
Enable encryption

You can enable server-side encryption in the Amazon Redshift V2 connection for staging data in Amazon S3.
You can also configure encryption in the Amazon Redshift V2 Source and Target transformations in a mapping. For more information on how to configure encryption in the mapping, see the topics "Data encryption in Amazon Redshift V2 sources" and "Data encryption in Amazon Redshift V2 targets."
To enable server-side encryption, create an AWS Key Management Service (AWS KMS)-managed customer master key.
Generate the customer master key ID for the same region where your Amazon S3 staging bucket resides.
For more information about generating a customer master key, see the AWS documentation.
To enable encryption with the customer master key, you need to create a minimal KMS policy. You can specify the customer master key ID when you create an Amazon Redshift V2 connection.

Create a minimal policy for using AWS KMS

To use the AWS Key Management Service (AWS KMS)-managed customer master key and enable encryption with KMS, you must create a KMS policy.
You can perform the following operations to enable encryption with KMS:
Sample policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["kms:GenerateDataKey", "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*"],
      "Resource": ["arn:aws:kms:region:account:key/<KMS_key>"]
    }
  ]
}
When you configure KMS and access an Amazon S3 endpoint in the China region, use the following sample policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["kms:GenerateDataKey", "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*"],
      "Resource": ["arn:aws-cn:kms:region:account:key/<KMS_key>"]
    }
  ]
}
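
The following check is an added example, not part of the Informatica documentation: it compares a KMS policy document against the sample policies above and reports actions beyond the sample set, resources that are not a single key ARN, a partition that does not fit the region (aws or aws-cn), and a key region that differs from the Amazon S3 staging bucket region. The function names, the account ID, and the key ID are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Actions granted by the sample policy on this page (IAM action names are case-insensitive).
SAMPLE_ACTIONS = {a.lower() for a in ("kms:GenerateDataKey", "kms:DescribeKey",
                                      "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*")}

def _as_list(value):
    # IAM accepts a single string or object wherever a list is allowed.
    return [value] if isinstance(value, (str, dict)) else list(value)

def check_policy(policy_json, bucket_region):
    """Return findings for a KMS policy; an empty list means it passes."""
    findings, granted = [], set()
    # Only the two partitions shown on this page are handled.
    partition = "aws-cn" if bucket_region.startswith("cn-") else "aws"
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        granted.update(actions)
        findings += [f"extra action: {a}" for a in actions if a not in SAMPLE_ACTIONS]
        for arn in _as_list(stmt.get("Resource", [])):
            parts = arn.split(":", 5)
            if (len(parts) != 6 or parts[2] != "kms" or "*" in arn
                    or not parts[5].startswith("key/")):
                findings.append(f"resource is not a single key ARN: {arn}")
                continue
            if parts[1] != partition:
                findings.append(f"partition {parts[1]} should be {partition}")
            if parts[3] != bucket_region:
                findings.append(f"key region {parts[3]} is not bucket region {bucket_region}")
    # A granted pattern such as kms:* also covers the sample actions.
    findings += [f"missing action: {a}" for a in sorted(SAMPLE_ACTIONS)
                 if not any(fnmatchcase(a, g) for g in granted)]
    return findings

def make_policy(actions, resource):
    """Build a one-statement policy document (helper for the constructed samples)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": actions, "Resource": resource}]})

# Constructed sample values: the account ID and key ID are placeholders.
KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
GOOD = make_policy(sorted(SAMPLE_ACTIONS), [KEY_ARN])
BROAD = make_policy("kms:*", "*")

if __name__ == "__main__":
    print(check_policy(GOOD, "us-west-2") or "OK")
    print(check_policy(BROAD, "us-west-2"))
```

Run the check against the policy you attach to the IAM user or role used by the connection, passing the region of the staging bucket as the second argument.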