0
votes

I am trying to enable SSE with a Customer-Managed CMK in my production Redshift cluster to follow certain security protocols.

For POC purposes, I spun up a 1 Node dc2.large Redshift cluster and following this doc, I was able to enable SSE.

However, my question is, does enabling SSE encrypt the existing data in the cluster? If not, what steps should be taken?

Overall what are the downsides, if any, of enabling encryption at rest in a production Redshift cluster and what are the best practices?

1
what are the downsides, if any, of enabling encryption at rest - AWS claims there is no performance penalty (or an insignificant one); you have to make sure any other services or identities accessing the storage have the permissions they need for the CMK. - gusto2
Thanks @gusto2. Suppose I have a script in Python that runs on a daily schedule and uses a db user to connect to the cluster. What kind of access / permission will this db user need? - riyaB
I don't think that the common clients will need any special privileges. It's the activities managing the cluster that will need permission to kms:Encrypt, kms:Decrypt and kms:GenerateDataKey; see docs.aws.amazon.com/redshift/latest/mgmt/… - gusto2

1 Answer

0
votes

There is no need to change anything in your code or existing pipelines/process. This is disk encryption. It's nothing to do with your database connections or code.

To know more about the process, read these links.

  1. https://aws.amazon.com/about-aws/whats-new/2018/10/encrypt-amazon-redshift-1-click/
  2. https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html
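As an added example (not code from the question, the answer or AWS), the script below shows the management-side steps the linked docs and the comments describe: inspect an existing cluster with DescribeClusters, decide whether it is unencrypted, encrypted with the wrong key, or not yet in a state where ModifyCluster can run, and then issue ModifyCluster with Encrypted=True and the CMK ARN. Enabling encryption on an existing cluster migrates it to an encrypted copy, which is what re-encrypts the data already on disk. The decision logic is kept separate from the AWS calls so it can be run offline against a constructed DescribeClusters response; the cluster identifier, account ID, key ARN and the FakeRedshiftClient stand-in are assumptions for illustration, and the IAM policy builder lists only the three KMS actions named in the comments above.

```python
"""Added example: plan and apply SSE with a customer-managed KMS key on an
existing Redshift cluster. Names, ARNs and the sample response are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class EncryptionPlan:
    cluster_id: str
    action: str   # one of "noop", "enable", "rotate_key", "wait"
    reason: str


def plan_encryption(cluster: dict, desired_key_arn: str) -> EncryptionPlan:
    """Inspect one entry of DescribeClusters.Clusters and decide what to do.

    Only the keys used here are read, so a minimal dict is enough for testing."""
    cluster_id = cluster["ClusterIdentifier"]
    status = cluster.get("ClusterStatus", "")
    if status != "available":
        # ModifyCluster is rejected while the cluster is still changing state.
        return EncryptionPlan(cluster_id, "wait",
                              f"cluster status is {status!r}; retry when 'available'")
    if not cluster.get("Encrypted", False):
        return EncryptionPlan(cluster_id, "enable",
                              "cluster is unencrypted; ModifyCluster migrates it to an encrypted copy")
    current_key = cluster.get("KmsKeyId")
    if current_key != desired_key_arn:
        # Encrypted, but not with the CMK the security protocol requires.
        return EncryptionPlan(cluster_id, "rotate_key",
                              f"encrypted with {current_key!r}, not the required CMK")
    return EncryptionPlan(cluster_id, "noop", "already encrypted with the required CMK")


def plan_for_cluster(cluster_id: str, desired_key_arn: str, redshift_client) -> EncryptionPlan:
    """Fetch the cluster description through any object exposing describe_clusters
    (a real boto3 client or the offline stand-in below) and plan from it."""
    resp = redshift_client.describe_clusters(ClusterIdentifier=cluster_id)
    return plan_encryption(resp["Clusters"][0], desired_key_arn)


def apply_plan(plan: EncryptionPlan, desired_key_arn: str, region: str = "us-east-1"):
    """Issue ModifyCluster for 'enable' / 'rotate_key'; return None otherwise.

    Requires boto3 and credentials for a principal allowed to use the CMK.
    boto3 is imported lazily so the planning code above stays importable offline."""
    if plan.action not in ("enable", "rotate_key"):
        return None
    import boto3
    redshift = boto3.client("redshift", region_name=region)
    return redshift.modify_cluster(
        ClusterIdentifier=plan.cluster_id,
        Encrypted=True,
        KmsKeyId=desired_key_arn,
    )


def kms_policy_for_principal(key_arn: str) -> dict:
    """IAM policy for the principal that runs ModifyCluster: the three KMS actions
    named in the comments, scoped to the one CMK rather than "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": key_arn,
        }],
    }


# Constructed sample shaped like a DescribeClusters response for the 1-node POC.
SAMPLE_DESCRIBE = {
    "Clusters": [{
        "ClusterIdentifier": "poc-dc2-large",
        "NodeType": "dc2.large",
        "NumberOfNodes": 1,
        "ClusterStatus": "available",
        "Encrypted": False,
    }]
}


class FakeRedshiftClient:
    """Offline stand-in for boto3's Redshift client (assumption, not an AWS API)."""

    def __init__(self, describe_response: dict):
        self._response = describe_response

    def describe_clusters(self, ClusterIdentifier: str) -> dict:
        return self._response


if __name__ == "__main__":
    key_arn = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
    plan = plan_for_cluster("poc-dc2-large", key_arn, FakeRedshiftClient(SAMPLE_DESCRIBE))
    print(plan)
    print(kms_policy_for_principal(key_arn))
    # apply_plan(plan, key_arn)  # uncomment with real credentials to run ModifyCluster
```

Run it as-is to see the plan for the constructed unencrypted cluster; swap FakeRedshiftClient for `boto3.client("redshift")` and uncomment the last line to act on a real cluster. The daily Python job mentioned in the comments needs none of this: it keeps connecting with its database user, and only the principal running ModifyCluster needs the KMS policy.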