security audit team asked to encrypt all the data stored on the Redshift cluster. Hence, to implement encryption at rest, what needs to be taken care of?
A. You have to manually mark the cluster as read-only, and once encryption is done you enable both read and write mode again.
B. You copy the entire cluster data to an S3 bucket and then apply server-side encryption to it. Once done, you copy the data back to a new Redshift cluster where encryption is enabled.
C. You will be disabling cross-region replication.
D. We need to make sure that, for that time, the current cluster will not be available for data writes.
1. A,B
2. B,C
3. C,D
4. A,D
5. B,D
Correct Answer : 3 Exp : You can modify an unencrypted cluster to use AWS Key Management Service (AWS KMS) encryption, using either an AWS-managed key or a customer-managed key (CMK). When you modify your cluster to enable KMS encryption, Amazon Redshift automatically migrates your data to a new encrypted cluster. You can also migrate an unencrypted cluster to an encrypted cluster by modifying the cluster.
During the migration operation, your cluster is available in read-only mode, and the cluster status appears as resizing. If your cluster is configured to enable cross-AWS Region snapshot copy, you must disable it before changing encryption.
You can't enable hardware security module (HSM) encryption by modifying the cluster. Instead, create a new, HSM-encrypted cluster and migrate your data to the new cluster.
Also, we should keep in mind that the cluster remains in read-only mode until all of the data is encrypted. Hence, this OUTAGE information should be known in advance for better management.