You can enable client-side and server-side encryption in the Amazon Redshift V2 connection for staging data in Amazon S3.
You can also configure encryption in the Amazon Redshift V2 Source and Target transformations in a mapping. For more information on how to configure encryption in the mapping, see the topics "Data encryption in Amazon Redshift V2 sources" and "Data encryption in Amazon Redshift V2 targets."
Complete the prerequisites based on the type of encryption that you want to configure in the Amazon Redshift V2 connection.
Client-side encryption
Client-side encryption requires a 256-bit AES encryption key in the Base64 format. You can generate a key using a third-party tool.
Specify the key value in the Master Symmetric Key field when you create an Amazon Redshift V2 connection.
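The following is an added example, not Informatica's code: it generates a 256-bit key with Python's standard library and checks that a candidate value decodes to exactly 256 bits before it is entered in the Master Symmetric Key field. The function names are hypothetical, and requiring the standard Base64 alphabet is an assumption, because this page says only "Base64 format".

```python
import base64
import binascii
import secrets

AES_256_KEY_BYTES = 32  # 256 bits


def generate_master_symmetric_key() -> str:
    """Return a fresh 256-bit key from the OS CSPRNG, Base64-encoded."""
    return base64.b64encode(secrets.token_bytes(AES_256_KEY_BYTES)).decode("ascii")


def check_master_symmetric_key(value: str) -> list[str]:
    """Return the problems found in a candidate key; an empty list means well-formed."""
    problems = []
    if value != value.strip():
        # Copy-paste often adds a trailing newline or space.
        problems.append("leading or trailing whitespace")
    try:
        # validate=True rejects characters outside the standard alphabet
        # (assumption: URL-safe Base64 with '-' and '_' is not accepted).
        raw = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError):
        problems.append("not standard Base64")
        return problems
    if len(raw) != AES_256_KEY_BYTES:
        # Catches 128-bit keys and hex strings pasted as if they were Base64.
        problems.append(f"decodes to {len(raw) * 8} bits, expected 256")
    elif len(set(raw)) < 8:
        # Heuristic only: flags placeholders such as an all-zero key.
        problems.append("very few distinct byte values; key does not look random")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; none of these is a real key.
    samples = {
        "hex string": "00" * 32,
        "128-bit key": base64.b64encode(bytes(range(16))).decode("ascii"),
        "all-zero key": base64.b64encode(bytes(32)).decode("ascii"),
        "fresh key": generate_master_symmetric_key(),
    }
    for label, candidate in samples.items():
        print(f"{label}: {check_master_symmetric_key(candidate) or 'ok'}")
```

Treat the generated value as a secret: anyone who holds it can decrypt the staged files, so keep it out of shell history, tickets and source control.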
Server-side encryption
To enable server-side encryption, create an AWS Key Management Service (AWS KMS)-managed customer master key.
Generate the customer master key ID for the same region where your Amazon S3 staging bucket resides. For more information about generating a customer master key, see the AWS documentation.
To enable encryption with the customer master key, you need to create a minimal KMS policy. You can specify the customer master key ID when you create an Amazon Redshift V2 connection.
Note: You cannot configure server-side encryption with the master symmetric key and client-side encryption with the customer master key.
Create a minimal policy for using AWS KMS
To use the AWS Key Management Service (AWS KMS)-managed customer master key and enable encryption with KMS, you must create a KMS policy.
You can perform the following operations to enable encryption with KMS: