Securing Data at Rest in Amazon Redshift - Best Practices

Encrypting Data at Rest in Amazon Redshift

Question

A company is using a Redshift cluster as its data warehouse solution.

There is a requirement from the Internal IT Security team to ensure that data gets encrypted at rest for the Redshift database.

How can this be achieved?

Explanations


Answer: B.

Option A is incorrect because the requirement asks for encrypting the Redshift database cluster itself, not the EBS volumes of the underlying EC2 instances.

Option B is CORRECT because Amazon Redshift uses a hierarchy of encryption keys to encrypt the database.

You can use either AWS Key Management Service (AWS KMS) or a hardware security module (HSM) to manage the top-level encryption keys in this hierarchy.

Option C is incorrect because using SSL/TLS will encrypt the objects in transit but not objects at rest.

Option D is incorrect because S3 encryption is used only for objects in S3 buckets.

For more information on Redshift encryption, kindly refer to the following URL:

https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html

The correct answer for this question is B - Encrypt the Redshift cluster using AWS KMS Customer Master Key.

Explanation: Redshift is a fully managed data warehouse service in AWS that enables users to analyze large datasets using SQL and BI tools. By default, data in Redshift is encrypted in transit using SSL/TLS, but it is not encrypted at rest. AWS provides multiple ways to encrypt data at rest in Redshift, and the recommended method is to use AWS Key Management Service (KMS).

KMS is a fully managed service that allows users to create and control the encryption keys used to encrypt their data. Users can create Customer Master Keys (CMKs) in KMS or use the default CMKs provided by AWS. These CMKs can be used to encrypt data in multiple AWS services, including Redshift.

To encrypt data at rest in Redshift using KMS, users can follow these steps:

  1. Create a CMK in KMS or use the default CMK provided by AWS.
  2. Enable encryption at rest for the Redshift cluster by selecting the KMS key to use for encryption.
  3. Redshift then uses this KMS key to encrypt all data at rest, including backups and snapshots.
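As an added example (not part of the original page), the following Python checks the outcome of the procedure above: it parses the JSON returned by `aws redshift describe-clusters` (or boto3 `describe_clusters()`) and flags clusters that are not encrypted at rest or not encrypted with a KMS key, and it builds the `Encrypted`/`KmsKeyId` parameters used when creating a cluster with boto3. The sample response, cluster names and key ARN are constructed placeholders.

```python
"""Audit Amazon Redshift clusters for encryption at rest with AWS KMS.

Added example, not from the original page. Parses the response shape of
`aws redshift describe-clusters` / boto3 `describe_clusters()`. The sample
data below is constructed; cluster names and the key ARN are placeholders.
"""
import json

# Constructed sample of a describe-clusters response covering three cases:
# KMS-encrypted, unencrypted, and encrypted without a KMS key (e.g. HSM).
SAMPLE_RESPONSE = json.dumps({
    "Clusters": [
        {"ClusterIdentifier": "dw-prod", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"ClusterIdentifier": "dw-legacy", "Encrypted": False},
        {"ClusterIdentifier": "dw-hsm", "Encrypted": True},
    ]
})


def audit_redshift_encryption(describe_clusters_json: str) -> list:
    """Return one finding per cluster that is not KMS-encrypted at rest."""
    findings = []
    for cluster in json.loads(describe_clusters_json).get("Clusters", []):
        name = cluster["ClusterIdentifier"]
        if not cluster.get("Encrypted", False):
            # Storage, backups and snapshots of this cluster are in plaintext.
            findings.append({"cluster": name, "severity": "HIGH",
                             "issue": "cluster is not encrypted at rest"})
        elif not cluster.get("KmsKeyId"):
            # Encrypted, but the top-level key is not managed in AWS KMS.
            findings.append({"cluster": name, "severity": "INFO",
                             "issue": "encrypted, but not with an AWS KMS key"})
    return findings


def encrypted_cluster_params(cluster_id: str, kms_key_id: str, **extra) -> dict:
    """Parameters for boto3 redshift.create_cluster() that turn on KMS
    encryption at creation time (step 2 of the procedure above)."""
    return {"ClusterIdentifier": cluster_id, "Encrypted": True,
            "KmsKeyId": kms_key_id, **extra}


if __name__ == "__main__":
    for finding in audit_redshift_encryption(SAMPLE_RESPONSE):
        print(f"[{finding['severity']}] {finding['cluster']}: {finding['issue']}")
```

In a real account, feed the function the output of `aws redshift describe-clusters` instead of the constructed sample.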

Note that encrypting the EBS volumes of the underlying EC2 instances (option A) or using S3 encryption (option D) does not directly encrypt data in Redshift. Encrypting EBS volumes only protects the underlying infrastructure and not the data stored in Redshift, while S3 encryption applies to objects stored in S3, not to Redshift.

Using SSL/TLS (option C) encrypts data in transit but does not encrypt data at rest in Redshift.

Therefore, the correct answer is option B - Encrypt the Redshift cluster using AWS KMS Customer Master Key.