User guide
Configuring HSM Using the Amazon Redshift CLI and API
You can use the following Amazon Redshift CLI operations to manage hardware security modules.
• create-hsm-client-certificate
• create-hsm-configuration
• delete-hsm-client-certificate
• delete-hsm-configuration
• describe-hsm-client-certificates
• describe-hsm-configurations
You can use the following Amazon Redshift API actions to manage hardware security modules.
• CreateHsmClientCertificate
• CreateHsmConfiguration
• DeleteHsmClientCertificate
• DeleteHsmConfiguration
• DescribeHsmClientCertificates
• DescribeHsmConfigurations
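The following script is an added example, not code from the Amazon Redshift Management Guide. It chains the CLI operations listed above into one setup flow: create the client certificate that Amazon Redshift presents to the HSM and capture its public key (which has to be registered on the HSM partition out of band), then create the HSM configuration, then confirm both objects exist with the describe operations. It assumes the AWS CLI is installed with credentials and region configured, that the partition password is supplied through an HSM_PARTITION_PASSWORD environment variable (an assumption of this script, not a CLI requirement), and that AWS_CMD can be pointed at a stub for offline testing.

```shell
#!/bin/sh
# Added example, not from the Amazon Redshift Management Guide. Chains the HSM
# CLI operations into one setup flow. Assumptions: the AWS CLI is installed with
# credentials and region configured; AWS_CMD may be pointed at a stub for
# testing; the HSM partition password is read from HSM_PARTITION_PASSWORD.
AWS_CMD="${AWS_CMD:-aws}"

# Step 1: create the client certificate Amazon Redshift will present to the HSM
# and print its public key. That key must be registered on the HSM partition
# before a cluster using this configuration can reach the HSM.
create_client_cert() {
  "$AWS_CMD" redshift create-hsm-client-certificate \
    --hsm-client-certificate-identifier "$1" \
    --query 'HsmClientCertificate.HsmClientCertificatePublicKey' --output text
}

# Step 2: describe the HSM to Amazon Redshift. Arguments: configuration id,
# HSM IP address, partition name, path to the HSM server's public certificate.
# Reading the password from the environment keeps it out of this script's
# argument list and shell history; the CLI itself still receives it as the
# --hsm-partition-password argument, which the command requires.
create_hsm_config() {
  [ -n "$HSM_PARTITION_PASSWORD" ] || { echo "HSM_PARTITION_PASSWORD is not set" >&2; return 1; }
  [ -r "$4" ] || { echo "cannot read HSM server certificate $4" >&2; return 1; }
  "$AWS_CMD" redshift create-hsm-configuration \
    --hsm-configuration-identifier "$1" \
    --description "HSM configuration $1" \
    --hsm-ip-address "$2" \
    --hsm-partition-name "$3" \
    --hsm-partition-password "$HSM_PARTITION_PASSWORD" \
    --hsm-server-public-certificate "file://$4" \
    --query 'HsmConfiguration.HsmConfigurationIdentifier' --output text
}

# Step 3: confirm both objects are visible before attaching them to a cluster.
# Arguments: client certificate id, configuration id.
hsm_setup_ready() {
  [ "$("$AWS_CMD" redshift describe-hsm-client-certificates \
        --hsm-client-certificate-identifier "$1" \
        --query 'HsmClientCertificates[0].HsmClientCertificateIdentifier' --output text)" = "$1" ] &&
  [ "$("$AWS_CMD" redshift describe-hsm-configurations \
        --hsm-configuration-identifier "$2" \
        --query 'HsmConfigurations[0].HsmConfigurationIdentifier' --output text)" = "$2" ]
}
```

Typical use is create_client_cert, register the printed key on the HSM, then create_hsm_config and hsm_setup_ready; the delete operations from the list above reverse the flow when a configuration is retired.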
Rotating Encryption Keys
In Amazon Redshift, you can rotate encryption keys for encrypted clusters. When you start the key rotation
process, Amazon Redshift rotates the cluster encryption key and database encryption key for the specified
cluster, and for any of the cluster’s manual and automatic snapshots. The cluster is put into a
ROTATING_KEYS state until the rotation completes, at which time it returns to the AVAILABLE state.
Amazon Redshift handles decryption and re-encryption during the key rotation process.
Note
You cannot rotate keys for snapshots without a source cluster. Before you delete a cluster,
consider whether its snapshots rely on key rotation.
Because the cluster is momentarily unavailable during the key rotation process, you should rotate keys
only as often as your data needs require or when you suspect the keys might have been compromised.
As a best practice, you should review the type of data that you store and plan how often to rotate the
keys. The frequency for rotating keys varies depending on your corporate policies for data security, and
any industry standards regarding sensitive data and regulatory compliance. Ensure that your plan balances
security needs with availability considerations for your cluster.
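The script below is an added example, not code from the Amazon Redshift Management Guide. It performs the rotation described above from the CLI: it checks that the cluster is encrypted and available (so the brief unavailability is not stacked on another operation), starts the rotation with rotate-encryption-key, and polls describe-clusters until the cluster leaves the rotating-keys state and is available again. It assumes the AWS CLI is installed with credentials and region configured, that the API spells the console's ROTATING_KEYS state as rotating-keys (the guide only shows the console spelling), and that AWS_CMD can be pointed at a stub for offline testing.

```shell
#!/bin/sh
# Added example, not from the Amazon Redshift Management Guide. Starts a key
# rotation and waits for the cluster to return to available. Assumptions: the
# AWS CLI is installed with credentials and region configured; AWS_CMD may be
# pointed at a stub for testing; the API spells ROTATING_KEYS as rotating-keys.
AWS_CMD="${AWS_CMD:-aws}"

# Normalize a status so the console spelling (ROTATING_KEYS) and the API
# spelling (rotating-keys) compare equal.
normalize_status() {
  printf '%s' "$1" | tr 'A-Z_' 'a-z-'
}

# Current ClusterStatus of one cluster, normalized.
cluster_status() {
  normalize_status "$("$AWS_CMD" redshift describe-clusters \
    --cluster-identifier "$1" \
    --query 'Clusters[0].ClusterStatus' --output text)"
}

# Rotation applies only to encrypted clusters, and it makes the cluster briefly
# unavailable, so require it to be available (not mid-modify) before starting.
rotation_allowed() {
  enc=$("$AWS_CMD" redshift describe-clusters --cluster-identifier "$1" \
    --query 'Clusters[0].Encrypted' --output text)
  [ "$enc" = "True" ] && [ "$(cluster_status "$1")" = "available" ]
}

# Start rotation, then poll until the cluster is available again.
# Args: cluster id, max polls (default 60), seconds between polls (default 30).
# Returns 0 when the cluster is available again, 1 on precheck failure or timeout.
rotate_and_wait() {
  cluster="$1"; max_polls="${2:-60}"; poll_seconds="${3:-30}"
  rotation_allowed "$cluster" || { echo "$cluster: not encrypted or not available" >&2; return 1; }
  # The rotate call returns the cluster record, already in its transitional state.
  raw=$("$AWS_CMD" redshift rotate-encryption-key --cluster-identifier "$cluster" \
    --query 'Cluster.ClusterStatus' --output text) || return 1
  status=$(normalize_status "$raw")
  echo "$cluster: rotation started ($status)"
  i=0
  while [ "$i" -lt "$max_polls" ]; do
    sleep "$poll_seconds"
    status=$(cluster_status "$cluster")
    echo "$cluster: $status"
    [ "$status" = "available" ] && return 0
    i=$((i + 1))
  done
  echo "$cluster: still $status after $max_polls polls" >&2
  return 1
}
```

Run it as rotate_and_wait my-cluster from a scheduled job whose interval matches the rotation frequency you settled on; the precheck is what keeps an ad hoc run from hitting a cluster that is already being modified.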
Rotating Encryption Keys Using the Amazon Redshift Console
You can use the following procedure to rotate encryption keys by using the AWS Management Console.
1. Sign into the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift.
API Version 2012-12-01
105
Amazon Redshift Management Guide