Amazon_Redshift_1

Ensure all Redshift clusters are encrypted with Customer-managed KMS key.

Description

In Amazon Redshift, you can enable database encryption for your clusters to help protect data at rest. When you enable encryption for a cluster, the data blocks and system metadata are encrypted for the cluster and its snapshots. Encryption is enabled during the cluster launch process. To go from an unencrypted cluster to an encrypted cluster or the other way around, unload your data from the existing cluster and reload it in a new cluster with the chosen encryption setting.

Remediation

To encrypt an existing Redshift cluster with a KMS customer-managed key (CMK), you must unload its data to an AWS S3 bucket and then load that data into a new cluster launched with the chosen encryption configuration. Perform the following to set up the new Redshift cluster, enable encryption using a KMS CMK, and move your existing cluster data to it.

  1. Navigate to the Redshift dashboard at https://console.aws.amazon.com/redshift/.
  2. In the left navigation panel, under Redshift Dashboard, click Clusters.
  3. Click Launch Cluster button from the dashboard top menu to start the cluster setup process.
  4. On the Cluster Details configuration page, enter a unique name for your new cluster in the Cluster Identifier field and fill out the rest of the fields available on this page with the information taken from your existing (unencrypted or encrypted with the default key) cluster.
  5. Click the Continue button to continue the setup process.
  6. On the Node Configuration page, select the appropriate node type for the new cluster from the Node Type dropdown list and configure the number of nodes used to match the existing cluster configuration.
  7. Click Continue.
  8. On the Additional Configuration page, in the first configuration section, select KMS next to Encrypt Database. Choose the name of your KMS CMK key from the Master Key dropdown list to encrypt the new Redshift cluster using your own customer-managed key. Configure the rest of the options available on the Additional Configuration page to reflect the existing cluster configuration.
  9. Click Continue to load the next page.
  10. On the Review page, review the cluster properties, its database details, the security and encryption configuration, then click Launch Cluster to build the new AWS Redshift cluster.
  11. On the confirmation page click Close to return to the dashboard. Once the Cluster Status value changes to available and the DB Health status changes to healthy, the new cluster can be used to load the existing data.
  12. Now unload your data from the former Redshift cluster and reload it into the newly created cluster using the Amazon Redshift Unload/Copy utility. With this utility tool you can unload (export) your data from the unencrypted cluster (source) to an AWS S3 bucket, encrypt it, then import the data into your new cluster (destination) and clean up the S3 bucket used. All the necessary instructions to install, configure and use the Amazon Redshift Unload/Copy tool can be found at this URL.
  13. As soon as the migration process is completed and all the data is loaded into your new Redshift cluster (encrypted with the KMS CMK key), you can update your application configuration to refer to the new cluster endpoint.
  14. Once the Redshift cluster endpoint is changed within your application configuration, you can remove the former (i.e. the unencrypted or encrypted with the default key) cluster from your AWS account by performing the following actions:
    1. In the navigation panel, under Redshift Dashboard, click Clusters.
    2. Choose the Redshift cluster that you want to remove then click on its identifier link listed in the Cluster column.
    3. On the selected cluster Configuration tab, click the Cluster dropdown button from the dashboard main menu then select Delete from the dropdown list.
    4. Inside the Delete Cluster dialog box, enter a unique name for the final snapshot in the Snapshot name box then click Delete to confirm the action. Once the snapshot is created the former cluster removal process begins.
  15. Repeat steps no. 1 – 14 to enable data-at-rest encryption for other Redshift clusters launched in the current region using KMS CMK customer-managed keys.
  16. Change the AWS region from the navigation bar and repeat the entire process for other regions.
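An audit check for this rule, added here as an example and not part of the original page: it classifies each cluster from a describe_clusters() response as compliant only when it is encrypted with a KMS key whose KeyManager is CUSTOMER. The function names, the sample cluster records and the key ARNs are constructed for the example; only audit_region() talks to AWS.

```python
"""Audit Amazon Redshift clusters for encryption with a customer-managed KMS key."""
from typing import Dict, List


def evaluate_cluster(cluster: Dict, key_managers: Dict[str, str]) -> Dict:
    """Return {'cluster', 'compliant', 'reason'} for one describe_clusters() entry.

    key_managers maps a KMS key ARN to KeyMetadata['KeyManager'], which KMS
    reports as 'CUSTOMER' for CMKs and 'AWS' for AWS-managed keys (aws/redshift).
    """
    ident = cluster["ClusterIdentifier"]
    if not cluster.get("Encrypted"):
        return {"cluster": ident, "compliant": False, "reason": "not encrypted"}
    key_arn = cluster.get("KmsKeyId")
    if not key_arn:
        # Encrypted but no KMS key: HSM-managed encryption, outside this rule's scope
        return {"cluster": ident, "compliant": False, "reason": "encrypted without a KMS key"}
    manager = key_managers.get(key_arn)
    if manager == "CUSTOMER":
        return {"cluster": ident, "compliant": True, "reason": "customer-managed KMS key"}
    if manager == "AWS":
        return {"cluster": ident, "compliant": False, "reason": "AWS-managed KMS key"}
    return {"cluster": ident, "compliant": False, "reason": "KMS key not resolvable"}


def audit_clusters(clusters: List[Dict], key_managers: Dict[str, str]) -> List[Dict]:
    """Return a finding for every non-compliant cluster."""
    results = (evaluate_cluster(c, key_managers) for c in clusters)
    return [r for r in results if not r["compliant"]]


def audit_region(region: str) -> List[Dict]:
    """Live variant: fetch clusters and key metadata with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the offline functions above need no AWS SDK
    redshift = boto3.client("redshift", region_name=region)
    kms = boto3.client("kms", region_name=region)
    pages = redshift.get_paginator("describe_clusters").paginate()
    clusters = [c for page in pages for c in page["Clusters"]]
    key_managers = {}
    for arn in {c["KmsKeyId"] for c in clusters if c.get("KmsKeyId")}:
        key_managers[arn] = kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"]
    return audit_clusters(clusters, key_managers)


# Constructed sample input (not real account data): three clusters, two key ARNs.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001"
AWS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000002"
SAMPLE_KEY_MANAGERS = {CMK_ARN: "CUSTOMER", AWS_KEY_ARN: "AWS"}
SAMPLE_CLUSTERS = [
    {"ClusterIdentifier": "plain", "Encrypted": False},
    {"ClusterIdentifier": "default-key", "Encrypted": True, "KmsKeyId": AWS_KEY_ARN},
    {"ClusterIdentifier": "cmk", "Encrypted": True, "KmsKeyId": CMK_ARN},
]

if __name__ == "__main__":
    for finding in audit_clusters(SAMPLE_CLUSTERS, SAMPLE_KEY_MANAGERS):
        print(f"{finding['cluster']}: {finding['reason']}")
```

Run audit_region() per region to cover step 16; a cluster encrypted with the default aws/redshift key is reported as non-compliant, matching the rule's intent.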

References:

1. https://docs.aws.amazon.com/redshift/latest/mgmt/migrating-to-an-encrypted-cluster.html

2. https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility

3. https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html

Service

Redshift

Severity

High

Compliance

Mapping
