
Using Amazon KMS with the Amazon Redshift Data API

When you encrypt your Amazon Redshift cluster or Redshift Serverless workgroup with a customer managed key, the Amazon Redshift Data API uses that same customer managed key to store and encrypt your queries and results.

The Data API encrypts your data by default to protect sensitive information, such as query text and query results. It uses Amazon KMS encryption keys owned by Amazon for this protection.

Default encryption for data at rest reduces operational overhead and complexity when you protect sensitive data. This approach helps you build secure applications that meet strict encryption compliance and regulatory requirements.

Using grants in Amazon KMS

The Data API requires a grant to use your customer managed key.

When you call ExecuteStatement or BatchExecuteStatement against a cluster encrypted with a customer managed key, Amazon Redshift creates a grant on your behalf by sending a CreateGrant request to Amazon KMS. Amazon KMS uses grants to give the Data API access to a KMS key in your account.

The Data API requires the grant to use your customer managed key for the following operations:

  • Send Encrypt requests to Amazon KMS to encrypt query metadata with your customer managed key.

  • Send GenerateDataKey requests to Amazon KMS to generate data keys encrypted by your customer managed key.

  • Send Decrypt requests to Amazon KMS to decrypt the encrypted data keys so they can encrypt your data.

You can revoke access to the grant or remove Amazon Redshift access to your customer managed key at any time. If you do, the Data API can no longer access data encrypted by your customer managed key, which affects operations that depend on that data. For example, if you try to retrieve query results or track query status after revoking the grant, the Data API returns an AccessDeniedException.

Key policies for your customer managed key

Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify a key policy. For more information, see Customer managed keys in the Amazon Key Management Service Developer Guide.

To use your customer managed keys with the Data API, you must first allow access to Amazon Redshift. The following API operations must be permitted in the key policy:

  • kms:CreateGrant – Adds a grant to a customer managed key. Grants control access to a specified Amazon KMS key, which allows access to grant operations that Amazon Redshift requires. For more information, see Using grants in Amazon KMS.

The following is an example key policy:

```json
{
  "Statement": [
    {
      "Sid": "Allow access to principals authorized to use Amazon Redshift",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": [ "kms:DescribeKey", "kms:CreateGrant" ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "redshift.amazonaws.com",
          "kms:CallerAccount": "111122223333"
        }
      }
    },
    {
      "Sid": "AllowKeyAdministratorsAccess",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/ExampleAdminRole" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowKeyUseForExampleRole",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/ExampleUserRole" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

Data API encryption context

An encryption context is an optional set of key-value pairs that contains additional contextual information about the data. Amazon KMS uses the encryption context as additional authenticated data to support authenticated encryption. When you include an encryption context in a request to encrypt data, Amazon KMS binds the encryption context to the encrypted data. To decrypt the data, you must include the same encryption context in the request.

The Data API uses the same three encryption context key-value pairs in all Amazon KMS cryptographic operations for provisioned clusters:

  • aws:redshift:arn – The cluster's Amazon Resource Name (ARN)

  • aws:redshift:createtime – The timestamp when you requested cluster creation

  • serviceName – RedshiftDataAPI

```json
"EncryptionContextSubset": {
  "aws:redshift:arn": "arn:aws:redshift:us-east-1:123456789012:cluster:redshift-cluster",
  "aws:redshift:createtime": "20250815T0000Z",
  "serviceName": "RedshiftDataAPI"
}
```

The Data API uses two encryption context key-value pairs in all Amazon KMS cryptographic operations for serverless workgroups:

  • aws:redshift-serverless:arn – The namespace's Amazon Resource Name (ARN)

  • serviceName – RedshiftDataAPI

```json
"EncryptionContextSubset": {
  "aws:redshift-serverless:arn": "arn:aws:redshift-serverless:us-east-1:123456789012:namespace:12345678-1234-1234-1234-123456789012",
  "serviceName": "RedshiftDataAPI"
}
```
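The following is an added example, written for this page rather than taken from AWS or Amazon Redshift code. It models in pure Python how the three access checks described above fit together: the example key policy's `kms:ViaService` and `kms:CallerAccount` conditions, which let Redshift call `kms:CreateGrant` only when it acts on behalf of account 111122223333; the grant's `EncryptionContextSubset` constraint, which requires every listed pair (here the provisioned-cluster pairs) to be present in the encryption context of each cryptographic request; and the `AccessDeniedException` the Data API returns once the grant is revoked. The policy, account ID, role names and ARNs are the documentation's own placeholders; the `KmsRequest`, `key_policy_allows`, `grant_constraint_satisfied` and `data_api_decrypt` names and the plaintext-data-key label are assumptions of this example. Real Amazon KMS authorization also evaluates IAM policies, explicit Deny statements and the grant's allowed operations, which this model leaves out.

```python
"""Toy model of the key policy and grant checks on this page.

Added example, not AWS or Amazon Redshift code. It evaluates the page's example
key policy and the Data API's EncryptionContextSubset grant constraint in pure
Python; real KMS evaluation also considers IAM policies, explicit Deny
statements and the grant's permitted operations.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Optional, Union

# Key policy statements as shown in the example on this page (account ID and
# role names are the documentation's placeholders).
KEY_POLICY: List[dict] = [
    {"Sid": "Allow access to principals authorized to use Amazon Redshift",
     "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["kms:DescribeKey", "kms:CreateGrant"], "Resource": "*",
     "Condition": {"StringEquals": {"kms:ViaService": "redshift.amazonaws.com",
                                    "kms:CallerAccount": "111122223333"}}},
    {"Sid": "AllowKeyAdministratorsAccess", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleAdminRole"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowKeyUseForExampleRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleUserRole"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
]

# EncryptionContextSubset grant constraint for a provisioned cluster, as shown
# on this page (placeholder ARN and timestamp).
DATA_API_GRANT_CONSTRAINT: Dict[str, str] = {
    "aws:redshift:arn": "arn:aws:redshift:us-east-1:123456789012:cluster:redshift-cluster",
    "aws:redshift:createtime": "20250815T0000Z",
    "serviceName": "RedshiftDataAPI",
}


class AccessDeniedException(Exception):
    """Stands in for the AccessDeniedException the Data API returns."""


@dataclass
class KmsRequest:
    """Hypothetical request shape for this model (not a KMS API type)."""
    principal: str                                   # IAM ARN of the caller
    action: str                                      # e.g. "kms:CreateGrant"
    condition_keys: Dict[str, str] = field(default_factory=dict)  # kms:ViaService, kms:CallerAccount


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: dict, req: KmsRequest) -> bool:
    principals = _as_list(stmt["Principal"]["AWS"])
    if "*" not in principals and req.principal not in principals:
        return False
    # Action patterns such as "kms:GenerateDataKey*" use glob-style wildcards.
    if not any(fnmatch(req.action, pattern) for pattern in _as_list(stmt["Action"])):
        return False
    # StringEquals: every listed condition key must be present with that exact value.
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if req.condition_keys.get(key) != expected:
            return False
    return True


def key_policy_allows(req: KmsRequest, policy: List[dict] = KEY_POLICY) -> Optional[str]:
    """Return the Sid of the first Allow statement matching the request, or None."""
    for stmt in policy:
        if stmt["Effect"] == "Allow" and _statement_matches(stmt, req):
            return stmt["Sid"]
    return None


def grant_constraint_satisfied(encryption_context: Dict[str, str],
                               constraint: Dict[str, str] = DATA_API_GRANT_CONSTRAINT) -> bool:
    """EncryptionContextSubset: every pair in the constraint must appear in the
    request's encryption context; extra pairs in the request are allowed."""
    return all(encryption_context.get(k) == v for k, v in constraint.items())


def data_api_decrypt(grant_active: bool, encryption_context: Dict[str, str]) -> str:
    """Model the Data API using its grant for a Decrypt call.

    Returns a label standing in for the decrypted data key, or raises
    AccessDeniedException when the grant was revoked or the encryption context
    does not satisfy the grant constraint."""
    if not grant_active:
        raise AccessDeniedException("grant revoked: the Data API can no longer use the key")
    if not grant_constraint_satisfied(encryption_context):
        raise AccessDeniedException("encryption context does not satisfy the grant constraint")
    return "plaintext-data-key"


if __name__ == "__main__":
    via_redshift = {"kms:ViaService": "redshift.amazonaws.com",
                    "kms:CallerAccount": "111122223333"}
    user_role = "arn:aws:iam::111122223333:role/ExampleUserRole"
    print(key_policy_allows(KmsRequest(user_role, "kms:CreateGrant", via_redshift)))
    print(key_policy_allows(KmsRequest(user_role, "kms:CreateGrant")))  # not via Redshift
    print(data_api_decrypt(True, DATA_API_GRANT_CONSTRAINT))
    try:
        data_api_decrypt(False, DATA_API_GRANT_CONSTRAINT)
    except AccessDeniedException as exc:
        print("denied:", exc)
```

The direct `kms:CreateGrant` call by `ExampleUserRole` is denied because the first statement's `StringEquals` condition fails without the `kms:ViaService` and `kms:CallerAccount` keys and the role's own statement does not list `kms:CreateGrant`; only Redshift acting for account 111122223333 satisfies it, which is the least-privilege point of the example policy.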

For more information about encryption, see Introduction to the cryptographic details of Amazon KMS. For more information about the Amazon Redshift and Amazon KMS integration, see How Amazon Redshift uses Amazon KMS.