Shifty Business: Encryption in Amazon Redshift, Secure Defaults, and How to Shiftily Create Unencrypted Redshift Clusters

In July 2024, we published research on encrypted by default and followed up in December 2024 on resources that could be unencrypted in AWS. Since then we've been working on tooling and resources to help with ransomware prevention, encryption management, and cloud data protection. While working on the next phase of our tooling and research on encryption and unencryption in AWS, we made interesting observations about Amazon Redshift:

AWS Management Console provides inaccurate information on configuring encryption for Amazon Redshift provisioned clusters. AWS Console mentions that encryption cannot be changed after cluster creation, but we were able to change encryption including using encryption keys in different AWS accounts (which can be a method of cloud ransomware) as well as changing encrpytion to unencrypted.

While AWS has made it difficult to configure unecrypted Redshift clusters and documents that it's not possible to create unencrypted clusters, we still found a workaround to creating new unencrypted Redshift clusters.

AWS released an announcement on changed default behavior in Amazon Redshift. We noticed additional unannounced and unpublicized changes made to improve security in Amazon Redshift regarding encryption.

We've notified AWS Security of these issues in April 2025 and have been told that the [AWS] "service team is currently working on the fix and the fix will be implemented in the near future." We will update this post in the future once AWS completes their fix.

Our previous research:

Stay tuned for our new tooling on encryption management in AWS coming soon. For a preview, email us at info@fogsecurity.io.

Merriam-Webster Dictionary doesn't think unencrypt is a word.

Background

Amazon Redshift is AWS's data warehouse service that can help with data analytics use cases. Redshift is estimated by 6sense to have a 15.76% market share of the data warehousing market (competing against Snowflake, Google BigQuery, SAP, and more).

We started our research in 2024 on encryption in AWS due to our desire to simplify encryption for AWS users. Since then, AWS has updated and removed unencrypted options for new resources and also configured more encrypted by default options.

One such change was to Amazon Redshift in early 2025 where AWS changed default security settings for Redshift. These changes included:

Disabling public access by default.
Enabling encryption by default.
Enfrocing secure connections by default.

We will focus on the encryption settings of Amazon Redshift clusters. In the encryption by default change by AWS, 2 behaviors were detailed:

The ability to create unencrypted clusters will no longer be available in the Amazon Redshift console.
When the console, CLI, API, or CloudFormation is used to create a provisioned cluster without a KMS key specified, the cluster will be encrypted with an AWS-owned key.

We noticed the following changes:

CLI Documentation for Amazon Redshift Cluster creation, April 2025

‍

Previous CLI Documentation for Amazon Redshift Cluster creation, December 2024

‍

Additional Unpublicized Changes to Redshift Encryption Behavior

We observed the following additional unpublicized changes to Redshift Cluster Encryption Behavior:

CLI and API calls to create unencrypted clusters are no longer available for Amazon Redshift.

AWS's announcement only stated that the ability to create unencrypted clusters will no longer be available in the Amazon Redshift console. We observed that in addition to that change, CLI and API calls to create unencrypted clusters are also no longer available.

Take using the AWS CLI, if we call the aws redshift create-cluster command with --no-encrypted specified, we get a InvalidParameterValue error stating that "Unencrypted cluster creation is not supported."

aws redshift create-cluster \ 
--cluster-identifier fog-shifty-encryption-test1 \
--cluster-type single-node --node-type dc2.large \
--master-username fogsecurity \
--manage-master-password \
--no-encrypted 

An error occurred (InvalidParameterValue) when calling the CreateCluster operation: 
Unencrypted cluster creation is not supported

‍

Amazon CloudFormation no longer supports creation of unencrypted clusters.

We also observed that Amazon CloudFormation no longer supports creation of unencrypted clusters.

When running a CloudFormation create on a template with Encrypted set to false, we get a CREATE_FAILED state with the message "Unencrypted cluster creation is not supported"

CloudFormation Error while Encrypted: false is set on Redshift Cluster CloudFormation Create

CloudFormation Template (YAML):

AWSTemplateFormatVersion: 2010-09-09
Description: Fog Security Reference Unencrypted Redshift Cluster
Resources:
  ShiftyCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterType: "single-node"
      Encrypted: false
      DBName: "testfogsecurity"
      MasterUsername: "fogsecurity"
      ManageMasterPassword: true
      NodeType: "dc2.large"

Note: This template will return an error when using it for Redshift cluster creation due to the Encrypted property being set to false. That will need to be removed for this template to succesfullly create a Redshift cluster.

‍

Inaccurate and Misleading Information on Redshift Cluster Encryption

We reported this to AWS Security in April 2025. While we do not consider this to be a traditional security vulnerability, we do believe inaccurate and misleading understanding of managing encryption on data can lead to security issues including lack of oversight and potential misconfiguration.

