In July 2024, we published research on encryption by default in AWS and followed up in December 2024 on AWS resources that can still be created unencrypted. Since then we've been working on tooling and resources for ransomware prevention, encryption management, and cloud data protection. While working on the next phase of our tooling and research on encrypted and unencrypted resources in AWS, we made some interesting observations about Amazon Redshift:
We notified AWS Security of these issues in April 2025 and were told that the [AWS] "service team is currently working on the fix and the fix will be implemented in the near future." We will update this post once AWS completes their fix.
Our previous research:
Stay tuned for our new tooling on encryption management in AWS coming soon. For a preview, email us at info@fogsecurity.io.
Amazon Redshift is AWS's data warehouse service that can help with data analytics use cases. Redshift is estimated by 6sense to have a 15.76% market share of the data warehousing market (competing against Snowflake, Google BigQuery, SAP, and more).
We started our research on encryption in AWS in 2024 because we wanted to simplify encryption for AWS users. Since then, AWS has removed unencrypted options for several new resource types and made more resources encrypted by default.
One such change was to Amazon Redshift in early 2025 where AWS changed default security settings for Redshift. These changes included:
We will focus on the encryption settings of Amazon Redshift clusters. In AWS's encryption by default change, two behaviors were detailed:
We noticed the following changes:
We observed the following additional unpublicized changes to Redshift Cluster Encryption Behavior:
AWS's announcement only stated that the ability to create unencrypted clusters would no longer be available in the Amazon Redshift console. We observed that, in addition to that change, CLI and API calls that attempt to create unencrypted clusters are now rejected as well.
For example, with the AWS CLI, calling aws redshift create-cluster with --no-encrypted specified returns an InvalidParameterValue error stating that "Unencrypted cluster creation is not supported":
aws redshift create-cluster \
--cluster-identifier fog-shifty-encryption-test1 \
--cluster-type single-node --node-type dc2.large \
--master-username fogsecurity \
--manage-master-password \
--no-encrypted
An error occurred (InvalidParameterValue) when calling the CreateCluster operation:
Unencrypted cluster creation is not supported
We also observed that AWS CloudFormation no longer supports creation of unencrypted clusters. Running a CloudFormation create on a template with Encrypted set to false results in a CREATE_FAILED state with the message "Unencrypted cluster creation is not supported".
CloudFormation Template (YAML):
AWSTemplateFormatVersion: 2010-09-09
Description: Fog Security Reference Unencrypted Redshift Cluster
Resources:
  ShiftyCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterType: "single-node"
      Encrypted: false
      DBName: "testfogsecurity"
      MasterUsername: "fogsecurity"
      ManageMasterPassword: true
      NodeType: "dc2.large"
Note: This template will return an error when used for Redshift cluster creation because the Encrypted property is set to false. Remove that property (or set it to true) for this template to successfully create a Redshift cluster.
We reported the following to AWS Security in April 2025. While we do not consider this a traditional security vulnerability, inaccurate or misleading documentation about how encryption of data is managed can lead to security issues, including lack of oversight and misconfiguration.
When creating a Redshift cluster via the Amazon Management Console, we noticed the following info block when choosing an encryption key for the Redshift Cluster:
We found this to be inaccurate as we were able to change the encryption key after cluster creation. We were able to do the following:
Below are screenshots of the Management Console when selecting an encryption key type for Redshift cluster creation.
AWS CloudFormation documentation for AWS::Redshift::Cluster specifies that:
While that is true for new cluster creation, we found it to be inaccurate when modifying an existing cluster. We were able to set Encrypted to false on an existing cluster and still have the update request succeed. Steps to reproduce:
We've already hinted at the ability to end up with unencrypted clusters, so let's get down to business. While AWS has made it significantly harder to create unencrypted Redshift clusters, we were still able to turn existing clusters into unencrypted clusters.
AWS documentation asserts that when the value of Encrypted is set to false, the request will fail. We found the following:
The following is the CLI command we used to change the encryption settings on a Redshift cluster to unencrypted.
aws redshift modify-cluster \
--cluster-identifier fog-shifty-encryption-test \
--no-encrypted
Encryption can also be changed via the AWS Management Console. We used the console to modify encryption, including changing the encryption key to a key owned by a different AWS account. This is problematic for data management: keys in other accounts are harder to manage, and a cluster re-keyed under a key your account does not control is an indicator of ransomware.
Encrypted can be set to false on an AWS::Redshift::Cluster CloudFormation resource and the request will succeed for an update. To show this, we first create a cluster either with the Encrypted property set to true or without the Encrypted property (the cluster defaults to encrypted if the property is not specified).
Once the cluster has been created, we run a CloudFormation update with the following reference template. Note that for testing we left off many properties; we recommend setting properties in accordance with your application's needs and your company's security guidelines.
AWSTemplateFormatVersion: 2010-09-09
Description: Fog Security Reference Unencrypted Redshift Cluster
Resources:
  ShiftyCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterType: "single-node"
      Encrypted: false
      DBName: "testfogsecurity"
      MasterUsername: "fogsecurity"
      ManageMasterPassword: true
      NodeType: "dc2.large"
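Because the creation-time guard is bypassed by modification (CLI, API, console, or a CloudFormation update), the check a defender wants is on the current state of clusters and on the ModifyCluster calls that changed it. The script below is an added example written for this post, not Fog Security's tooling or an AWS-provided check: it walks the JSON shape returned by aws redshift describe-clusters (Clusters[].Encrypted and KmsKeyId) and flags clusters that are unencrypted or encrypted under a KMS key owned by another account, and it flags CloudTrail ModifyCluster events whose request parameters set encrypted to false or point kmsKeyId at a foreign account. The lower-camel-case CloudTrail parameter names are assumed, and every record in the block is constructed for illustration.

```python
"""Audit Amazon Redshift clusters for the two weakenings shown in this post
(Encrypted flipped to false; KMS key moved to another account) and flag the
CloudTrail ModifyCluster events that make those changes.

Added example for this post, not Fog Security's tooling. Field names follow
`aws redshift describe-clusters` output (Clusters[].Encrypted, KmsKeyId) and
CloudTrail requestParameters (assumed lower-camel-case: encrypted, kmsKeyId).
All records below are constructed for illustration; none are real clusters.
"""
import json
import re
import sys

# Account id is the 5th ARN field; partition may be aws, aws-cn, aws-us-gov.
KMS_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:(\d{12}):key/")


def key_account(kms_key_id):
    """Owner account of a KMS key ARN, or None for a bare key id / alias /
    missing value (those resolve inside the calling account)."""
    if not kms_key_id:
        return None
    m = KMS_ARN_RE.match(kms_key_id)
    return m.group(1) if m else None


def audit_clusters(describe_output, own_account):
    """Return [(cluster_id, finding)] for clusters that are unencrypted or
    encrypted under a key owned by an account other than own_account."""
    findings = []
    for c in describe_output.get("Clusters", []):
        cid = c.get("ClusterIdentifier", "?")
        if not c.get("Encrypted", False):
            findings.append((cid, "unencrypted"))
            continue
        owner = key_account(c.get("KmsKeyId"))
        if owner and owner != own_account:
            findings.append((cid, f"kms-key-owned-by:{owner}"))
    return findings


def suspicious_modify_events(events, own_account):
    """Return [(cluster_id, reason)] for Redshift ModifyCluster calls that
    turn encryption off or re-key the cluster under a foreign account's key."""
    hits = []
    for e in events:
        if e.get("eventSource") != "redshift.amazonaws.com":
            continue
        if e.get("eventName") != "ModifyCluster":
            continue
        params = e.get("requestParameters") or {}
        cid = params.get("clusterIdentifier", "?")
        if params.get("encrypted") is False:
            hits.append((cid, "encrypted=false"))
        owner = key_account(params.get("kmsKeyId"))
        if owner and owner != own_account:
            hits.append((cid, f"rekeyed-to-account:{owner}"))
    return hits


# Constructed sample data (not real AWS output). Account ids are placeholders.
OWN_ACCOUNT = "111111111111"
SAMPLE_DESCRIBE = {
    "Clusters": [
        {"ClusterIdentifier": "fog-shifty-ok", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/0000aaaa-0000-0000-0000-000000000001"},
        {"ClusterIdentifier": "fog-shifty-encryption-test", "Encrypted": False},
        {"ClusterIdentifier": "fog-shifty-rekeyed", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:222222222222:key/0000bbbb-0000-0000-0000-000000000002"},
    ]
}
SAMPLE_EVENTS = [
    {"eventSource": "redshift.amazonaws.com", "eventName": "ModifyCluster",
     "requestParameters": {"clusterIdentifier": "fog-shifty-encryption-test", "encrypted": False}},
    {"eventSource": "redshift.amazonaws.com", "eventName": "ModifyCluster",
     "requestParameters": {"clusterIdentifier": "fog-shifty-rekeyed",
                           "kmsKeyId": "arn:aws:kms:us-east-1:222222222222:key/0000bbbb-0000-0000-0000-000000000002"}},
    {"eventSource": "redshift.amazonaws.com", "eventName": "ModifyCluster",
     "requestParameters": {"clusterIdentifier": "fog-shifty-ok", "nodeType": "dc2.large"}},
]

if __name__ == "__main__":
    # Pass a file produced by `aws redshift describe-clusters > clusters.json`
    # and your account id (from `aws sts get-caller-identity`) to audit real output.
    describe = json.load(open(sys.argv[1])) if len(sys.argv) > 2 else SAMPLE_DESCRIBE
    account = sys.argv[2] if len(sys.argv) > 2 else OWN_ACCOUNT
    for cid, finding in audit_clusters(describe, account):
        print(f"cluster {cid}: {finding}")
    for cid, reason in suspicious_modify_events(SAMPLE_EVENTS, account):
        print(f"ModifyCluster on {cid}: {reason}")
```

Run it with no arguments to see the constructed findings; run it as python audit.py clusters.json 111111111111 against real describe-clusters output. Clusters encrypted under the AWS-managed key report no KmsKeyId ARN and are treated as in-account. Note that a cluster that was merely re-keyed still shows Encrypted true, which is why the key owner check is needed alongside the Encrypted flag.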
We see AWS's changes to Redshift's default behavior and default encryption settings as good steps towards a "Secure by Default" future. We are also glad that unencrypted options and unencrypted-by-default behavior are being removed (see our research on unencrypted resources and on encryption by default, linked below).
While it's now more difficult to configure unencrypted resources, it is still possible to end up with an unencrypted Redshift cluster via cluster modification (CLI, API, Console, or CloudFormation), and to change the encryption key of a Redshift cluster after creation. Because AWS's documentation and console text say otherwise, security teams may not be monitoring for this misconfiguration at all, and may have a false sense of security about data encryption in Redshift.
We plan on continuing this work. Reach out to us at info@fogsecurity.io for more information and to learn how we can help with cloud encryption, ransomware prevention, and cloud data security. We'll be developing and researching more on encryption and related topics; contact us for a preview of what we're building!
Fog Security: Are my AWS Resources Encrypted or Unencrypted by Default?
Fog Security: Unencrypted Resources in AWS
Fog Security: IAM Guide to Managing and Updating Encryption for AWS Resources
Github: IAM Reference for Encryption
AWS Blog: Amazon Redshift enhances security by changing default behavior in 2025