Amazon Redshift Connectors

Enable encryption

You can enable client-side and server-side encryption in the Amazon Redshift V2 connection for staging data in Amazon S3.
You can also configure encryption in the Amazon Redshift V2 Source and Target transformations in a mapping. For more information on how to configure encryption in the mapping, see the topics "Data encryption in Amazon Redshift V2 sources" and "Data encryption in Amazon Redshift V2 targets."
Complete the prerequisites based on the type of encryption that you want to configure in the Amazon Redshift V2 connection.
Client-side encryption
Client-side encryption requires a 256-bit AES encryption key in the Base64 format. You can generate a key using a third-party tool.
Specify the key value in the Master Symmetric Key field when you create an Amazon Redshift V2 connection.
Server-side encryption
To enable server-side encryption, create an AWS Key Management Service (AWS KMS)-managed customer master key.
Generate the customer master key ID for the same region where your Amazon S3 staging bucket resides. For more information about generating a customer master key, see the AWS documentation.
To enable encryption with the customer master key, you need to create a minimal KMS policy. You can specify the customer master key ID when you create an Amazon Redshift V2 connection.
You cannot configure server-side encryption with the master symmetric key and client-side encryption with the customer master key.

Create a minimal policy for using AWS KMS

To use the AWS Key Management Service (AWS KMS)-managed customer master key and enable the encryption with KMS, you must create a KMS policy.
The policy must allow the following operations to enable encryption with KMS:
  • GenerateDataKey
  • DescribeKey
  • Encrypt
  • Decrypt
  • ReEncrypt
Sample policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*"
            ],
            "Resource": ["arn:aws:kms:region:account:key/<KMS_key>"]
        }
    ]
}
When you configure KMS and access an Amazon S3 endpoint in the China region, use the following sample policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*"
            ],
            "Resource": ["arn:aws-cn:kms:region:account:key/<KMS_key>"]
        }
    ]
}
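A check you can run on a drafted policy before attaching it, added here as an example and not taken from the Informatica or AWS documentation. It flags KMS actions beyond the five listed above, resources that are not a single key ARN, and a key partition or region that differs from the staging bucket's. The function names, the sample account ID and the key ID are assumptions.

```python
import json
import re
from fnmatch import fnmatchcase

# Actions the sample policy on this page grants for KMS-encrypted staging.
REQUIRED = {"kms:GenerateDataKey", "kms:DescribeKey", "kms:Encrypt",
            "kms:Decrypt", "kms:ReEncrypt*"}
# Only the two partitions shown on this page (aws, aws-cn) are recognised.
KEY_ARN = re.compile(r"^arn:(aws|aws-cn):kms:([a-z0-9-]+):\d{12}:key/[^*?]+$")

def as_list(value):
    """IAM accepts either one string/object or a list of them."""
    return value if isinstance(value, list) else [value]

def check_kms_policy(policy_json, bucket_region):
    """Return findings for a KMS policy; an empty list means it passes."""
    partition = "aws-cn" if bucket_region.startswith("cn-") else "aws"
    findings, granted = [], set()
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        actions = {a for a in as_list(stmt.get("Action", []))
                   if a == "*" or a.startswith("kms:")}
        if stmt.get("Effect") != "Allow" or not actions:
            continue
        granted |= actions
        for extra in sorted(actions - REQUIRED):
            findings.append(f"action beyond the minimal set: {extra}")
        for res in as_list(stmt.get("Resource", [])):
            m = KEY_ARN.match(res)
            if not m:
                findings.append(f"resource is not a single key ARN: {res}")
            elif m.group(1) != partition:
                findings.append(f"partition {m.group(1)} != {partition}")
            elif m.group(2) != bucket_region:
                findings.append(f"key region {m.group(2)} != {bucket_region}")
    for req in sorted(REQUIRED):
        # A wildcard grant such as kms:* also covers the named action.
        if not any(fnmatchcase(req.rstrip("*"), g) for g in granted):
            findings.append(f"missing action: {req}")
    return findings

# Constructed sample policy; the account ID and key ID are placeholders.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": sorted(REQUIRED),
    "Resource": ["arn:aws:kms:us-east-1:111122223333:key/example-key-id"]}]})

if __name__ == "__main__":
    for region in ("us-east-1", "us-west-2", "cn-north-1"):
        print(region, check_kms_policy(SAMPLE, region) or "OK")
```

Action names are compared case-sensitively, so write them exactly as they appear in the sample policy.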
