To protect sensitive data, you can encrypt Teradata data volumes by setting the EBS Encryption parameter when deploying Vantage. EBS Encryption uses a default customer master key (CMK) to encrypt data volumes when using either deployment.
You can also encrypt the root disk by setting the Root Disk Encryption parameter when deploying Vantage. Root Disk Encryption uses a default CMK to encrypt the root volume when using either deployment.
Encryption of Teradata data volumes and the root disk is supported only for m5 instance types for the Base, Advanced, and Enterprise tiers.
If you create and manage a CMK using the AWS Key Management Service or bring your own encryption keys, Teradata refers to these as non-default CMKs. To encrypt the data volumes or root disk using a non-default CMK, a custom CMK encryption AWS CloudFormation template is required, but is not available on the AWS Marketplace. Due to the complexity of this process, you must schedule an appointment with Teradata Consulting Services so they can provide the template and assistance.
If a node fails, the replacement node inherits the encryption setting of the failed node.
If you are scaling out, the new nodes inherit the encryption setting.
If you deploy AWS systems using AWS Marketplace products with multiple AWS accounts, the custom CMK encryption AWS CloudFormation template needs modifications. You must contact Teradata Consulting Services.