Managing Keys with KMS and Redshift Cluster

Answer: A.

Option A is CORRECT because it provides a current scenario of how AWS KMS works with Redshift.

Option B is incorrect because the master key encrypts the cluster key and not the database key.

Option C is incorrect because the master key encrypts the cluster key, not the data encryption keys.

Option D is incorrect because the master key encrypts the cluster key only.

For more information on how Amazon Redshift uses AWS KMS, kindly refer to the following URL:

When using Amazon Redshift with the AWS Key Management Service (KMS), Redshift encrypts data using a hierarchy of keys. The correct sequence of how KMS manages the keys when used with Redshift is as follows:

B. The master keys encrypt the database key. The database key encrypts the data encryption keys.

Here's a detailed explanation of each component:

1. Master Key: A customer master key (CMK) is a KMS-managed key that encrypts and decrypts the data encryption keys. A Redshift cluster can use multiple CMKs.

2. Database Key: A database encryption key (DEK) is a key generated by Redshift that is used to encrypt a specific database in a cluster. A DEK is encrypted using a CMK before being stored in the system catalog.

3. Data Encryption Key: A data encryption key (DEK) is a key used to encrypt the actual data in a Redshift database. A DEK is generated by Redshift when a table is created or when a column is added to an existing table. The DEK is encrypted using the DEK's corresponding database key (DEK-DB), which is in turn encrypted using the cluster's CMK.

Therefore, in the correct sequence, the master keys encrypt the database key. The database key encrypts the data encryption keys. This sequence ensures that the data is encrypted in a hierarchical fashion, with the highest level of security provided by the master keys, followed by the database key, and finally the data encryption keys.