Changing cluster encryption - Amazon Redshift

Changing cluster encryption

You can modify an unencrypted cluster to use Amazon Key Management Service (Amazon KMS) encryption, using either an Amazon-managed key or a customer managed key. When you modify your cluster to enable Amazon KMS encryption, Amazon Redshift automatically migrates your data to a new encrypted cluster. You can also migrate an unencrypted cluster to an encrypted cluster by modifying the cluster.

During the migration operation, your cluster is available in read-only mode, and the cluster status appears as resizing.

If your cluster is configured to enable cross-Amazon Region snapshot copy, you must disable it before changing encryption. For more information, see Copying a snapshot to another Amazon Region and Configuring cross-Region snapshot copy for an Amazon KMS–encrypted cluster. You can't enable hardware security module (HSM) encryption by modifying the cluster. Instead, create a new, HSM-encrypted cluster and migrate your data to the new cluster. For more information, see Migrating to an HSM-encrypted cluster.

Amazon Redshift console
  1. Sign in to the Amazon Web Services Management Console and open the Amazon Redshift console at https://console.amazonaws.cn/redshiftv2/.

  2. On the navigation menu, choose Clusters, then choose the cluster whose encryption you want to modify.

  3. Choose Properties.

  4. In the Database configurations section, choose Edit, then choose Edit encryption.

  5. Choose one of the encryption options and choose Save changes.

Amazon CLI

To modify your unencrypted cluster to use Amazon KMS, run the modify-cluster CLI command and specify --encrypted, as shown in the following command. By default, your default KMS key is used. To specify a customer managed key, include the --kms-key-id option.

aws redshift modify-cluster --cluster-identifier <value> --encrypted --kms-key-id <value>

To remove encryption from your cluster, run the following CLI command.

aws redshift modify-cluster --cluster-identifier <value> --no-encrypted
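
The following wrapper is an added example, not part of the Amazon documentation. It refuses to run modify-cluster --encrypted while cross-Region snapshot copy is still enabled, and reports the migration state afterward. It assumes the CLI's text output prints None for unset fields and True/False for Booleans; the cluster identifier and key are supplied by the caller.

```bash
# Added example: stop-and-check wrapper around `aws redshift modify-cluster --encrypted`.
# Assumes AWS CLI text output: unset fields print "None", booleans print "True"/"False".

# Print one field of the cluster description as plain text.
cluster_field() {
  aws redshift describe-clusters --cluster-identifier "$1" \
    --query "Clusters[0].$2" --output text
}

# Return 0 when encryption can be enabled; otherwise explain why and return non-zero.
preflight_encrypt() {
  local id="$1" encrypted copy_region
  encrypted=$(cluster_field "$id" Encrypted) || return 2
  copy_region=$(cluster_field "$id" ClusterSnapshotCopyStatus.DestinationRegion) || return 2
  case "$encrypted" in
    [Tt]rue) echo "$id is already encrypted; nothing to do" >&2; return 3 ;;
  esac
  if [ "$copy_region" != "None" ]; then
    echo "$id copies snapshots to $copy_region; disable cross-Region copy first" >&2
    return 4
  fi
  return 0
}

# Enable KMS encryption; $2 is an optional customer managed key for --kms-key-id.
encrypt_cluster() {
  local id="$1" key="${2:-}"
  preflight_encrypt "$id" || return $?
  if [ -n "$key" ]; then
    aws redshift modify-cluster --cluster-identifier "$id" --encrypted --kms-key-id "$key"
  else
    aws redshift modify-cluster --cluster-identifier "$id" --encrypted
  fi
}

# Report where the migration stands, using the "resizing" status described above.
migration_state() {
  local status encrypted
  status=$(cluster_field "$1" ClusterStatus) || return 2
  encrypted=$(cluster_field "$1" Encrypted) || return 2
  case "$status:$encrypted" in
    resizing:*)        echo "migrating (read-only)" ;;
    available:[Tt]rue) echo "encrypted" ;;
    available:*)       echo "unencrypted" ;;
    *)                 echo "$status" ;;
  esac
}
```

Source the file and call encrypt_cluster with the cluster identifier and, optionally, a customer managed key; poll migration_state until it prints encrypted.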