Encryption in transit - Amazon Redshift

Encryption in transit

You can configure your environment to protect the confidentiality and integrity of data in transit.

Encryption of data in transit between an Amazon Redshift cluster and SQL clients over JDBC/ODBC:

  • You can connect to Amazon Redshift clusters from SQL client tools over Java Database Connectivity (JDBC) and Open Database Connectivity (ODBC) connections.

  • Amazon Redshift supports Secure Sockets Layer (SSL) connections to encrypt data in transit, and server certificates so that the client can validate the identity of the server it connects to. The client connects to the leader node of an Amazon Redshift cluster. For more information, see Configuring security options for connections.

  • To support SSL connections, Amazon Redshift creates and installs Amazon Certificate Manager (ACM) issued certificates on each cluster. For more information, see Transitioning to ACM certificates for SSL connections.

Encryption of data in transit between an Amazon Redshift cluster and Amazon S3 or DynamoDB:

  • To protect your data in transit within the Amazon Cloud, Amazon Redshift uses hardware-accelerated SSL to communicate with Amazon S3 or DynamoDB for COPY, UNLOAD, backup, and restore operations.

  • Redshift Spectrum supports Amazon S3 server-side encryption (SSE) using your account's default key managed by the Amazon Key Management Service (KMS).

  • Encrypt Amazon Redshift loads with Amazon S3 and Amazon KMS. For more information, see Encrypt Your Amazon Redshift Loads with Amazon S3 and Amazon KMS.

Encryption and signing of data in transit between Amazon CLI, SDK, or API clients and Amazon Redshift endpoints:

  • Amazon Redshift provides HTTPS endpoints for encrypting data in transit.

  • To protect the integrity of API requests to Amazon Redshift, API calls must be signed by the caller. Calls are signed by an X.509 certificate or the customer's Amazon secret access key according to the Signature Version 4 Signing Process (Sigv4). For more information, see Signature Version 4 Signing Process in the Amazon Web Services General Reference.

  • Use the Amazon CLI or one of the Amazon SDKs to make requests to Amazon. These tools automatically sign the requests for you with the access key that you specify when you configure the tools.
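The following is an added example, not code from the Amazon documentation, that shows what the Signature Version 4 process computes for a Redshift API call: the canonical request, the string to sign, the derived signing key, and the resulting Authorization header. It uses only the Python standard library; the credentials, timestamp, endpoint host and the form-encoded DescribeClusters request body are constructed placeholders.

```python
# Added example: build a SigV4 Authorization header for a Redshift Query API POST
# using only the standard library. All inputs below are constructed placeholders.
import hashlib
import hmac


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(access_key, secret_key, region, host, body, amz_date):
    """Return the headers for a signed POST to https://<host>/ (Redshift API)."""
    service = "redshift"
    date_stamp = amz_date[:8]  # YYYYMMDD portion of the ISO8601 timestamp
    payload_hash = hashlib.sha256(body.encode()).hexdigest()
    headers = {  # lowercase names; all of them are included in the signature
        "content-type": "application/x-www-form-urlencoded",
        "host": host,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    # Method, URI, empty query string (body carries the parameters), headers, payload hash
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: kSecret -> kDate -> kRegion -> kService -> kSigning.
    # The secret itself never leaves the client; only the HMAC result is sent.
    k = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, service)
    k = _hmac(k, "aws4_request")
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


if __name__ == "__main__":
    # Constructed example request: DescribeClusters against a placeholder endpoint.
    for name, value in sigv4_headers(
            "AKIAEXAMPLEKEY", "EXAMPLESECRETKEY", "us-east-1",
            "redshift.us-east-1.amazonaws.com",
            "Action=DescribeClusters&Version=2012-12-01", "20240101T000000Z").items():
        print(f"{name}: {value}")
```

Because the body hash and the date are part of the signed material, any change to the request parameters or a replay outside the signature's validity window produces a mismatch that the endpoint rejects.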

Encryption of data in transit between Amazon Redshift clusters and Amazon Redshift query editor v2:

  • Data is transmitted between query editor v2 and Amazon Redshift clusters over a TLS-encrypted channel.