Implementing Encryption at Rest for AWS Redshift Cluster | BDS-C00 Exam | Amazon

Considerations for Implementing Encryption at Rest for AWS Redshift Cluster | BDS-C00 Exam

Question

A company currently has a Redshift cluster in place.

The cluster consists of tables in a star schema format.

Cross region snapshots are also currently configured to ensure the cluster is available in the event of disaster recovery.

There is now a requirement that the cluster data be encrypted at rest.

You are currently planning for the implementation of these changes.

Which of the following would you need to consider in the implementation plan? Choose 2 answers from the options given below.

Answers

Explanations

A. B. C. D.

Answer - B and C.

The AWS Documentation mentions the following.

You can modify an unencrypted cluster to use AWS Key Management Service (AWS KMS) encryption, using either an AWS-managed key or a customer-managed key (CMK).

When you modify your cluster to enable KMS encryption, Amazon Redshift automatically migrates your data to a new encrypted cluster.

You can also migrate an unencrypted cluster to an encrypted cluster by modifying the cluster.

During the migration operation, your cluster is available in read-only mode, and the cluster status appears as resizing.

If your cluster is configured to enable cross-region snapshot copy, you must disable it before changing encryption.

Options A and D are incorrect since the service itself will copy the data to an encrypted cluster.

For more information on changing the cluster encryption, please refer to the below URL.

https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html

Note:

Changing Cluster Encryption.

If your cluster is configured to enable cross-AWS Region snapshot copy, you must disable it before changing encryption.

For more information, see Copying Snapshots to Another Region and Configure Cross-Region Snapshot Copy for an AWS KMS-Encrypted Cluster.

You can't enable hardware security module (HSM) encryption by modifying the cluster.

Instead, create a new, HSM-encrypted cluster and migrate your data to the new cluster.

For more information, see Migrating to an HSM-Encrypted Cluster.
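
The sequence the AWS documentation quoted above describes, written as a preflight planner (an added example, not code from AWS or from this page): given one cluster entry shaped like `aws redshift describe-clusters` output, it emits the ordered AWS CLI commands, including the snapshot copy grant needed to re-enable cross-Region copy for a KMS-encrypted cluster. The function names, cluster identifier, grant name and key aliases are hypothetical.

```python
import shlex

# Constructed sample: one cluster entry shaped like `aws redshift describe-clusters` output.
SAMPLE_CLUSTER = {
    "ClusterIdentifier": "example-dw",  # hypothetical identifier
    "ClusterStatus": "available",
    "Encrypted": False,
    "ClusterSnapshotCopyStatus": {"DestinationRegion": "us-west-2", "RetentionPeriod": 7},
}


def _cmd(*args):
    """Quote every argument so the emitted command is safe to paste into a shell."""
    return " ".join(shlex.quote(str(a)) for a in ("aws", "redshift") + args)


def plan_kms_encryption(cluster, kms_key_id, dest_kms_key_id=None,
                        grant_name="example-copy-grant"):
    """Return the ordered AWS CLI steps for moving an unencrypted cluster to KMS."""
    cid = cluster["ClusterIdentifier"]
    if cluster.get("Encrypted"):
        return []  # already encrypted at rest, nothing to plan
    if cluster.get("ClusterStatus") != "available":
        raise ValueError(f"{cid} is {cluster.get('ClusterStatus')!r}; wait until available")
    copy = cluster.get("ClusterSnapshotCopyStatus")
    if copy and not dest_kms_key_id:
        raise ValueError("snapshot copy is enabled: supply a KMS key in the destination Region")
    steps = []
    if copy:
        # Cross-Region snapshot copy must be disabled before the encryption change.
        steps.append(_cmd("disable-snapshot-copy", "--cluster-identifier", cid))
    # Redshift migrates the data itself; the cluster is read-only and shows "resizing".
    steps.append(_cmd("modify-cluster", "--cluster-identifier", cid,
                      "--encrypted", "--kms-key-id", kms_key_id))
    # Wait for the cluster to report available again before touching snapshot copy.
    steps.append(_cmd("wait", "cluster-available", "--cluster-identifier", cid))
    if copy:
        dest = copy["DestinationRegion"]
        # Copies of KMS-encrypted snapshots need a grant on a key in the destination Region.
        steps.append(_cmd("create-snapshot-copy-grant", "--region", dest,
                          "--snapshot-copy-grant-name", grant_name,
                          "--kms-key-id", dest_kms_key_id))
        steps.append(_cmd("enable-snapshot-copy", "--cluster-identifier", cid,
                          "--destination-region", dest,
                          "--retention-period", copy["RetentionPeriod"],
                          "--snapshot-copy-grant-name", grant_name))
    return steps


if __name__ == "__main__":
    print("\n".join(plan_kms_encryption(SAMPLE_CLUSTER, "alias/example-src", "alias/example-dst")))
```

The planner refuses to proceed when snapshot copy is enabled but no destination-Region key is supplied, so disaster-recovery copies are not silently left disabled after the change.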

The requirement to encrypt the Redshift cluster data at rest can be fulfilled by enabling encryption for the Redshift cluster. However, there are certain considerations that need to be taken into account during the implementation plan.

Option A: Ensuring that the data is UNLOADED to S3 prior to the encryption process

Enabling encryption for a Redshift cluster requires creating a new cluster with the encryption option enabled. The existing cluster data needs to be migrated to the new encrypted cluster. However, unloading the data to S3 is not a mandatory step in this process. The new encrypted cluster can be created, and the data can be migrated to the new cluster using the COPY command. During the COPY command, the data will be encrypted and loaded into the new cluster.

Option B: Ensuring that an OUTAGE interval is kept in mind for the migration process

Migrating data from the existing Redshift cluster to the new encrypted cluster requires downtime. During the migration, the data cannot be accessed, and the cluster will not be available. Therefore, an outage interval needs to be kept in mind for the migration process. The outage interval can be minimized by pre-processing the data to remove unwanted data, and using parallel processing to migrate the data.

Option C: Disabling cross-region snapshots

Cross-region snapshots are a disaster recovery mechanism used to ensure the availability of the Redshift cluster in the event of a disaster. Enabling encryption for the Redshift cluster does not require disabling cross-region snapshots. The snapshots will continue to work, and the data will be encrypted at rest.

Option D: Ensure new encrypted EBS volumes are created for the cluster

Enabling encryption for a Redshift cluster requires creating a new cluster with encryption enabled. The new cluster will use encrypted EBS volumes for storing the data. The existing EBS volumes used by the current Redshift cluster cannot be encrypted. Therefore, new encrypted EBS volumes need to be created for the new encrypted Redshift cluster.

In conclusion, the considerations that need to be taken into account during the implementation of encryption for a Redshift cluster are:

  1. Ensuring an outage interval is kept in mind for the migration process.
  2. Creating new encrypted EBS volumes for the new encrypted Redshift cluster.