Amazon Redshift Console Inaccurate Information on Cluster Encryption

When creating a Redshift cluster via the Amazon Management Console, we noticed the following info block when choosing an encryption key for the Redshift Cluster:

"Encryption key cannot be changed after cluster creation"

We found this to be inaccurate as we were able to change the encryption key after cluster creation. We were able to do the following:

Modify encryption key of a cluster after cluster creation to a different encryption key.
Modify encryption of a cluster from encrypted to unencrypted (we go into more detail in a later section).

Below are screenshots of the Management Console when selecting an encryption key type for Redshift cluster creation.

Amazon Redshift Cluster Creation on Console, April 2025(AWS Owned Key selected)

Amazon Redshift Cluster Creation on Console, April 2025 (Customer Managed Key selected)

AWS CloudFormation Inaccurate Information on Cluster Encryption

AWS CloudFormation documentation for AWS::Redshift::Cluster specifies that:

"If you set the value on this parameter to false, the request will fail."

While that is true for new cluster creations, we found that to be inaccurate when modifying an existing cluster. We were able to set the value of the encrypted cluster to false and still have the request succeed when modifying an existing cluster. Steps to reproduce:

Create Cluster via CloudFormation Template with either Encrypted set to true or omitted (will default to true)
Update existing CloudFormation stack with CloudFormation template with Encrypted set to false for Redshift Cluster.

‍

CloudFormation Documentation for AWS::Redshift::Cluster, April 2025

Shifty Business: Creating Unencrypted Redshift Clusters

We've already hinted at the ability to create unencrypted clusters, so let's get down to business. While AWS has made it significantly more complex to create unencrypted Redshift clusters, we were able to still create unencrypted clusters.

AWS documentation asserts that:

Encryption key for a Redshift cluster cannot be changed after cluster creation.
The Encrypted parameter on a AWS::Redshift::Cluster CloudFormation resource cannot be set to false . When the value is set to false , the request will fail.

We found the following:

Encryption keys for a Redshift cluster can be changed after cluster creation.
- We focus here on changing encryption settings on a Redshift cluster to unencrypted.
- We were also able to change encryption on a Redshift cluster to different encryption keys. This also includes changing the encryption key to a key owned in a different account.

The following is the CLI command we used to change the encryption settings on a Redshift cluster to unencrypted.

aws redshift modify-cluster \
--cluster-identifier fog-shifty-encryption-test \
--no-encrypted

The ability to change encryption can also be done via AWS management console. We used the console to modify encrpytion including changing the encryption key to a key owned in a different AWS account. This can be problematic for data management as encryption keys in different accounts may be more difficult to manage and can also be an indicator of ransomware.

Amazon Redshift Console Edit Encryption, April 2025

The Encrypted Property can be set to false on a AWS::Redshift::Cluster CloudFormation resource and the request will succeed for an update.

For this, we first need to create a cluster with either the Encrypted property set to true or without the Encrypted property (cluster will default to encrypted as true if property is not specified).

‍

Once the cluster has been created, we then will run a CloudFormation update with the following reference templates. Note, for testing, we left off many properties. We recommend setting properties in accordance with your application's needs and company's security guidelines.

AWSTemplateFormatVersion: 2010-09-09
Description: Fog Security Reference Unencrypted Redshift Cluster
Resources:
  ShiftyCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterType: "single-node"
      Encrypted: false
      DBName: "testfogsecurity"
      MasterUsername: "fogsecurity"
      ManageMasterPassword: true
      NodeType: "dc2.large"

‍

Conclusion

We see the changes by AWS to Redshift's default behavior and the changes by AWS to default encryption settings to be good steps towards a "Secure by Default" future. Additionally, we are glad unencrypted options and unencrypted by default options are being removed (see our research here for unencrypted options and research here for encrypted by default).

While it's more difficult now to configure unencrypted resources, it's still possible to configure unencrypted Redshift clusters via cluster modification (CLI, API, Console, or CloudFormation) as well as change encryption of a Redshift cluster after creation. Due to the inaccuracies of documentation and information provided by AWS, it is possible that security teams and security teams may not be monitoring or considering the potential for misconfiguration or even false sense of security of data encryption and security in Redshift.

We plan on continuing our work. Reach out to us at info@fogsecurity.io for more information and how we can help you on cloud encryption, ransomware prevention, and cloud data security. We'll be developing and researching more on encryption and related topics, contact us for a preview of what we're buliding!

‍

References

Fog Security: Are my AWS Resources Encrypted or Unencrypted by Default?

Fog Security: Unencrypted Resources in AWS

Fog Security: IAM Guide to Managing and Updating Encryption for AWS Resources

Github: IAM Reference for Encryption

Github: Encryption by Default

AWS Blog: Amazon Redshift enhances security by changing default behavior in 2025