Implement column-level encryption to protect sensitive data in Amazon Redshift with AWS Glue and AWS Lambda user-defined functions

Amazon Redshift is a massively parallel processing (MPP), fully managed petabyte-scale data warehouse that makes it simple and cost-effective to analyze all your data using existing business intelligence tools.

When businesses are modernizing their data warehousing solutions to Amazon Redshift, implementing additional data protection mechanisms for sensitive data, such as personally identifiable information (PII) or protected health information (PHI), is a common requirement, especially for those in highly regulated industries with strict data security and privacy mandates. Amazon Redshift provides role-based access control, row-level security, column-level security, and dynamic data masking, along with other database security features to enable organizations to enforce fine-grained data security.

Security-sensitive applications often require column-level (or field-level) encryption to enforce fine-grained protection of sensitive data on top of the default server-side encryption (namely data encryption at rest). In other words, sensitive data should be always encrypted on disk and remain encrypted in memory, until users with proper permissions request to decrypt the data. Column-level encryption provides an additional layer of security to protect your sensitive data throughout system processing so that only certain users or applications can access it. This encryption ensures that only authorized principals that need the data, and have the required credentials to decrypt it, are able to do so.

In this post, we demonstrate how you can implement your own column-level encryption mechanism in Amazon Redshift using AWS Glue to encrypt sensitive data before loading data into Amazon Redshift, and using AWS Lambda as a user-defined function (UDF) in Amazon Redshift to decrypt the data using standard SQL statements. Lambda UDFs can be written in any of the programming languages supported by Lambda, such as Java, Go, PowerShell, Node.js, C#, Python, Ruby, or a custom runtime. You can use Lambda UDFs in any SQL statement such as SELECT, UPDATE, INSERT, or DELETE, and in any clause of the SQL statements where scalar functions are allowed.

Solution overview

The following diagram describes the solution architecture.

To illustrate how to set up this architecture, we walk you through the following steps:

1. We upload a sample data file containing synthetic PII data to an Amazon Simple Storage Service (Amazon S3) bucket.
2. A sample 256-bit data encryption key is generated and securely stored using AWS Secrets Manager.
3. An AWS Glue job reads the data file from the S3 bucket, retrieves the data encryption key from Secrets Manager, performs data encryption for the PII columns, and loads the processed dataset into an Amazon Redshift table.
4. We create a Lambda function to reference the same data encryption key from Secrets Manager, and implement data decryption logic for the received payload data.
5. The Lambda function is registered as a Lambda UDF with a proper AWS Identity and Access Management (IAM) role that the Amazon Redshift cluster is authorized to assume.
6. We can validate the data decryption functionality by issuing sample queries using Amazon Redshift Query Editor v2.0. You may optionally choose to test it with your own SQL client or business intelligence tools.

Prerequisites

To deploy the solution, make sure to complete the following prerequisites:

• Have an AWS account. For this post, you configure the required AWS resources using AWS CloudFormation in the us-east-2 Region.
• Have an IAM user with permissions to manage AWS resources including Amazon S3, AWS Glue, Amazon Redshift, Secrets Manager, Lambda, and AWS Cloud9.

Deploy the solution using AWS CloudFormation

Provision the required AWS resources using a CloudFormation template by completing the following steps:

1. Sign in to your AWS account.
2. Choose Launch Stack:
   
3. Navigate to an AWS Region (for example, us-east-2).
4. For Stack name, enter a name for the stack or leave as default (aws-blog-redshift-column-level-encryption).
5. For RedshiftMasterUsername, enter a user name for the admin user account of the Amazon Redshift cluster or leave as default (master).
6. For RedshiftMasterUserPassword, enter a strong password for the admin user account of the Amazon Redshift cluster.
7. Select I acknowledge that AWS CloudFormation might create IAM resources.
8. Choose Create stack.
   

The CloudFormation stack creation process takes around 5–10 minutes to complete.

9. When the stack creation is complete, on the stack Outputs tab, record the values of the following:
   1. AWSCloud9IDE
   2. AmazonS3BucketForDataUpload
   3. IAMRoleForRedshiftLambdaUDF
   4. LambdaFunctionName

Upload the sample data file to Amazon S3

To test the column-level encryption capability, you can download the sample synthetic data generated by Mockaroo. The sample dataset contains synthetic PII and sensitive fields such as phone number, email address, and credit card number. In this post, we demonstrate how to encrypt the credit card number field, but you can apply the same method to other PII fields according to your own requirements.

An AWS Cloud9 instance is provisioned for you during the CloudFormation stack setup. You may access the instance from the AWS Cloud9 console, or by visiting the URL obtained from the CloudFormation stack output with the key AWSCloud9IDE.

