Changing cluster encryption
You can modify an unencrypted cluster to use Amazon Key Management Service (Amazon KMS) encryption, using
either an Amazon-managed key or a customer managed key. When you modify your cluster to enable
Amazon KMS encryption, Amazon Redshift automatically migrates your data to a new encrypted cluster. You
can also migrate an unencrypted cluster to an encrypted cluster by modifying the
cluster.
During the migration operation, your cluster is available in read-only mode, and the
cluster status appears as resizing.
If your cluster is configured to enable cross-Amazon Region snapshot copy, you must
disable it before changing encryption. For more information, see Copying a snapshot
to another Amazon Region and Configuring cross-Region snapshot copy for an
Amazon KMS–encrypted cluster. You can't enable hardware security module (HSM)
encryption by modifying the cluster. Instead, create a new, HSM-encrypted cluster
and migrate your data to the new cluster. For more information, see Migrating to an
HSM-encrypted cluster.
- Amazon Redshift console
  - Sign in to the Amazon Web Services Management Console and open the Amazon Redshift console at
    https://console.amazonaws.cn/redshiftv2/.
  - On the navigation menu, choose Clusters, then choose the cluster whose encryption
    you want to modify.
  - Choose Properties.
  - In the Database configurations section, choose Edit, then choose Edit encryption.
  - Choose one of the encryption options and choose Save changes.
- Amazon CLI
  To modify your unencrypted cluster to use Amazon KMS, run the modify-cluster CLI
  command and specify --encrypted, as shown in the following example. By default,
  your default KMS key is used. To specify a customer managed key, include the
  --kms-key-id option.

    aws redshift modify-cluster --cluster-identifier <value> --encrypted --kms-key-id <value>

  To remove encryption from your cluster, run the following CLI command.

    aws redshift modify-cluster --cluster-identifier <value> --no-encrypted
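
The following script is an added example, not part of the Amazon Web Services documentation. It applies the cross-Region snapshot copy prerequisite described above before running the modify-cluster command with --encrypted. The function names and the cluster and key values passed to them are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before enabling KMS encryption on a cluster.
# Usage (values are supplied by the caller): sh encrypt.sh <cluster-id> [kms-key-id]

# Print the cross-Region snapshot copy destination, or "None" when copy is disabled.
snapshot_copy_region() {
  aws redshift describe-clusters --cluster-identifier "$1" \
    --query 'Clusters[0].ClusterSnapshotCopyStatus.DestinationRegion' --output text
}

# Print "True" or "False" for the cluster's current encryption state.
is_encrypted() {
  aws redshift describe-clusters --cluster-identifier "$1" \
    --query 'Clusters[0].Encrypted' --output text
}

# Disable snapshot copy if needed, then request the encryption change.
encrypt_cluster() {
  cluster="$1"
  kms_key="${2:-}"

  # Nothing to do if the cluster is already encrypted.
  if [ "$(is_encrypted "$cluster")" = "True" ]; then
    echo "already-encrypted"
    return 0
  fi

  # Cross-Region snapshot copy must be off before encryption can be changed.
  region="$(snapshot_copy_region "$cluster")"
  if [ -n "$region" ] && [ "$region" != "None" ]; then
    aws redshift disable-snapshot-copy --cluster-identifier "$cluster" >/dev/null
    echo "disabled-snapshot-copy:$region"
  fi

  # Without --kms-key-id the default KMS key is used.
  if [ -n "$kms_key" ]; then
    aws redshift modify-cluster --cluster-identifier "$cluster" \
      --encrypted --kms-key-id "$kms_key" >/dev/null
  else
    aws redshift modify-cluster --cluster-identifier "$cluster" --encrypted >/dev/null
  fi
  echo "migration-started"
}

# Run only when a cluster identifier is passed on the command line.
if [ $# -ge 1 ]; then encrypt_cluster "$@"; fi
```

After the migration completes, re-enable cross-Region snapshot copy if it was disabled; the script reports the previous destination Region for that purpose.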