Security - Data Warehousing on AWS

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

Security

To help provide data security, you can run Amazon Redshift inside a virtual private cloud based on the Amazon Virtual Private Cloud (Amazon VPC) service. The VPC's software-defined networking model lets you define firewall rules (security groups and network ACLs) that restrict which sources can reach the cluster and on which ports. Amazon Redshift supports SSL/TLS-encrypted connections between your client application and your Amazon Redshift data warehouse cluster, so data is encrypted in transit. You can also enable Enhanced VPC Routing to control the data flow between your Amazon Redshift cluster and other data sources, such as COPY and UNLOAD traffic to Amazon S3: that traffic is then routed through your VPC and stays within the AWS network instead of traversing the public internet. Note that with Enhanced VPC Routing enabled, the VPC itself must provide a path to those data sources (for example, a VPC endpoint for Amazon S3), because the cluster no longer uses the public route.

The Amazon Redshift compute nodes store your data, but they sit on a private network that can be reached only from the cluster's leader node; client applications never connect to compute nodes directly. This isolation provides another layer of security. Amazon Redshift integrates with AWS CloudTrail so that you can audit all Amazon Redshift API calls. CloudTrail records control-plane actions such as creating, modifying, or deleting a cluster; it does not record the SQL statements users run, so for that you enable the cluster's database audit logging. To help keep your data secure at rest, Amazon Redshift supports cluster encryption and encrypts each block using hardware-accelerated Advanced Encryption Standard (AES)-256 as the block is written to disk. This encryption takes place at a low level in the I/O subsystem, which encrypts everything written to disk, including intermediate query results. Blocks are backed up as is, which means that backups are also encrypted. By default, Amazon Redshift manages the encryption keys for you, but you can instead manage them through AWS Key Management Service (AWS KMS) or with your own hardware security modules (HSMs).

Database security within the cluster is managed by controlling user access: creating database users and groups, granting each only the privileges it needs on tables and views, and using column-level GRANT and REVOKE where a role needs some columns of a table but must not see others. This lets you meet security and compliance needs at a finer granularity than table-level grants alone.
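The following script, added here as an illustration and not taken from the whitepaper, shows the privilege model just described on a constructed example: two groups, two users, a table with one sensitive column, a column-level grant that hides that column from analysts, a view that narrows rows as well as columns, and a check run under the analyst's identity. The table, column, group, and user names are assumed for the example; the statements use Amazon Redshift syntax and are meant to be run by a superuser or the schema owner.

```sql
-- Added example (not from the whitepaper): least-privilege grants in Amazon Redshift.
-- Assumed objects: table customers, groups analysts and support_staff, users alice and bob.

CREATE TABLE customers (
    customer_id    INTEGER       NOT NULL,
    email          VARCHAR(256)  NOT NULL,
    region         VARCHAR(32)   NOT NULL,
    ssn_last4      CHAR(4),                -- sensitive: analysts must never read it
    lifetime_value DECIMAL(12,2)
);

-- Grant to groups, not to individual users, so access follows the role.
CREATE GROUP analysts;
CREATE GROUP support_staff;

-- Database users placed in their group at creation time (passwords are placeholders).
CREATE USER alice PASSWORD 'Str0ngPassw0rd!1'  IN GROUP analysts;
CREATE USER bob   PASSWORD 'An0therStr0ngP@ss' IN GROUP support_staff;

-- Hardening: by default every user can create objects in the public schema; remove that.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Column-level grant: analysts can read everything except the sensitive column.
GRANT SELECT (customer_id, region, lifetime_value) ON customers TO GROUP analysts;

-- Support staff can read and correct contact data, but see no PII or value fields.
GRANT SELECT (customer_id, email, region) ON customers TO GROUP support_staff;
GRANT UPDATE (email)                      ON customers TO GROUP support_staff;

-- A view narrows rows as well as columns; grant on the view, not on the base table.
CREATE VIEW customers_eu AS
    SELECT customer_id, region, lifetime_value
    FROM customers
    WHERE region = 'EU';
GRANT SELECT ON customers_eu TO GROUP analysts;

-- Check the grants by acting as the analyst (superuser only).
SET SESSION AUTHORIZATION 'alice';
SELECT customer_id, region FROM customers LIMIT 5;   -- allowed: granted columns only
SELECT ssn_last4 FROM customers LIMIT 5;             -- expected to fail: permission denied
SELECT * FROM customers_eu LIMIT 5;                  -- allowed via the view
RESET SESSION AUTHORIZATION;

-- Tighten later without touching the rest of the grants.
REVOKE UPDATE (email) ON customers FROM GROUP support_staff;
```

The group names are the unit of access control here, which also matters once authentication moves to IAM (an IAM detail not covered on this page): temporary credentials issued for a federated user join that user to existing database groups for the session, so the groups and their grants should be in place before the first federated login.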

In addition, Amazon Redshift provides multiple means of authentication to secure and simplify data warehouse access. You can use AWS Identity and Access Management (AWS IAM) within your AWS account to issue database credentials. If you already manage user identities outside of AWS with a SAML 2.0-compatible identity provider, use federated authentication so that your users can access the data warehouse without you managing database users and passwords. Amazon Redshift also supports multi-factor authentication (MFA), enforced through IAM or the federated identity provider, to provide additional security.