Encryption at rest - Amazon Redshift

Encryption at rest

Server-side encryption is about data encryption at rest—that is, Amazon Redshift optionally encrypts your data as it writes it in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted data.

Amazon Redshift protects data at rest through encryption. Optionally, you can protect all data stored on disks within a cluster, and all backups in Amazon S3, with the Advanced Encryption Standard (AES-256).

To manage the keys used for encrypting and decrypting your Amazon Redshift resources, you use Amazon Key Management Service (Amazon KMS). Amazon KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud. Using Amazon KMS, you can create encryption keys and define the policies that control how these keys can be used. Amazon KMS supports Amazon CloudTrail, so you can audit key usage to verify that keys are being used appropriately. You can use your Amazon KMS keys in combination with Amazon Redshift and other supported Amazon services. For a list of services that support Amazon KMS, see How Amazon Services Use Amazon KMS in the Amazon Key Management Service Developer Guide.

If you choose to manage your provisioned cluster or serverless namespace's admin password using Amazon Secrets Manager, Amazon Redshift also accepts an additional Amazon KMS key that Amazon Secrets Manager uses to encrypt your credentials. This additional key can be an automatically generated key from Amazon Secrets Manager, or a custom key that you provide.
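The two checks a practitioner would want from the preceding paragraphs are (1) which clusters are actually encrypted, and with which KMS key, and (2) who has been using that key, as recorded by CloudTrail. The following Python is an added example, not code from the Amazon Redshift documentation. It operates on dictionaries shaped like the boto3 `describe_clusters()` response and like CloudTrail's KMS event records, so it runs offline against constructed sample data; in practice you would pass the live API response and CloudTrail events instead. The key ARNs, account ID, cluster names and principal ARNs are constructed; the field names `Encrypted`/`KmsKeyId` and `eventSource`/`eventName`/`userIdentity`/`resources` follow the Redshift API and CloudTrail record formats respectively.

```python
"""Offline audit of Redshift encryption-at-rest settings and KMS key usage.

Added example (not from the Redshift documentation). Works over dictionaries
shaped like the boto3 responses so it runs without AWS access; in practice
pass boto3.client("redshift").describe_clusters() and CloudTrail KMS events.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set

# --- Constructed sample data: account, keys and names are made up ----------
PROD_KEY = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
OTHER_KEY = "arn:aws:kms:us-east-1:111122223333:key/99999999-8888-7777-6666-555555555555"
APPROVED_KEYS: Set[str] = {PROD_KEY}

# Shaped like a describe_clusters() response; only the fields we inspect.
SAMPLE_CLUSTERS: Dict = {
    "Clusters": [
        {"ClusterIdentifier": "analytics-prod", "Encrypted": True, "KmsKeyId": PROD_KEY},
        {"ClusterIdentifier": "legacy-reports", "Encrypted": False},
        {"ClusterIdentifier": "staging", "Encrypted": True, "KmsKeyId": OTHER_KEY},
    ]
}

# Records modelled on CloudTrail's KMS event shape; values are constructed.
SAMPLE_KMS_EVENTS: List[Dict] = [
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"type": "AWSService", "invokedBy": "redshift.amazonaws.com"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": PROD_KEY}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AWSService", "invokedBy": "redshift.amazonaws.com"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": PROD_KEY}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": PROD_KEY}]},
    # Not a KMS event at all; must be ignored by the summary.
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/x"}]},
]


def check_cluster_encryption(response: Dict, approved_keys: Set[str]) -> List[str]:
    """Return one finding per cluster that is unencrypted, reports no KMS key,
    or is encrypted with a key outside the approved set."""
    findings: List[str] = []
    for cluster in response.get("Clusters", []):
        name = cluster["ClusterIdentifier"]
        if not cluster.get("Encrypted", False):
            findings.append(f"{name}: not encrypted at rest")
            continue
        key = cluster.get("KmsKeyId")
        if key is None:
            findings.append(f"{name}: encrypted, but no KMS key ID reported")
        elif key not in approved_keys:
            findings.append(f"{name}: uses unapproved KMS key {key}")
    return findings


def principal_of(event: Dict) -> str:
    """Name the caller: the invoking service for service calls, else the IAM ARN."""
    ident = event.get("userIdentity", {})
    return ident.get("invokedBy") or ident.get("arn") or ident.get("type", "unknown")


def summarize_key_usage(events: Iterable[Dict], key_arn: str) -> Dict[str, Counter]:
    """Map each principal that used key_arn to a count of KMS API calls by name."""
    usage: Dict[str, Counter] = {}
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if not any(r.get("ARN") == key_arn for r in ev.get("resources", [])):
            continue
        usage.setdefault(principal_of(ev), Counter())[ev["eventName"]] += 1
    return usage


def unexpected_principals(usage: Dict[str, Counter], expected: Set[str]) -> List[str]:
    """Principals that used the key but are not in the expected set."""
    return sorted(p for p in usage if p not in expected)


if __name__ == "__main__":
    for finding in check_cluster_encryption(SAMPLE_CLUSTERS, APPROVED_KEYS):
        print("FINDING:", finding)
    usage = summarize_key_usage(SAMPLE_KMS_EVENTS, PROD_KEY)
    for principal, calls in usage.items():
        print(principal, dict(calls))
    print("unexpected:", unexpected_principals(usage, {"redshift.amazonaws.com"}))
```

The cluster check treats "encrypted with some key" as insufficient on its own: the finding list only clears a cluster whose key is in your approved set, which is the property a key policy review actually needs. The usage summary keys on the KMS key ARN in the event's `resources` list rather than on the caller, so a principal that is not Redshift showing up against the cluster's key is surfaced even when each individual call succeeded.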

Amazon Redshift query editor v2 securely stores information entered into the query editor as follows:

  • The Amazon Resource Name (ARN) of the KMS key used to encrypt query editor v2 data.

  • Database connection information.

  • Names and content of files and folders.

Amazon Redshift query editor v2 encrypts this information using block-level encryption with either your KMS key or the service account's KMS key. Encryption of the data inside your Amazon Redshift cluster itself is separate, and is controlled by the cluster's encryption properties.