To protect sensitive data, you can encrypt Teradata data volumes by setting the EBS Encryption parameter when launching a Teradata ecosystem or launching Teradata Database using CloudFormation. This setting encrypts the data volumes using a default customer master key (CMK) when using either launch method. Encryption is supported only for m4 instance types.
If you create and manage a CMK using the AWS Key Management Service or bring your own encryption keys, Teradata refers to these as non-default CMKs.
- Data volumes using a non-default CMK
- Root volume using a default CMK or a non-default CMK
If a node fails, the replacement node inherits the encryption setting of the failed node.
If you are unfolding, the new nodes inherit the encryption setting.
If you deploy AWS systems using AWS Marketplace products with multiple AWS accounts, the custom CMK encryption CloudFormation template needs modifications. You must contact Teradata Professional Services.