Encrypting Data in Redshift - Best Practices and Solutions

Encrypting Data in Redshift

Q: A company is using a Redshift cluster to store its data warehouse.There is a requirement from the Internal IT Security team to encrypt data in the Redshift database.How could this be achieved? (SELECT TWO)

Use AWS KMS Customer Default master key.Use hardware security module (HSM) to manage the top-level encryption keys .

Prev Question Next Question

Question

A company is using a Redshift cluster to store its data warehouse.

There is a requirement from the Internal IT Security team to encrypt data in the Redshift database.

How could this be achieved? (SELECT TWO)

Answers

A. Encrypt the EBS volumes of the underlying EC2 Instances.

B. Use AWS KMS Customer Default master key.

C. Use SSL/TLS for encrypting the data.

D. Use hardware security module (HSM) to manage the top-level encryption keys .

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer - B and D.

AWS documentation mentions the following:

Amazon Redshift uses a hierarchy of encryption keys to encrypt the database.

You can use either AWS Key Management Service (AWS KMS) or a hardware security module (HSM) to manage the top-level encryption keys in this hierarchy.

The process that Amazon Redshift uses for encryption differs depending on how you manage keys.

Option D is correct.

We can use the hardware security module (HSM) to manage the top-level encryption keys for key management with Amazon Redshift.

Reference:

https://aws.amazon.com/blogs/big-data/encrypt-your-amazon-redshift-loads-with-amazon-s3-and-aws-kms/ https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html

To encrypt data in a Redshift database, there are a few options available:

Encrypt the EBS volumes of the underlying EC2 instances: This is a valid option, but it only encrypts the data at rest, meaning that the data is only encrypted when it is not being actively accessed. This does not provide end-to-end encryption.
Use AWS KMS Customer Default master key: This option allows the user to create a master key using AWS KMS (Key Management Service), which is a fully managed service that makes it easy to create and control encryption keys. Using the Customer Default master key, the user can encrypt the data in the Redshift database, and this encryption can be managed by AWS KMS.
Use SSL/TLS for encrypting the data: This option is used for encrypting data in transit, meaning the data is encrypted when it is being transferred from one place to another. SSL/TLS is used to establish a secure connection between the client and the Redshift cluster, and this encryption can be used to encrypt data in transit.
Use hardware security module (HSM) to manage the top-level encryption keys: This option provides the highest level of security for encryption keys. HSM is a hardware device that is designed to securely store encryption keys. Using HSM, the user can manage the top-level encryption keys that are used to encrypt the data in the Redshift database.

Therefore, the correct options to achieve the encryption of data in the Redshift database are:

B. Use AWS KMS Customer Default master key, which encrypts the data at rest and allows for easy management of the encryption.

C. Use SSL/TLS for encrypting the data, which encrypts the data in transit and adds an additional layer of security.

Prev Question Next Question