Changing cluster encryption - Amazon Redshift

Changing cluster encryption

You can modify an unencrypted cluster to use AWS Key Management Service (AWS KMS) encryption, using either an AWS-managed key or a customer managed key. When you modify your cluster to enable AWS KMS encryption, Amazon Redshift automatically migrates your data to a new encrypted cluster. You can also migrate an encrypted cluster to an unencrypted cluster by modifying the cluster.

During the migration operation, your cluster is available in read-only mode, and the cluster status appears as resizing.

If your cluster is configured to enable cross-AWS Region snapshot copy, you must disable it before changing encryption. For more information, see Copying a snapshot to another AWS Region and Configuring cross-Region snapshot copy for an AWS KMS–encrypted cluster.

You can't enable hardware security module (HSM) encryption by modifying the cluster. Instead, create a new, HSM-encrypted cluster and migrate your data to the new cluster. For more information, see Migrating to an HSM-encrypted cluster.

Amazon Redshift console
  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshiftv2/.

  2. On the navigation menu, choose Clusters, then choose the cluster whose encryption you want to modify.

  3. Choose Properties.

  4. In the Database configurations section, choose Edit, then choose Edit encryption.

  5. Choose one of the encryption options and choose Save changes.

AWS CLI

To modify your unencrypted cluster to use AWS KMS, run the modify-cluster CLI command and specify --encrypted, as shown following. If you omit --kms-key-id, your default KMS key is used. To specify a customer managed key, include the --kms-key-id option.

aws redshift modify-cluster --cluster-identifier <value> --encrypted --kms-key-id <value>

To remove encryption from your cluster, run the following CLI command.

aws redshift modify-cluster --cluster-identifier <value> --no-encrypted
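The following script is an added example, not part of the Amazon Redshift documentation or the AWS CLI. It strings the CLI steps above into one procedure: it checks whether cross-Region snapshot copy is enabled and disables it if so, requests the KMS migration (with or without a customer managed key), polls the cluster status until the cluster leaves the read-only resizing state, and then verifies with describe-clusters that the cluster reports Encrypted and the expected key. The function names, the MIGRATION_TIMEOUT and POLL_INTERVAL variables, and the cluster identifier and key ARN in the usage line are assumptions for illustration; the aws subcommands and --query paths are real.

```shell
#!/bin/sh
# Added example (not from the Amazon Redshift documentation): migrate an unencrypted
# cluster to AWS KMS encryption with the AWS CLI, handling the cross-Region snapshot
# copy prerequisite, waiting for the migration, and verifying the result.
# Assumes a configured AWS CLI; the cluster name and KMS key ARN in the usage line
# are placeholders.
set -eu

MIGRATION_TIMEOUT=${MIGRATION_TIMEOUT:-7200}   # seconds to wait for "available"
POLL_INTERVAL=${POLL_INTERVAL:-60}             # seconds between status polls

# Destination Region of cross-Region snapshot copy, or "None" when it is disabled
# (the CLI prints "None" for a null --query result in text output).
cross_region_copy_destination() {
  aws redshift describe-clusters --cluster-identifier "$1" \
    --query 'Clusters[0].ClusterSnapshotCopyStatus.DestinationRegion' --output text
}

cluster_status() {
  aws redshift describe-clusters --cluster-identifier "$1" \
    --query 'Clusters[0].ClusterStatus' --output text
}

# Request the migration. An empty key ID means the default KMS key is used.
enable_kms_encryption() {
  cluster=$1
  key_id=${2:-}
  if [ -n "$key_id" ]; then
    set -- --kms-key-id "$key_id"
  else
    set --
  fi
  aws redshift modify-cluster --cluster-identifier "$cluster" --encrypted "$@" \
    --query 'Cluster.ClusterStatus' --output text
}

# Poll until the cluster leaves the read-only "resizing" state and is "available".
wait_until_available() {
  waited=0
  while :; do
    status=$(cluster_status "$1")
    if [ "$status" = "available" ]; then
      return 0
    fi
    if [ "$waited" -ge "$MIGRATION_TIMEOUT" ]; then
      echo "timed out waiting for $1 (last status: $status)" >&2
      return 1
    fi
    sleep "$POLL_INTERVAL"
    waited=$((waited + POLL_INTERVAL))
  done
}

# Confirm encryption is on and, when a key was requested, that it is the one in use.
# describe-clusters reports the key as an ARN, so pass the ARN, not the bare key ID.
verify_encrypted() {
  cluster=$1
  expected_key=${2:-}
  encrypted=$(aws redshift describe-clusters --cluster-identifier "$cluster" \
    --query 'Clusters[0].Encrypted' --output text)
  [ "$encrypted" = "True" ] || { echo "$cluster is not encrypted" >&2; return 1; }
  if [ -n "$expected_key" ]; then
    key=$(aws redshift describe-clusters --cluster-identifier "$cluster" \
      --query 'Clusters[0].KmsKeyId' --output text)
    [ "$key" = "$expected_key" ] || { echo "unexpected key on $cluster: $key" >&2; return 1; }
  fi
}

# Full procedure: prerequisite, migration, wait, verification.
migrate_to_kms() {
  cluster=$1
  key_id=${2:-}
  if [ "$(cross_region_copy_destination "$cluster")" != "None" ]; then
    echo "disabling cross-Region snapshot copy on $cluster" >&2
    aws redshift disable-snapshot-copy --cluster-identifier "$cluster" >/dev/null
  fi
  enable_kms_encryption "$cluster" "$key_id" >/dev/null
  wait_until_available "$cluster"
  verify_encrypted "$cluster" "$key_id"
}

# Usage (placeholder identifiers):
#   migrate_to_kms my-cluster arn:aws:kms:us-east-1:111122223333:key/example-key-id
```

Run it with the AWS CLI configured for the account and Region that own the cluster. Re-enable cross-Region snapshot copy afterwards if you rely on it; the KMS-encrypted cluster needs a snapshot copy grant in the destination Region, as described in Configuring cross-Region snapshot copy for an AWS KMS–encrypted cluster.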