On the AWS Cloud9 terminal, copy the sample dataset to your S3 bucket by running the following command:

S3_BUCKET=$(aws s3 ls| awk '{print $3}'| grep awsblog-pii-data-input-)
aws s3 cp s3://aws-blogs-artifacts-public/artifacts/BDB-2274/pii-sample-dataset.csv s3://$S3_BUCKET/

Generate a secret and secure it using Secrets Manager

We generate a 256-bit secret to be used as the data encryption key. Complete the following steps:

1. Create a new file in the AWS Cloud9 environment.
   
2. Enter the following code snippet. We use the cryptography package to create a secret, and use the AWS SDK for Python (Boto3) to securely store the secret value with Secrets Manager:

   from cryptography.fernet import Fernet
   import boto3
   import base64
   
   key = Fernet.generate_key()
   client = boto3.client('secretsmanager')
   
   response = client.create_secret(
       Name='data-encryption-key',
       SecretBinary=base64.urlsafe_b64decode(key)
   )
   
   print(response['ARN'])

3. Save the file with the file name generate_secret.py (or any desired name ending with .py).
   
4. Install the required packages by running the following pip install command in the terminal:

   pip install --user boto3
   pip install --user cryptography

5. Run the Python script via the following command to generate the secret:

   python generate_secret.py

   

Create a target table in Amazon Redshift

A single-node Amazon Redshift cluster is provisioned for you during the CloudFormation stack setup. To create the target table for storing the dataset with encrypted PII columns, complete the following steps:

1. On the Amazon Redshift console, navigate to the list of provisioned clusters, and choose your cluster.
   
2. To connect to the cluster, on the Query data drop-down menu, choose Query in query editor v2.
   
3. If this is the first time you’re using the Amazon Redshift Query Editor V2, accept the default setting by choosing Configure account.
   
4. To connect to the cluster, choose the cluster name.
   
5. For Database, enter demodb.
6. For User name, enter master.
7. For Password, enter your password.

You may need to change the user name and password according to your CloudFormation settings.

8. Choose Create connection.
   
9. In the query editor, run the following DDL command to create a table named pii_table:

   CREATE TABLE pii_table(
     id BIGINT,
     full_name VARCHAR(50),
     gender VARCHAR(10),
     job_title VARCHAR(50),
     spoken_language VARCHAR(50),
     contact_phone_number VARCHAR(20),
     email_address VARCHAR(50),
     registered_credit_card VARCHAR(50)
   );

We recommend using the smallest possible column size as a best practice, and you may need to modify these table definitions per your specific use case. Creating columns much larger than necessary will have an impact on the size of data tables and affect query performance.

Create the source and destination Data Catalog tables in AWS Glue

The CloudFormation stack provisioned two AWS Glue data crawlers: one for the Amazon S3 data source and one for the Amazon Redshift data source. To run the crawlers, complete the following steps:

1. On the AWS Glue console, choose Crawlers in the navigation pane.
   
2. Select the crawler named glue-s3-crawler, then choose Run crawler to trigger the crawler job.
   
3. Select the crawler named glue-redshift-crawler, then choose Run crawler.
   

When the crawlers are complete, navigate to the Tables page to verify your results. You should see two tables registered under the demodb database.

Author an AWS Glue ETL job to perform data encryption

An AWS Glue job is provisioned for you as part of the CloudFormation stack setup, but the extract, transform, and load (ETL) script has not been created. We create and upload the ETL script to the /glue-script folder under the provisioned S3 bucket in order to run the AWS Glue job.

1. Return to your AWS Cloud9 environment either via the AWS Cloud9 console, or by visiting the URL obtained from the CloudFormation stack output with the key AWSCloud9IDE.
   

We use the Miscreant package for implementing a deterministic encryption using the AES-SIV encryption algorithm, which means that for any given plain text value, the generated encrypted value will be always the same. The benefit of using this encryption approach is to allow for point lookups, equality joins, grouping, and indexing on encrypted columns. However, you should also be aware of the potential security implication when applying deterministic encryption to low-cardinality data, such as gender, boolean values, and status flags.

