Amazon Redshift
Cluster Management Guide

Configuring Database Encryption Using the Console

You can use the Amazon Redshift console to configure Amazon Redshift to use an HSM and to rotate encryption keys. For information about how to create clusters using AWS KMS encryption keys, see Creating a Cluster and Manage Clusters Using the Amazon Redshift CLI and API.

Note

A new console is available for Amazon Redshift. Choose either the New Console or the Original Console instructions based on the console that you are using. The New Console instructions are open by default.

New Console

To modify database encryption on a cluster

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. On the navigation menu, choose CLUSTERS, then choose the cluster whose encryption you want to modify.

  3. For Actions, choose Modify to display the configuration page.

  4. In the Database configuration section, choose a setting for Encryption, then choose Modify cluster.

Original Console

Configuring Amazon Redshift to Use an HSM Using the Amazon Redshift console

You can use the following procedures to specify HSM connection and configuration information for Amazon Redshift by using the Amazon Redshift console.

To create an HSM Connection

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, choose Security, and then choose the HSM Connections tab.

  3. Choose Create HSM Connection.

  4. On the Create HSM Connection page, type the following information:

    1. In the HSM Connection Name box, type a name to identify this connection.

    2. In the Description box, type a description about the connection.

    3. In the HSM IP Address box, type the IP address for your HSM.

    4. In the HSM Partition Name box, type the name of the partition that Amazon Redshift should connect to.

    5. In the HSM Partition Password box, type the password that is required to connect to the HSM partition.

    6. Copy the public server certificate from your HSM and paste it in the Paste the HSM's public server certificate here box.

    7. Choose Create.

  5. After the connection is created, you can create an HSM client certificate. If you want to create an HSM client certificate immediately after creating the connection, choose Yes and complete the steps in the next procedure. Otherwise, choose Not now to return to the list of HSM connections and complete the remainder of the process at another time.

To create an HSM client certificate

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, choose Security, and then choose the HSM Certificates tab.

  3. Choose Create HSM Client Certificate.

  4. On the Create HSM Client Certificate page, type a name in the HSM Client Certificate Identifier box to identify this client certificate.

  5. Choose Next.

  6. After the certificate is created, a confirmation page appears with information to register the key on your HSM. If you do not have permission to configure the HSM, coordinate the following steps with an HSM administrator.

    1. On your computer, open a new text file.

    2. In the Amazon Redshift console, on the Create HSM Client Certificate confirmation page, copy the public key.

    3. Paste the public key into the open file and save it with the file name displayed in step 1 from the confirmation page. Make sure that you save the file with the .pem file extension, for example: 123456789mykey.pem.

    4. Upload the .pem file to your HSM.

    5. On the HSM, open a command-prompt window and run the commands listed in step 4 on the confirmation page to register the key. The commands use the following format, where ClientName, KeyFilename, and PartitionName are placeholders that you replace with your own values:

      client register -client ClientName -hostname KeyFilename

      client assignPartition -client ClientName -partition PartitionName

      For example:

      client register -client MyClient -hostname 123456789mykey

      client assignPartition -client MyClient -partition MyPartition

    6. After you register the key on the HSM, choose Next.

  7. After the HSM client certificate is created and registered, choose one of the following buttons.

    1. Launch a Cluster with HSM. This option starts the process of launching a new cluster. During the process, you can select an HSM to store encryption keys. For more information about the launch cluster process, see Managing Clusters Using the Console.

    2. Create an HSM Connection. This option starts the Create HSM Connection process.

    3. View Certificates. This option returns you to HSM in the navigation pane and displays a list of client certificates on the Certificates tab.

    4. Previous. This option returns you to the Create HSM Client Certificates confirmation page.

    5. Close. This option returns you to HSM in the navigation pane and displays a list of HSM connections on the Connections tab.
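Step 6 of the preceding procedure asks you to paste the public key from the confirmation page into a file, save it under the displayed name with a .pem extension, and upload it to the HSM. A paste that lost its first or last lines, or a file saved under the wrong name, only shows up later as a failed client register command on the HSM. The following is an added example, not part of the Amazon Redshift documentation or of any AWS tooling, that checks the file before you upload it. It assumes that the key copied from the console is PEM-encoded (a BEGIN/END block whose body is base64-encoded DER) and that the HSM expects the file name to be exactly the identifier shown on the confirmation page plus .pem; the sample key in the block is a constructed placeholder DER structure, not a real Redshift key.

```python
"""Sanity-check a pasted HSM client public key file before uploading it to the HSM.

Added example; not from the Amazon Redshift documentation or AWS tooling.
Assumptions (see also the lead-in): the pasted key is PEM framed base64 DER,
and the expected file name is "<identifier shown on the confirmation page>.pem".
"""
import base64
import binascii
import re
from pathlib import Path

# One complete PEM block: matching BEGIN/END labels with a base64 body between them.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def parse_pem(text: str) -> bytes:
    """Return the DER bytes of the first PEM block; raise ValueError on malformed input."""
    match = PEM_RE.search(text)
    if not match:
        raise ValueError("no complete -----BEGIN/-----END PEM block found (incomplete paste?)")
    body = re.sub(r"\s+", "", match.group("body"))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        # Certificates and SubjectPublicKeyInfo structures are DER SEQUENCEs (tag 0x30).
        raise ValueError("decoded body does not start with a DER SEQUENCE")
    return der


def der_sequence_length(der: bytes) -> int:
    """Decode the outer SEQUENCE length header and return the total byte count it declares."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length header")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_key_text(text: str) -> list:
    """Return the problems found in the pasted key text; an empty list means it looks usable."""
    problems = []
    try:
        der = parse_pem(text)
        declared = der_sequence_length(der)
        if declared != len(der):
            problems.append(
                f"DER length mismatch: header declares {declared} bytes, got {len(der)} "
                "(truncated or extra paste?)"
            )
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def check_filename(name: str, expected_identifier: str) -> list:
    """Return the problems with the file name: it must be exactly <identifier>.pem."""
    path = Path(name)
    problems = []
    if path.suffix != ".pem":
        problems.append(f"file name {name!r} must end in .pem")
    if path.stem != expected_identifier:
        problems.append(
            f"file name stem {path.stem!r} does not match the identifier "
            f"{expected_identifier!r} shown on the confirmation page"
        )
    return problems


def check_key_file(path, expected_identifier: str) -> list:
    """Combine the file-name and contents checks for a saved .pem file."""
    path = Path(path)
    return check_filename(path.name, expected_identifier) + check_key_text(path.read_text())


# Constructed placeholder content: SEQUENCE { INTEGER 5 }, not a real key.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.b64encode(SAMPLE_DER).decode() + "\n"
    + "-----END PUBLIC KEY-----\n"
)
# Constructed header that claims 16 content bytes but carries only 3: a truncated paste.
TRUNCATED_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.b64encode(bytes([0x30, 0x10, 0x02, 0x01, 0x05])).decode() + "\n"
    + "-----END PUBLIC KEY-----\n"
)

if __name__ == "__main__":
    for name in ("123456789mykey.pem", "123456789mykey.txt", "mykey.pem"):
        print(name, "->", check_filename(name, "123456789mykey") or "ok")
    print("sample key ->", check_key_text(SAMPLE_PEM) or "ok")
    print("truncated key ->", check_key_text(TRUNCATED_PEM))
```

Run check_key_file against the saved file with the identifier from the confirmation page (for the page's example, 123456789mykey) and upload only when the returned list is empty. The DER length comparison is what catches a paste that dropped trailing lines while still keeping valid base64; the BEGIN/END match catches one that dropped the first or last marker line.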

To display the public key for an HSM client certificate

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, choose Security, and then choose the HSM Certificates tab.

  3. Choose the HSM client certificate to display the public key. This key is the same one that you added to the HSM in the preceding procedure, To create an HSM client certificate.

To delete an HSM connection

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, choose Security, and then choose the HSM Connections tab.

  3. Choose the HSM connection that you want to delete.

  4. In the Delete HSM Connection dialog box, choose Delete to delete the connection from Amazon Redshift, or choose Cancel to return to the HSM Connections tab without deleting the connection.

To delete an HSM client certificate

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, choose Security, and then choose the HSM Certificates tab.

  3. In the list, choose the HSM client certificate that you want to delete.

  4. In the Delete HSM Client Certificate dialog box, choose Delete to delete the certificate from Amazon Redshift, or choose Cancel to return to the Certificates tab without deleting the certificate.

Rotating Encryption Keys Using the Amazon Redshift console

You can use the following procedure to rotate encryption keys by using the Amazon Redshift console.

Note

A new console is available for Amazon Redshift. Choose either the New Console or the Original Console instructions based on the console that you are using. The New Console instructions are open by default.

New Console

To rotate the encryption keys for a cluster

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. On the navigation menu, choose CLUSTERS, then choose the cluster whose encryption keys you want to rotate.

  3. For Actions, choose Rotate encryption to display the Rotate encryption keys page.

  4. On the Rotate encryption keys page, choose Rotate encryption keys.

Original Console

To rotate an encryption key

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, choose Clusters.

  3. In the list, choose the cluster for which you want to rotate keys.

  4. Choose Database, and then choose Rotate Encryption Keys.

  5. Choose Yes, Rotate Keys if you want to rotate the keys or Cancel if you do not.

    Note

    Your cluster will be momentarily unavailable until the key rotation process completes.