Ensure that your Redshift clusters are using KMS CMK customer-managed keys instead of AWS managed-keys (default keys used by the Redshift service when there are no customer keys defined) in order to have more granular control over your data-at-rest encryption/decryption process.
When you define and use your own KMS CMK customer-managed keys to protect the Amazon Redshift data, you gain full control over who can use these keys to access the clusters data (including the system metadata and any automated and manual snapshots). The AWS KMS service allows you to create, rotate, disable and audit CMK encryption keys for your clusters.
To determine your Amazon Redshift clusters encryption status and configuration, perform the following:
To encrypt an existing Redshift cluster with KMS CMK customer-managed keys you must unload the data from it to an AWS S3 bucket then load this data in a new cluster with the chosen encryption configuration set. To set up the new Redshift cluster, enable encryption using KMS CMKs, and move your existing cluster data to it, perform the following: