Ensure that your Amazon Redshift clusters are encrypted in order to meet security and compliance requirements. Encryption and decryption of Redshift cluster data is handled transparently by AWS and does not require any additional action from you or your application.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Cloud Conformity strongly recommends implementing encryption when dealing with Redshift clusters that contain sensitive data. Though encryption is an optional, immutable setting within AWS Redshift configuration, you should enable it in order to protect your data from unauthorized access and fulfill compliance requirements for data-at-rest encryption.
To determine your Amazon Redshift clusters encryption status, perform the following:
To encrypt an existing Redshift cluster you must unload its data to Amazon S3, then load that data into a new cluster created with the chosen encryption setting; creating the new cluster is also where you have the ability to choose the encryption key. There are two types of encryption keys: the default KMS key, which is managed by AWS, and the KMS Customer Managed Key (CMK), which is managed by the customer (you). The encryption key type used in this rule is the default KMS (AWS-managed) key. To set up the new Redshift cluster, enable encryption, and move your existing cluster data to it, perform the following:
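The audit step above (determining each cluster's encryption status) can be scripted against the JSON that `aws redshift describe-clusters --output json` returns. This is an added example, not Cloud Conformity's own check; the cluster names and the `Encrypted`/`KmsKeyId` values below are constructed sample data, and the check treats a missing `Encrypted` flag as non-compliant so it fails closed.

```python
import json

# Constructed sample in the shape of `aws redshift describe-clusters --output json`.
# Only the fields the check needs are included; the identifiers are not real.
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({
    "Clusters": [
        {"ClusterIdentifier": "analytics-prod", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"ClusterIdentifier": "reporting-dev", "Encrypted": False},
        {"ClusterIdentifier": "etl-staging", "Encrypted": True},
        {"ClusterIdentifier": "legacy-import"},  # flag absent: treat as unencrypted
    ]
})


def audit_redshift_encryption(describe_clusters_json):
    """Return (compliant, non_compliant) lists of cluster identifiers.

    A cluster passes only when its Encrypted flag is exactly true. Anything
    else (false, missing, or a non-boolean value) is reported as non-compliant,
    matching the rule's intent that every cluster holding data is encrypted.
    """
    clusters = json.loads(describe_clusters_json).get("Clusters", [])
    compliant, non_compliant = [], []
    for cluster in clusters:
        ident = cluster.get("ClusterIdentifier", "<unknown>")
        if cluster.get("Encrypted") is True:
            compliant.append(ident)
        else:
            non_compliant.append(ident)
    return compliant, non_compliant


def report(describe_clusters_json):
    """Print a one-line verdict per cluster; unencrypted clusters need the
    unload-to-S3 / create-encrypted-cluster / reload procedure described above."""
    compliant, non_compliant = audit_redshift_encryption(describe_clusters_json)
    for ident in compliant:
        print(f"PASS  {ident}: encrypted")
    for ident in non_compliant:
        print(f"FAIL  {ident}: not encrypted, migrate to an encrypted cluster")
    return len(non_compliant) == 0


if __name__ == "__main__":
    # Replace SAMPLE_DESCRIBE_CLUSTERS with the real CLI output to audit an account.
    report(SAMPLE_DESCRIBE_CLUSTERS)
```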