and key management may require additional administrative effort.
Default Value:
By default, Amazon Redshift clusters created after July 2019 are encrypted at rest with Amazon-managed keys. However, if the cluster was created before this, encryption might not be enabled by default. You must explicitly enable encryption during the creation of the cluster or modify existing clusters to ensure that encryption is enabled.
Pre-requisite:
AWS IAM Permissions:
redshift:DescribeClusters
redshift:ModifyCluster
kms:ListAliases
kms:DescribeKey
AWS CLI installed and configured.
AWS KMS should be available if using a Customer Master Key (CMK).
A Redshift cluster that supports encryption at rest (encryption is enabled either when the cluster is created or by modifying an existing cluster).
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon Redshift under Services.
In the Redshift Dashboard, click on Clusters.
Select the cluster you want to check.
Under the Properties section, look for the Encryption setting:
If Encryption at Rest is enabled, it will show as Enabled.
If Encryption at Rest is disabled, it will show as Disabled.
If encryption is disabled, click Modify Cluster and enable Encryption at Rest.
Choose AWS-managed key (KMS) or a Customer Master Key (CMK) from AWS KMS.
Save the changes and verify that the cluster is now encrypted.
Using AWS CLI:
To check if encryption at rest is enabled for a Redshift cluster, run:
aws redshift describe-clusters --query 'Clusters[*].{ClusterId:ClusterIdentifier,Encrypted:Encrypted}'
To enable encryption at rest for a Redshift cluster, run:
aws redshift modify-cluster --cluster-identifier <cluster-id> --encrypted --kms-key-id <kms-key-id>
To verify the encryption status:
aws redshift describe-clusters --cluster-identifier <cluster-id> --query 'Clusters[*].Encrypted'
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Amazon Redshift.
In the Redshift Dashboard, select the Redshift Cluster you want to configure.
Under Cluster Properties, check if Encryption is enabled.
If Encryption at Rest is disabled:
Click Modify.
Select Enable Encryption at Rest.
Choose either AWS KMS Managed Key or a Customer Master Key (CMK) for encryption.
Save the changes. The cluster will be modified and restarted to apply the encryption settings.
Using AWS CLI:
To enable Encryption at Rest during the creation of a new Redshift cluster:
aws redshift create-cluster --cluster-identifier <cluster-id> --node-type <node-type> --master-username <username> --master-user-password <password> --encrypted --kms-key-id <kms-key-id>
To enable encryption for an existing cluster, use the modify-cluster command:
aws redshift modify-cluster --cluster-identifier <cluster-id> --encrypted --kms-key-id <kms-key-id>
Verify that the cluster is encrypted:
aws redshift describe-clusters --cluster-identifier <cluster-id> --query 'Clusters[*].Encrypted'
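The Test Plan and Implementation Steps above check the Encrypted flag one cluster at a time. The following script, added here as an example and not part of this benchmark or the AWS CLI, runs the same check over the whole describe-clusters output and prints the benchmark's modify-cluster command for every cluster that is not encrypted; the sample JSON, cluster identifiers and key ARN are constructed, and the KMS key is a placeholder unless passed as the first argument.

```python
# Audit Amazon Redshift clusters for encryption at rest using only the stdlib.
import json
import shlex
import subprocess
import sys

# Constructed sample in the shape of `aws redshift describe-clusters` output;
# the identifiers and key ARN are made up and do not refer to real resources.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"Clusters": [
    {"ClusterIdentifier": "analytics-prod", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "ClusterStatus": "available"},
    {"ClusterIdentifier": "reporting-legacy", "Encrypted": False,
     "ClusterStatus": "available"},
    {"ClusterIdentifier": "etl-scratch", "Encrypted": False,
     "ClusterStatus": "modifying"},
]})

def find_unencrypted(describe_json: str) -> list:
    """Return cluster records whose Encrypted flag is not exactly true.
    A missing or non-boolean value counts as a finding, so a truncated or
    malformed record cannot hide an unencrypted cluster."""
    clusters = json.loads(describe_json).get("Clusters", [])
    return [c for c in clusters if c.get("Encrypted") is not True]

def remediation_command(cluster_id: str, kms_key_id: str) -> str:
    """Build the benchmark's modify-cluster command, shell-quoted for safety."""
    return " ".join(shlex.quote(p) for p in [
        "aws", "redshift", "modify-cluster", "--cluster-identifier", cluster_id,
        "--encrypted", "--kms-key-id", kms_key_id])

def audit(describe_json: str, kms_key_id: str) -> list:
    """Return one finding line per unencrypted cluster, with its fix command."""
    lines = []
    for c in find_unencrypted(describe_json):
        cid = c.get("ClusterIdentifier", "<unknown>")
        status = c.get("ClusterStatus", "unknown")  # shown because modify applies to available clusters
        lines.append(f"{cid}: NOT encrypted (status {status}) -> "
                     f"{remediation_command(cid, kms_key_id)}")
    return lines

if __name__ == "__main__":
    # Live run: needs the AWS CLI configured with redshift:DescribeClusters.
    # First argument is the KMS key to use; a placeholder is assumed otherwise.
    key = sys.argv[1] if len(sys.argv) > 1 else "<kms-key-id>"
    live = subprocess.run(["aws", "redshift", "describe-clusters"],
                          check=True, capture_output=True, text=True).stdout
    print("\n".join(audit(live, key)) or "All clusters are encrypted at rest.")
```

The generated commands are printed, not executed, so the output can be reviewed before any cluster is modified and restarted.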
Backout Plan:
Console Process:
Go to the Amazon Redshift Console:
Open the Amazon Redshift console.
Select your cluster from the list.
Check Encryption Status:
In the cluster details, look for the Encryption setting under Cluster Properties.
If encryption is enabled, it will show as Enabled.
CLI Process:
Describe the Cluster:
aws redshift describe-clusters --cluster-identifier <cluster-id>
Check the Output:
Look for the Encrypted field in the output.
If its value is true, the cluster is encrypted at rest.
Note:
Encryption Key Management: Ensure that KMS keys used for encryption at rest are properly managed and rotated according to your organization's key management policy.
Testing: Before enabling encryption on production clusters, it is advisable to test in a development or staging environment to confirm that encryption does not introduce issues.