2. Create a new file in the AWS Cloud9 environment and enter the following code snippet:

   import sys
   from awsglue.transforms import *
   from awsglue.utils import getResolvedOptions
   from pyspark.context import SparkContext
   from awsglue.context import GlueContext
   from awsglue.job import Job
   from awsglue.dynamicframe import DynamicFrameCollection
   from awsglue.dynamicframe import DynamicFrame
   
   import boto3
   import base64
   from miscreant.aes.siv import SIV
   from pyspark.sql.functions import udf, col
   from pyspark.sql.types import StringType
   
   args = getResolvedOptions(sys.argv, ["JOB_NAME", "SecretName", "InputTable"])
   sc = SparkContext()
   glueContext = GlueContext(sc)
   spark = glueContext.spark_session
   job = Job(glueContext)
   job.init(args["JOB_NAME"], args)
   
   # retrieve the data encryption key from Secrets Manager
   secret_name = args["SecretName"]
   
   sm_client = boto3.client('secretsmanager')
   get_secret_value_response = sm_client.get_secret_value(SecretId = secret_name)
   data_encryption_key = get_secret_value_response['SecretBinary']
   siv = SIV(data_encryption_key)  # Without nonce, the encryption becomes deterministic
   
   # define the data encryption function
   def pii_encrypt(value):
       if value is None:
           value = ""
       ciphertext = siv.seal(value.encode())
       return base64.b64encode(ciphertext).decode('utf-8')
   
   # register the data encryption function as Spark SQL UDF   
   udf_pii_encrypt = udf(lambda z: pii_encrypt(z), StringType())
   
   # define the Glue Custom Transform function
   def Encrypt_PII (glueContext, dfc) -> DynamicFrameCollection:
       newdf = dfc.select(list(dfc.keys())[0]).toDF()
       
       # PII fields to be encrypted
       pii_col_list = ["registered_credit_card"]
   
       for pii_col_name in pii_col_list:
           newdf = newdf.withColumn(pii_col_name, udf_pii_encrypt(col(pii_col_name)))
   
       encrypteddyc = DynamicFrame.fromDF(newdf, glueContext, "encrypted_data")
       return (DynamicFrameCollection({"CustomTransform0": encrypteddyc}, glueContext))
   
   # Script generated for node S3 bucket
   S3bucket_node1 = glueContext.create_dynamic_frame.from_catalog(
       database="demodb",
       table_name=args["InputTable"],
       transformation_ctx="S3bucket_node1",
   )
   
   # Script generated for node ApplyMapping
   ApplyMapping_node2 = ApplyMapping.apply(
       frame=S3bucket_node1,
       mappings=[
           ("id", "long", "id", "long"),
           ("full_name", "string", "full_name", "string"),
           ("gender", "string", "gender", "string"),
           ("job_title", "string", "job_title", "string"),
           ("spoken_language", "string", "spoken_language", "string"),
           ("contact_phone_number", "string", "contact_phone_number", "string"),
           ("email_address", "string", "email_address", "string"),
           ("registered_credit_card", "long", "registered_credit_card", "string"),
       ],
       transformation_ctx="ApplyMapping_node2",
   )
   
   # Custom Transform
   Customtransform_node = Encrypt_PII(glueContext, DynamicFrameCollection({"ApplyMapping_node2": ApplyMapping_node2}, glueContext))
   
   # Script generated for node Redshift Cluster
   RedshiftCluster_node3 = glueContext.write_dynamic_frame.from_catalog(
       frame=Customtransform_node,
       database="demodb",
       table_name="demodb_public_pii_table",
       redshift_tmp_dir=args["TempDir"],
       transformation_ctx="RedshiftCluster_node3",
   )
   
   job.commit()

3. Save the script with the file name pii-data-encryption.py.
   
4. Copy the script to the desired S3 bucket location by running the following command:

   S3_BUCKET=$(aws s3 ls| awk '{print $3}'| grep awsblog-pii-data-input-)
   aws s3 cp pii-data-encryption.py s3://$S3_BUCKET/glue-script/pii-data-encryption.py

   

5. To verify the script is uploaded successfully, navigate to the Jobs page on the AWS Glue console.You should be able to find a job named pii-data-encryption-job.
   
6. Choose Run to trigger the AWS Glue job.It will first read the source data from the S3 bucket registered in the AWS Glue Data Catalog, then apply column mappings to transform data into the expected data types, followed by performing PII fields encryption, and finally loading the encrypted data into the target Redshift table. The whole process should be completed within 5 minutes for this sample dataset.You can switch to the Runs tab to monitor the job status.
   

Configure a Lambda function to perform data decryption

A Lambda function with the data decryption logic is deployed for you during the CloudFormation stack setup. You can find the function on the Lambda console.

