Key management - Amazon Redshift
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Key management

You can configure your environment to protect data with keys:

  • Amazon Redshift automatically integrates with Amazon Key Management Service (Amazon KMS) for key management. Amazon KMS uses envelope encryption. For more information, see Envelope Encryption.

  • When encryption keys are managed in Amazon KMS, Amazon Redshift uses a four-tier, key-based architecture for encryption. The architecture consists of randomly generated AES-256 data encryption keys, a database key, a cluster key, and a root key. For more information, see How Amazon Redshift Uses Amazon KMS.

  • You can create your own customer managed key in Amazon KMS. For more information, see Creating Keys.

  • You can also import your own key material for new Amazon KMS keys. For more information, see Importing Key Material in Amazon Key Management Service (Amazon KMS).

  • Amazon Redshift supports management of encryption keys in external hardware security modules (HSMs). The HSM can be on-premises or can be Amazon CloudHSM. When you use an HSM, you must use client and server certificates to configure a trusted connection between Amazon Redshift and your HSM. Amazon Redshift supports only Amazon CloudHSM Classic for key management. For more information, see Encryption using hardware security modules. For information about Amazon CloudHSM, see What is Amazon CloudHSM?

  • You can rotate encryption keys for encrypted clusters. For more information, see Encryption key rotation.
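The envelope encryption and four-tier key hierarchy described above (random AES-256 data keys, a database key, a cluster key and a root key) can be illustrated with a small stand-alone Python model. This is an added example, not Amazon Redshift's or Amazon KMS's own code: the `KeyHierarchy` class, the `seal`/`unseal` helpers and an HMAC-SHA256 counter-mode cipher standing in for AES-256 (the standard library has no AES) are all assumptions made for the illustration. In this model, rotating the cluster and database keys re-wraps only the small wrapped keys, and the encrypted data blocks are left untouched.

```python
"""Added illustration of a four-tier envelope-encryption key hierarchy
(data keys -> database key -> cluster key -> root key).  Standard library
only; NOT Amazon Redshift's implementation.  HMAC-SHA256 in counter mode
stands in for AES-256 because the standard library provides no AES."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate one key into an encryption key and a MAC key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from a PRF; stand-in for an AES-256 block cipher.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob raises ValueError."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class KeyHierarchy:
    """Root key wraps the cluster key; the cluster key wraps the database key;
    the database key wraps one fresh random data key per encrypted block."""

    def __init__(self) -> None:
        # Stands in for the KMS root key; in the real service it never leaves KMS.
        self.root_key = secrets.token_bytes(KEY_LEN)
        cluster_key = secrets.token_bytes(KEY_LEN)
        database_key = secrets.token_bytes(KEY_LEN)
        self.wrapped_cluster_key = seal(self.root_key, cluster_key)
        self.wrapped_database_key = seal(cluster_key, database_key)
        self.blocks: list[tuple[bytes, bytes]] = []  # (wrapped data key, ciphertext)

    def _database_key(self) -> bytes:
        # Unwrap down the chain: root -> cluster -> database.
        cluster_key = unseal(self.root_key, self.wrapped_cluster_key)
        return unseal(cluster_key, self.wrapped_database_key)

    def encrypt_block(self, plaintext: bytes) -> int:
        data_key = secrets.token_bytes(KEY_LEN)  # fresh random data key per block
        self.blocks.append((seal(self._database_key(), data_key), seal(data_key, plaintext)))
        return len(self.blocks) - 1

    def decrypt_block(self, index: int) -> bytes:
        wrapped_data_key, ciphertext = self.blocks[index]
        return unseal(unseal(self._database_key(), wrapped_data_key), ciphertext)

    def rotate(self) -> None:
        """Replace the cluster and database keys and re-wrap every data key.
        Block ciphertexts are untouched: only the small wrapped keys are rewritten."""
        old_database_key = self._database_key()
        new_cluster_key = secrets.token_bytes(KEY_LEN)
        new_database_key = secrets.token_bytes(KEY_LEN)
        self.blocks = [
            (seal(new_database_key, unseal(old_database_key, wrapped)), ciphertext)
            for wrapped, ciphertext in self.blocks
        ]
        self.wrapped_database_key = seal(new_cluster_key, new_database_key)
        self.wrapped_cluster_key = seal(self.root_key, new_cluster_key)


def demo() -> bool:
    """Round trip across a rotation, plus a wrong-key unwrap that must fail."""
    row = b"constructed sample row: customer_id=42"  # constructed test data
    h = KeyHierarchy()
    i = h.encrypt_block(row)
    ciphertext_before = h.blocks[i][1]
    h.rotate()
    survived = h.decrypt_block(i) == row and h.blocks[i][1] == ciphertext_before
    try:
        unseal(b"\x00" * KEY_LEN, h.wrapped_cluster_key)  # wrong root key
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return survived and wrong_key_rejected


if __name__ == "__main__":
    print("hierarchy round trip and rotation OK:", demo())
```

The part worth noticing is `rotate()`: because every block is encrypted under its own data key, and only the wrapped data keys are encrypted under the database key, changing the cluster and database keys costs one small re-wrap per block rather than a full re-encryption of the stored data.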