Amazon Redshift
Management Guide (API Version 2012-12-01)

Configuring Database Encryption Using the Console

You can use the Amazon Redshift console to configure Amazon Redshift to use an HSM and to rotate encryption keys. For details on creating a cluster with an AWS KMS encryption key or an HSM configuration, see Creating a Cluster and Managing Clusters Using the Amazon Redshift CLI and API.

Configuring Amazon Redshift to Use an HSM Using the Amazon Redshift Console

Use the following procedures to specify HSM connection and configuration information for Amazon Redshift using the Amazon Redshift console.

To create an HSM Connection

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the left navigation pane, click Security, and then click the HSM Connections tab.

  3. Click Create HSM Connection.

  4. On the Create HSM Connection page, type the following information:

    1. In the HSM Connection Name box, type a name to identify this connection.

    2. In the Description box, type a description about the connection.

    3. In the HSM IP Address box, type the IP address for your HSM.

    4. In the HSM Partition Name box, type the name of the partition that Amazon Redshift should connect to.

    5. In the HSM Partition Password box, type the password that is required to connect to the HSM partition.

    6. Copy the public server certificate from your HSM and paste it in the Paste the HSM's public server certificate here box.

    7. Click Create.

  5. After the connection is created, you can create an HSM client certificate. If you want to create an HSM client certificate immediately after creating the connection, click Yes and complete the steps in the next procedure. Otherwise, click Not now to return to the list of HSM connections and complete the remainder of the process at another time.

To create an HSM client certificate

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the left navigation pane, click Security, and then click the HSM Certificates tab.

  3. Click Create HSM Client Certificate.

  4. On the Create HSM Client Certificate page, type a name in the HSM Client Certificate Identifier box to identify this client certificate.

  5. Click Next.

  6. After the certificate is created, a confirmation page appears with information to register the key on your HSM. If you do not have permission to configure the HSM, coordinate the following steps with an HSM administrator.

    1. On your computer, open a new text file.

    2. In the Amazon Redshift console, on the Create HSM Client Certificate confirmation page, copy the public key.

    3. Paste the public key into the open file and save it with the file name displayed in step 1 from the confirmation page. Make sure that you save the file with the .pem file extension, for example: 123456789mykey.pem.

    4. Upload the .pem file to your HSM.

    5. On the HSM, open a command-prompt window and run the commands listed in step 4 on the confirmation page to register the key. The commands use the following format, where ClientName, KeyFilename, and PartitionName are values you must replace with your own:

      client register -client ClientName -hostname KeyFilename

      client assignPartition -client ClientName -partition PartitionName

      For example:

      client register -client MyClient -hostname 123456789mykey

      client assignPartition -client MyClient -partition MyPartition

    6. After you register the key on the HSM, click Next.

  7. After the HSM client certificate is created and registered, click one of the following buttons:

    1. Launch a Cluster with HSM. This option starts the process of launching a new cluster. During the process, you can select an HSM to store encryption keys. For more information about the launch cluster process, see Managing Clusters Using the Console.

    2. Create an HSM Connection. This option starts the Create HSM Connection process.

    3. View Certificates. This option returns you to HSM in the navigation pane and displays a list of client certificates on the Certificates tab.

    4. Previous. This option returns you to the Create HSM Client Certificates confirmation page.

    5. Close. This option returns you to HSM in the navigation pane and displays a list of HSM connections on the Connections tab.
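The key-file naming in step 6 of the procedure above is easy to get wrong: the value passed to `-hostname` is the saved file name without its .pem extension. The following added example (not from the AWS guide) checks that the saved file is a .pem with PEM framing and prints the two HSM commands in the format quoted above; the file name, client name and partition name are constructed placeholders, and the only content check it makes is for the BEGIN/END PEM lines.

```shell
#!/bin/sh
# Added example, not part of the AWS guide. Validates the public-key file
# saved in step 3 and derives the registration commands from step 5.

# pem_ok FILE: succeed only if FILE ends in .pem and carries PEM framing.
pem_ok() {
  case "$1" in *.pem) ;; *) return 1 ;; esac
  [ -f "$1" ] || return 1
  grep -q '^-----BEGIN ' "$1" || return 1
  grep -q '^-----END ' "$1" || return 1
  return 0
}

# key_filename FILE: the -hostname value is the file name minus ".pem".
key_filename() {
  basename "$1" .pem
}

# register_cmds CLIENT FILE PARTITION: print the two commands to run on the HSM.
register_cmds() {
  pem_ok "$2" || { echo "refusing: $2 is not a .pem file with PEM framing" >&2; return 1; }
  printf 'client register -client %s -hostname %s\n' "$1" "$(key_filename "$2")"
  printf 'client assignPartition -client %s -partition %s\n' "$1" "$3"
}

# Constructed sample standing in for the key copied from the confirmation page.
SAMPLE_DIR=$(mktemp -d)
SAMPLE="$SAMPLE_DIR/123456789mykey.pem"
cat > "$SAMPLE" <<'EOF'
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedsamplekeydata
-----END PUBLIC KEY-----
EOF

register_cmds MyClient "$SAMPLE" MyPartition
```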

To display the public key for an HSM client certificate

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, click Security, and then click the HSM Certificates tab.

  3. Click the HSM client certificate to display the public key. This key is the same one that you added to the HSM in the preceding procedure, To create an HSM client certificate.

To delete an HSM connection

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the left navigation pane, click Security, and then click the HSM Connections tab.

  3. Click the HSM connection that you want to delete.

  4. In the Delete HSM Connection dialog box, click Delete to delete the connection from Amazon Redshift, or click Cancel to return to the HSM Connections tab without deleting the connection.

To delete an HSM client certificate

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, click Security and select the HSM Certificates tab.

  3. In the list, click the HSM client certificate that you want to delete.

  4. In the Delete HSM Client Certificate dialog box, click Delete to delete the certificate from Amazon Redshift, or click Cancel to return to the Certificates tab without deleting the certificate.

Rotating Encryption Keys Using the Amazon Redshift Console

Use the following procedure to rotate encryption keys using the Amazon Redshift console.

To rotate an encryption key

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, click Clusters.

  3. In the list, click the cluster for which you want to rotate keys.

  4. Click Database, and then click Rotate Encryption Keys.

  5. Click Yes, Rotate Keys if you want to rotate the keys or Cancel if you do not.

    Note

    Your cluster will be momentarily unavailable until the key rotation process completes.