Use KMS CMK customer-managed keys for Redshift clusters

Use customer-managed KMS keys instead of AWS-managed keys, to have granular control over encrypting and decrypting data. Encrypt Redshift clusters with a Customer-managed KMS key. This is a recommended best practice.

Risk Level: High
Cloud Entity: Amazon Redshift
CloudGuard Rule ID: D9.AWS.CRY.15
Category: Database


Redshift should have dataEncrypted and kmsKeyId


From Portal
Following steps will enable KMS CMK for the desired redshift cluster:

  1. Login to the AWS Management Console.
  2. Select the appropriate AWS region.
  3. Navigate to KMS service at
  4. Click on Customer managed keys in the left navigation panel
  5. Verify the name and key ID of the KMS default key generated for the Redshift service, key identified by the aws/redshift alias.
  6. Now, navigate to Redshift dashboard at
  7. In the navigation panel, under Redshift Dashboard, click Clusters.
  8. Choose the Redshift cluster that you want to modify encryption settings and go click on Properties tab.
  9. Verify the Encryption status (Disabled/enabled) under the Cluster Properties.
  10. Click on edit tab on the right side and go to edit encryption select the customer managed key created already and save it.

Notes: You must enable encryption when you launch the Redshift cluster, before data is placed on it. Encryption on a cluster is immutable, and cannot be reversed.

From TF

resource "aws_redshift_cluster" "test" {
	+ encrypted = true

From Command Line
To turn on encryption for Redshift cluster

aws redshift modify-cluster --cluster-ientifier PUT_VALUE --encrypted -- kms-key-id PUT_VALUE



Amazon Redshift

Amazon Redshift is a fast, fully managed data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and your existing Business Intelligence (BI) tools. It allows you to run complex analytic queries against petabytes of structured data, using sophisticated query optimization, columnar storage on high-performance local disks, and massively parallel query execution. Most results come back in seconds. With Amazon Redshift, you can start small for just $0.25 per hour with no commitments and scale out to petabytes of data for $1,000 per terabyte per year, less than a tenth the cost of traditional solutions.

Compliance Frameworks

  • AWS CSA CCM v.3.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management