User guide
5. On the Additional Configuration page, specify values for the following options, and then click
Continue.
a. Under Provide the optional additional configuration details below, configure the following
options:
Cluster Parameter Group
Select a cluster parameter group to associate with the cluster. If you don't select one, the
cluster uses the default parameter group.
Encrypt Database
Select whether you want to encrypt all data within the cluster and its snapshots. If you leave
the default setting, None, encryption is not enabled. If you want to enable encryption, select
whether you want to use AWS Key Management Service (AWS KMS) or a hardware security
module (HSM), and then configure the related settings. For more information about encryption
in Amazon Redshift, see Amazon Redshift Database Encryption (p. 98).
• KMS
Click KMS if you want to enable encryption and use AWS KMS to manage your encryption
key.
Note
AWS KMS combines secure, highly available hardware and software to provide
a key management system scaled for the cloud. You can access AWS KMS
from the Encryption Keys section of the AWS Identity and Access Management
console or the AWS KMS APIs to centrally create encryption keys, define the
policies that control how keys can be used, and audit key usage to prove they
are being used correctly. For more information about managing your Amazon
Redshift encryption key using AWS KMS, go to AWS Key Management Service
Developer Guide.
After you click KMS, you can select a key from the Master Key list.
If you select (default) aws/redshift, Amazon Redshift will use a default customer master
key (CMK). The first time you create an encrypted Amazon Redshift cluster in a region,
a default CMK is created for you automatically. This key is used for Amazon Redshift
encryption unless you select a CMK that you created separately using AWS KMS. Creating
API Version 2012-12-01
Amazon Redshift Management Guide
Creating a Cluster
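The following added example (not part of the original guide and not AWS code) shows one way to check which Encrypt Database choice each existing cluster reflects: None, KMS with the default aws/redshift key, KMS with a key you created, or HSM. It assumes cluster records shaped like the Redshift DescribeClusters response and a lookup of KeyMetadata.KeyManager values as returned by KMS DescribeKey; all cluster names, key ARNs and the account ID are constructed sample values.

```python
# Added example (not AWS code). Dict shapes follow the Redshift DescribeClusters
# and KMS DescribeKey responses; every identifier below is constructed.

SAMPLE_CLUSTERS = [
    {"ClusterIdentifier": "analytics-dev", "Encrypted": False},
    {"ClusterIdentifier": "analytics-prod", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-DEFAULT"},
    {"ClusterIdentifier": "finance-prod", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-OWN"},
    {"ClusterIdentifier": "legacy-hsm", "Encrypted": True,
     "HsmStatus": {"HsmConfigurationIdentifier": "example-hsm-config",
                   "Status": "active"}},
]

# KeyMetadata.KeyManager per key ARN, as DescribeKey would report it:
# "AWS" for the default aws/redshift key, "CUSTOMER" for a key you created.
SAMPLE_KEY_MANAGERS = {
    "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-DEFAULT": "AWS",
    "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-OWN": "CUSTOMER",
}

def classify_cluster(cluster, key_managers):
    """Map one cluster record to the Encrypt Database choice it reflects."""
    if not cluster.get("Encrypted", False):
        return "NONE"                      # console default: not encrypted
    if cluster.get("HsmStatus"):
        return "HSM"
    manager = key_managers.get(cluster.get("KmsKeyId"))
    if manager == "AWS":
        return "KMS_DEFAULT_KEY"           # (default) aws/redshift
    if manager == "CUSTOMER":
        return "KMS_OWN_KEY"               # CMK created separately in AWS KMS
    return "KMS_KEY_UNRESOLVED"            # key not in the lookup; check access

def audit(clusters, key_managers):
    """Return {cluster id: classification} for every cluster record."""
    return {c["ClusterIdentifier"]: classify_cluster(c, key_managers)
            for c in clusters}

def unencrypted(clusters, key_managers):
    """Cluster ids left at the default None setting, sorted for stable output."""
    return sorted(cid for cid, kind in audit(clusters, key_managers).items()
                  if kind == "NONE")

if __name__ == "__main__":
    for cid, kind in audit(SAMPLE_CLUSTERS, SAMPLE_KEY_MANAGERS).items():
        print(f"{cid}: {kind}")
```

Clusters reported as NONE were created with the default setting and are the ones to review first.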