Encrypting Data at Rest in AWS Redshift: Best Practices

Ensure Data Security with Encrypted Data at Rest in AWS Redshift


Question

Your company has an existing Redshift cluster.

The sales team currently stores historical data in the cluster.

There is now a requirement to ensure that all data is encrypted at rest.

What do you need to do on your end (as of October 2018)?

Answers

Explanations


Answer - A.

The AWS Documentation mentions the following.

In Amazon Redshift, you can enable database encryption for your clusters to help protect data at rest.

When you enable encryption for a cluster, the data blocks and system metadata are encrypted for the cluster and its snapshots.

Encryption is an optional, immutable setting of a cluster.

If you want encryption, you enable it during the cluster launch process.

As of October 2018, you can enable encryption on an unencrypted cluster.

AWS will handle migrating the data over to a new, encrypted cluster behind the scenes.

Option A is CORRECT because you can now enable encryption for an existing Redshift cluster.

Please refer to the link below:

https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html

Option B is invalid since the encryption needs to be enabled at the cluster level.

Option C is invalid since SSL certificates are used for the encryption of data in transit.

Option D is incorrect because you can now enable encryption for an existing Redshift cluster, so creating a new Redshift cluster to enable encryption is unnecessary.

The correct answer to ensure that all data is encrypted at rest in an existing Redshift cluster as of October 2018 is:

A. Enable the encryption feature for the cluster.

Explanation:

Redshift is a data warehouse service provided by Amazon Web Services (AWS). It is used to store and analyze large amounts of data in a highly scalable and cost-effective manner. Data security is crucial when working with sensitive information such as financial data, personally identifiable information (PII), and intellectual property.

AWS provides encryption options to secure data in transit and at rest. In this case, the requirement is to encrypt data at rest. AWS Redshift provides a feature to encrypt data at rest called "Encryption at Rest."

By enabling this feature, all data stored in the Redshift cluster will be encrypted with the AES-256 encryption algorithm, including backups and snapshots. The encryption key used for this feature is managed by AWS Key Management Service (KMS), and it is automatically rotated on a regular basis.

Therefore, to fulfill the requirement of ensuring that all data is encrypted at rest in an existing Redshift cluster, you need to enable the encryption feature for the cluster. Options B and C are not applicable in this case as they relate to different types of encryption (encryption for EBS volumes and SSL encryption respectively) and are not the appropriate solution for this requirement. Option D is also not necessary, as creating a new cluster is not required to enable encryption at rest in an existing cluster.
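As an added example (not part of the original question or of the AWS documentation), a small audit helper that reads the JSON returned by `aws redshift describe-clusters`, lists clusters whose `Encrypted` flag is false, and builds the `aws redshift modify-cluster --encrypted` call that enables encryption on the existing cluster. The sample JSON is constructed; the cluster identifiers and the KMS key ARN are placeholders.

```python
import json

# Constructed sample of `aws redshift describe-clusters` output (placeholder clusters).
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({
    "Clusters": [
        {"ClusterIdentifier": "sales-history", "ClusterStatus": "available",
         "Encrypted": False},
        {"ClusterIdentifier": "finance-dw", "ClusterStatus": "available",
         "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"ClusterIdentifier": "staging", "ClusterStatus": "resizing",
         "Encrypted": False},
    ]
})


def find_unencrypted(describe_output: str) -> list:
    """Return identifiers of clusters whose data at rest is not encrypted."""
    clusters = json.loads(describe_output).get("Clusters", [])
    return [c["ClusterIdentifier"] for c in clusters if not c.get("Encrypted", False)]


def remediation_command(cluster_id: str, kms_key_id: str = "") -> str:
    """Build the modify-cluster call that turns on encryption for an existing cluster.
    Without --kms-key-id Redshift falls back to the AWS-managed Redshift key; with it,
    the given customer-managed KMS key is used. The identifier stays the same while
    Redshift migrates the data to the encrypted cluster behind the scenes."""
    cmd = f"aws redshift modify-cluster --cluster-identifier {cluster_id} --encrypted"
    if kms_key_id:
        cmd += f" --kms-key-id {kms_key_id}"
    return cmd


def audit(describe_output: str) -> dict:
    """Map each unencrypted cluster in the 'available' state to its remediation command.
    Clusters in another state (e.g. resizing) are skipped here and should be re-checked,
    since ModifyCluster is only accepted on an available cluster."""
    clusters = json.loads(describe_output).get("Clusters", [])
    return {
        c["ClusterIdentifier"]: remediation_command(c["ClusterIdentifier"])
        for c in clusters
        if not c.get("Encrypted", False) and c.get("ClusterStatus") == "available"
    }


if __name__ == "__main__":
    for cid, cmd in audit(SAMPLE_DESCRIBE_CLUSTERS).items():
        print(f"{cid}: {cmd}")
```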