Connections > Amazon Redshift V2 connection properties > Enable encryption

Enable encryption

You can enable server-side encryption in the Amazon Redshift V2 connection for staging data in Amazon S3.

To enable server-side encryption, create an AWS Key Management Service (AWS KMS)-managed customer master key.

Generate the customer master key ID for the same region where your Amazon S3 staging bucket resides.

For more information about generating a customer master key, see the AWS documentation.

To enable encryption with the customer master key, you need to create a minimal KMS policy. You can specify the customer master key ID when you create an Amazon Redshift V2 connection.

Create a minimal policy for using AWS KMS

To use the AWS Key Management Service (AWS KMS)-managed customer master key and enable the encryption with KMS, you must create a KMS policy.

You can perform the following operations to enable encryption with KMS:

•GenerateDataKey
•DescribeKey
•Encrypt
•Decrypt
•ReEncrypt

Sample policy:

{
"Version":"2012-10-17",
"Statement":[
{ "Effect":"Allow",
"Action":
[ "kms:GenerateDataKey", "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*" ],
"Resource": ["arn:aws:kms:region:account:key/<KMS_key>"]
}
]
}

When you configure KMS and access an Amazon S3 endpoint in the China region, use the following sample policy:

{
"Version":"2012-10-17",
"Statement":[
{ "Effect":"Allow",
"Action":[ "kms:GenerateDataKey", "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*" ],
"Resource": ["arn:aws-cn:kms:region:account:key/<KMS_key>"]
}
]
}