01 Run describe-clusters command (OSX/Linux/UNIX) to describe the configuration available for the selected unencrypted Redshift cluster:
aws redshift describe-clusters \
  --region us-east-1 \
  --cluster-identifier cc-cluster
02 The command output should return the requested configuration information which will be useful later when the new Redshift cluster will be created:
{
  "Clusters": [
    {
      "PubliclyAccessible": true,
      "MasterUsername": "ccclusteruser",
      "VpcSecurityGroups": [
        {
          "Status": "active",
          "VpcSecurityGroupId": "sg-58dc0a22"
        }
      ],
      "ClusterPublicKey": "ssh-rsa AAAAB3Nz46D5XtMr ... ",
      "NumberOfNodes": 1,
      "PendingModifiedValues": {},
      "VpcId": "vpc-2fb56548",
      "ClusterVersion": "1.0",
      "Tags": [],
      "AutomatedSnapshotRetentionPeriod": 1,
      "ClusterParameterGroups": [
        {
          "ParameterGroupName": "default.redshift-1.0",
          "ParameterApplyStatus": "in-sync"
        }
      ],
      "DBName": "ccclusterdb",
      "PreferredMaintenanceWindow": "sun:06:00-sun:06:30",
      "Endpoint": {
        "Port": 5439,
        "Address": "cc-cluster.cmfpsgvyjhfo.us-east-1 ... "
      },
      "IamRoles": [],
      "AllowVersionUpgrade": true,
      "ClusterCreateTime": "2016-09-01T12:24:54.550Z",
      "ClusterSubnetGroupName": "default",
      "ClusterSecurityGroups": [],
      "ClusterIdentifier": "cc-cluster",
      "ClusterNodes": [
        {
          "NodeRole": "SHARED",
          "PrivateIPAddress": "172.31.9.165",
          "PublicIPAddress": "54.55.80.231"
        }
      ],
      "AvailabilityZone": "us-east-1a",
      "NodeType": "dc1.large",
      "Encrypted": false,
      "ClusterRevisionNumber": "1101",
      "ClusterStatus": "available"
    }
  ]
}
03 Run create-cluster command (OSX/Linux/UNIX) using the configuration details of the existing (unencrypted) cluster returned at the previous step to create a new Amazon Redshift cluster with encryption enabled. Because no KMS key is specified, the new cluster is launched with the default master key for data-at-rest encryption, an AWS-managed key that is generated automatically for the Redshift service when you create your AWS account:
aws redshift create-cluster \
  --region us-east-1 \
  --cluster-identifier cc-cluster-encrypted \
  --cluster-type single-node \
  --node-type dc1.large \
  --db-name ccclusterdb \
  --master-username ccclusteruser \
  --master-user-password CCclusterpwd0 \
  --vpc-security-group-ids sg-58dc0a22 \
  --availability-zone us-east-1a \
  --port 5439 \
  --cluster-subnet-group-name default \
  --cluster-parameter-group-name default.redshift-1.0 \
  --automated-snapshot-retention-period 1 \
  --publicly-accessible \
  --allow-version-upgrade \
  --encrypted
04 The command output should return the new cluster configuration metadata:
{
  "Cluster": {
    "PubliclyAccessible": true,
    "MasterUsername": "ccclusteruser",
    "VpcSecurityGroups": [
      {
        "Status": "active",
        "VpcSecurityGroupId": "sg-58dc0a22"
      }
    ],
    "NumberOfNodes": 1,
    "PendingModifiedValues": {
      "MasterUserPassword": "****"
    },
    "VpcId": "vpc-2fb56548",
    "ClusterVersion": "1.0",
    "Tags": [],
    "AutomatedSnapshotRetentionPeriod": 1,
    "ClusterParameterGroups": [
      {
        "ParameterGroupName": "default.redshift-1.0",
        "ParameterApplyStatus": "in-sync"
      }
    ],
    "DBName": "ccclusterdb",
    "PreferredMaintenanceWindow": "fri:06:00-fri:06:30",
    "IamRoles": [],
    "AllowVersionUpgrade": true,
    "ClusterSubnetGroupName": "default",
    "ClusterSecurityGroups": [],
    "ClusterIdentifier": "cc-cluster-encrypted",
    "AvailabilityZone": "us-east-1a",
    "NodeType": "dc1.large",
    "Encrypted": true,
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/4302e0f2-ec36-4f3c-806a-89f454193a47",
    "ClusterStatus": "creating"
  }
}
05 Run describe-clusters command (OSX/Linux/UNIX) again, this time with a query filter that returns only the endpoint of the new Redshift cluster:
aws redshift describe-clusters \
  --region us-east-1 \
  --cluster-identifier cc-cluster-encrypted \
  --query 'Clusters[*].Endpoint.Address'
06 The command output should return the new cluster endpoint URL:
[
"cc-cluster-encrypted.cmfpsgvyjhfo.us-east-1.redshift.amazonaws.com"
]
07 Now unload your data from the unencrypted Redshift cluster and reload it into the cluster created at the previous step by using the Amazon Redshift Unload/Copy utility. With this utility you export your data from the unencrypted cluster (source) to an AWS S3 bucket, encrypt it, import the data into your new Redshift cluster (destination), and then remove the S3 bucket that was used. The necessary instructions to install, configure and use the Amazon Redshift Unload/Copy utility can be found on this page.
08 As soon as the transfer is completed and all the data is loaded into your new (encrypted) cluster, you can update your application configuration to point to the new AWS Redshift cluster endpoint address returned at step no. 6.
09 Once the Redshift cluster endpoint is changed within your application configuration, run delete-cluster command (OSX/Linux/UNIX) to remove the unencrypted cluster from your AWS account:
aws redshift delete-cluster \
  --region us-east-1 \
  --cluster-identifier cc-cluster \
  --final-cluster-snapshot-identifier cc-cluster-finalsnapshot
10 The command output should return the metadata of the cluster selected for deletion:
{
  "Cluster": {
    "PubliclyAccessible": true,
    "MasterUsername": "ccclusteruser",
    "VpcSecurityGroups": [
      {
        "Status": "active",
        "VpcSecurityGroupId": "sg-58dc0a22"
      }
    ],
    "NumberOfNodes": 1,
    "PendingModifiedValues": {},
    "VpcId": "vpc-2fb56548",
    "ClusterVersion": "1.0",
    "Tags": [],
    "AutomatedSnapshotRetentionPeriod": 1,
    "ClusterParameterGroups": [
      {
        "ParameterGroupName": "default.redshift-1.0",
        "ParameterApplyStatus": "in-sync"
      }
    ],
    "DBName": "ccclusterdb",
    "PreferredMaintenanceWindow": "sun:06:00-sun:06:30",
    "Endpoint": {
      "Port": 5439,
      "Address": "cc-cluster.cmfpsgvyjhfo.us-east-1 ... "
    },
    "IamRoles": [],
    "AllowVersionUpgrade": true,
    "ClusterCreateTime": "2016-09-01T12:24:54.550Z",
    "ClusterSubnetGroupName": "default",
    "ClusterSecurityGroups": [],
    "ClusterIdentifier": "cc-cluster",
    "AvailabilityZone": "us-east-1a",
    "NodeType": "dc1.large",
    "Encrypted": false,
    "ClusterStatus": "final-snapshot"
  }
}
11 Repeat steps no. 1 - 10 to enable encryption for other Amazon Redshift clusters provisioned in the current region.
12 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 11 for other regions.
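As an added example that is not part of this guide, the following Python derives the step 3 create-cluster command from the step 2 describe-clusters output, so the encrypted clone reproduces the source cluster's settings without hand-copying them; it also lists which clusters in the output are unencrypted and goes beyond the guide's single-node case by handling multi-node clusters and an optional customer-managed KMS key. The sample output is constructed from the values shown above, and the REDSHIFT_MASTER_PASSWORD variable name is an assumption.

```python
import json

# Constructed sample: the step 2 describe-clusters fields that the step 3
# create-cluster command is built from (values are those shown in this guide).
DESCRIBE_OUTPUT = json.loads("""{"Clusters": [{
  "ClusterIdentifier": "cc-cluster", "Encrypted": false,
  "PubliclyAccessible": true, "AllowVersionUpgrade": true,
  "MasterUsername": "ccclusteruser", "DBName": "ccclusterdb",
  "VpcSecurityGroups": [{"Status": "active", "VpcSecurityGroupId": "sg-58dc0a22"}],
  "NumberOfNodes": 1, "NodeType": "dc1.large", "AvailabilityZone": "us-east-1a",
  "AutomatedSnapshotRetentionPeriod": 1, "ClusterSubnetGroupName": "default",
  "ClusterParameterGroups": [{"ParameterGroupName": "default.redshift-1.0"}],
  "Endpoint": {"Port": 5439, "Address": "cc-cluster.cmfpsgvyjhfo.us-east-1.redshift.amazonaws.com"}
}]}""")

def unencrypted_clusters(describe_output):
    """Identifiers of clusters with Encrypted == false, i.e. the finding this guide remediates."""
    return [c["ClusterIdentifier"] for c in describe_output["Clusters"] if not c.get("Encrypted")]

def encrypted_clone_args(cluster, new_identifier, region, kms_key_id=None,
                         password_env="REDSHIFT_MASTER_PASSWORD"):
    """Map describe-clusters fields onto the step 3 create-cluster flags and add --encrypted.
    The password is taken from a shell variable (hypothetical name) rather than typed into
    the command history; kms_key_id selects a customer-managed key over the default one."""
    args = ["aws", "redshift", "create-cluster", "--region", region,
            "--cluster-identifier", new_identifier,
            "--node-type", cluster["NodeType"],
            "--db-name", cluster["DBName"],
            "--master-username", cluster["MasterUsername"],
            "--master-user-password", "$" + password_env,
            "--vpc-security-group-ids", *[g["VpcSecurityGroupId"] for g in cluster["VpcSecurityGroups"]],
            "--availability-zone", cluster["AvailabilityZone"],
            "--port", str(cluster["Endpoint"]["Port"]),
            "--cluster-subnet-group-name", cluster["ClusterSubnetGroupName"],
            "--cluster-parameter-group-name", cluster["ClusterParameterGroups"][0]["ParameterGroupName"],
            "--automated-snapshot-retention-period", str(cluster["AutomatedSnapshotRetentionPeriod"])]
    nodes = cluster["NumberOfNodes"]  # multi-node clusters must also pass --number-of-nodes
    args += ["--cluster-type", "single-node"] if nodes == 1 else \
            ["--cluster-type", "multi-node", "--number-of-nodes", str(nodes)]
    args.append("--publicly-accessible" if cluster["PubliclyAccessible"] else "--no-publicly-accessible")
    args.append("--allow-version-upgrade" if cluster["AllowVersionUpgrade"] else "--no-allow-version-upgrade")
    args.append("--encrypted")
    if kms_key_id:
        args += ["--kms-key-id", kms_key_id]
    return args

if __name__ == "__main__":
    for ident in unencrypted_clusters(DESCRIBE_OUTPUT):
        src = next(c for c in DESCRIBE_OUTPUT["Clusters"] if c["ClusterIdentifier"] == ident)
        print(" \\\n    ".join(encrypted_clone_args(src, ident + "-encrypted", "us-east-1")))
```

Feed it the real output of step 1 instead of the constructed sample and paste the printed command into a shell where REDSHIFT_MASTER_PASSWORD is set.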