Cloud security is a vital aspect of cloud computing. Organizations want their cloud infrastructure to be completely secure so that they can focus on their business without getting worried about the safety of their deployed resources and workload. Redshift is the data warehouse and analytical service provided by AWS and it is essential to make sure that your redshift cluster is safe from any kind of potential, malicious security threat.
Why AWS Redshift cluster encryption is important for cloud security?
Having explained, what is AWS Redshift & Redshift Cluster in my previous blog, let us now understand why its encryption is important. Users can enable encryption when a new cluster is launched. Users can also modify an existing unencrypted cluster in AWS. AWS provides redshift cluster encryption through KMS (Key Management Service). To encrypt redshift clusters, users can use either an AWS-managed key or a customer-managed key (CMK). When a cluster is modified to enable encryption, AWS automatically migrates the data present in the cluster to a new encrypted cluster. Also, any previously existing snapshots of that clusters get encrypted.
Redshift uses a four-tier, key-based architecture for data which consists of data encryption keys, a database key, a cluster key, and a master key. Data encryption keys encrypt data blocks present in the redshift cluster. Each data block is assigned a randomly generated key. These keys are encrypted using the database key for the cluster. The database key, which is a randomly generated key, encrypts data encryption key in the cluster. It is stored in the disk in a separate network from the redshift cluster and gets passed on to the cluster through a secure channel. The cluster key then encrypts the database key for redshift cluster.
When data is received from an unknown source, then security becomes a major concern as the user would want that no harm is caused to its own data because of any third-party intrusion. This is where cluster encryption plays an important role in encrypting and securing users’ data.
How does Centilytics come into play?
Centilytics lists down all existing clusters and their corresponding encryption status for the users to act against them.
Insight descriptions
There can be 2 possible scenarios:
| Severity | Description |
 OK |
This indication will be displayed when the corresponding redshift cluster has encryption enabled in AWS. |
 CRITICAL |
This indication will be displayed when the corresponding redshift cluster does not have encryption enabled on AWS. |
Description of further columns are as follows:
- Account Id: This column Shows the respective account ID of the user’s account.
- Account Name: This column shows the corresponding account name to the user’s account.
- Region: This column shows the region in which the corresponding redshift cluster exists.
- Identifier: This column shows the name of the corresponding redshift cluster.
- Encryption Status: This column shows the encryption status of the corresponding cluster specifying whether the cluster is encrypted or not. If the cluster is encrypted, then true will be displayed. Otherwise false will be displayed.
Filters applicable:
| Filter Name | Description |
| Account Id | Applying the account Id filter will display data for the selected account Id. |
| Region | Applying region filter will display data according to the selected region. |
| Severity | Applying severity filter will display data according to the selected severity type i.e. selecting critical will display all resources with critical severity. Same will be the case for warning and ok severity types |
| Resource Tags | Applying resource tags filter will display those resources which have been assigned the selected resource tag. For eg- If the user has tagged some resource by a tag named environment, then selecting an environment from the resource tags filter will display all the data accordingly. |
| Resource Tags Value | Applying resource tags value filter will display data which will have the selected resource tag value. For eg: If the user has tagged some resource by a tag named “environment” and has given it a value say production (environment: production), then the user will be able to view data of all the resources which are tagged as “environment:production”. The user can use the tag value filter only when a tag name has been provided. |
Read more:
[1]. https://docs.aws.amazon.com/redshift/latest/mgmt/welcome.html
[2]. https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html
[3]. https://docs.aws.amazon.com/kms/latest/developerguide/services-redshift.html