The following is the Python code used in the Lambda function:

import boto3
import os
import json
import base64
import logging
from miscreant.aes.siv import SIV

logger = logging.getLogger()
logger.setLevel(logging.INFO)

secret_name = os.environ['DATA_ENCRYPT_KEY']

sm_client = boto3.client('secretsmanager')
get_secret_value_response = sm_client.get_secret_value(SecretId = secret_name)
data_encryption_key = get_secret_value_response['SecretBinary']

siv = SIV(data_encryption_key)  # Without nonce, the encryption becomes deterministic

# define lambda function logic
def lambda_handler(event, context):
    ret = dict()
    res = []
    for argument in event['arguments']:
        encrypted_value = argument[0]
        try:
            de_val = siv.open(base64.b64decode(encrypted_value)) # perform decryption
        except:
            de_val = encrypted_value
            logger.warning('Decryption for value failed: ' + str(encrypted_value)) 
        res.append(json.dumps(de_val.decode('utf-8')))

    ret['success'] = True
    ret['results'] = res

    return json.dumps(ret) # return decrypted results

If you want to deploy the Lambda function on your own, make sure to include the Miscreant package in your deployment package.

Register a Lambda UDF in Amazon Redshift

You can create Lambda UDFs that use custom functions defined in Lambda as part of your SQL queries. Lambda UDFs are managed in Lambda, and you can control the access privileges to invoke these UDFs in Amazon Redshift.

1. Navigate back to the Amazon Redshift Query Editor V2 to register the Lambda UDF.
2. Use the CREATE EXTERNAL FUNCTION command and provide an IAM role that the Amazon Redshift cluster is authorized to assume and make calls to Lambda:

   CREATE OR REPLACE EXTERNAL FUNCTION pii_decrypt (value varchar(max))
   RETURNS varchar STABLE
   LAMBDA '<--Replace-with-your-lambda-function-name-->'
   IAM_ROLE '<--Replace-with-your-redshift-lambda-iam-role-arn-->';

You can find the Lambda name and Amazon Redshift IAM role on the CloudFormation stack Outputs tab:

• LambdaFunctionName
• IAMRoleForRedshiftLambdaUDF

Validate the column-level encryption functionality in Amazon Redshift

By default, permission to run new Lambda UDFs is granted to PUBLIC. To restrict usage of the newly created UDF, revoke the permission from PUBLIC and then grant the privilege to specific users or groups. To learn more about Lambda UDF security and privileges, see Managing Lambda UDF security and privileges.

You must be a superuser or have the sys:secadmin role to run the following SQL statements:

GRANT SELECT ON "demodb"."public"."pii_table" TO PUBLIC;
CREATE USER regular_user WITH PASSWORD '1234Test!';
CREATE USER privileged_user WITH PASSWORD '1234Test!';
REVOKE EXECUTE ON FUNCTION pii_decrypt(varchar) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION pii_decrypt(varchar) TO privileged_user;

First, we run a SELECT statement to verify that our highly sensitive data field, in this case the registered_credit_card column, is now encrypted in the Amazon Redshift table:

SELECT * FROM "demodb"."public"."pii_table";

For regular database users who have not been granted the permission to use the Lambda UDF, they will see a permission denied error when they try to use the pii_decrypt() function:

SET SESSION AUTHORIZATION regular_user;
SELECT *, pii_decrypt(registered_credit_card) AS decrypted_credit_card FROM "demodb"."public"."pii_table";

For privileged database users who have been granted the permission to use the Lambda UDF for decrypting the data, they can issue a SQL statement using the pii_decrypt() function:

SET SESSION AUTHORIZATION privileged_user;
SELECT *, pii_decrypt(registered_credit_card) AS decrypted_credit_card FROM "demodb"."public"."pii_table";

The original registered_credit_card values can be successfully retrieved, as shown in the decrypted_credit_card column.

Cleaning up

To avoid incurring future charges, make sure to clean up all the AWS resources that you created as part of this post.

You can delete the CloudFormation stack on the AWS CloudFormation console or via the AWS Command Line Interface (AWS CLI). The default stack name is aws-blog-redshift-column-level-encryption.

Conclusion

In this post, we demonstrated how to implement a custom column-level encryption solution for Amazon Redshift, which provides an additional layer of protection for sensitive data stored on the cloud data warehouse. The CloudFormation template gives you an easy way to set up the data pipeline, which you can further customize for your specific business scenarios. You can also modify the AWS Glue ETL code to encrypt multiple data fields at the same time, and to use different data encryption keys for different columns for enhanced data security. With this solution, you can limit the occasions where human actors can access sensitive data stored in plain text on the data warehouse.

You can learn more about this solution and the source code by visiting the GitHub repository. To learn more about how to use Amazon Redshift UDFs to solve different business problems, refer to Example uses of user-defined functions (UDFs) and Amazon Redshift UDFs.

About the Author

Aaron Chong is an Enterprise Solutions Architect at Amazon Web Services Hong Kong. He specializes in the data analytics domain, and works with a wide range of customers to build big data analytics platforms, modernize data engineering practices, and advocate AI/ML democratization.