
Is it possible to use different encryption for different databases inside of single Redshift?

In other words, I mean that in the case (a theoretical case) of, for example, a hard drive stolen from an AWS data center, hackers would be unable to decrypt all databases on this drive with the same key?

1 Answer

It appears that:

  • Each data block on disk is encrypted with a different encryption key
  • Those encryption keys are then encrypted using a Database Encryption Key
  • That key is encrypted with a Cluster Encryption Key
  • That key is encrypted in AWS KMS with an encryption key specifically for Redshift in your account (as opposed to EC2, etc.)

See: Amazon Redshift Database Encryption


4 Comments

Thanks for your answer. Right now I'm choosing, for a multi-tenant solution, between tenant-per-database and tenant-per-schema. It looks like tenant-per-schema is a less secure approach for data at rest, because all data keys will be encrypted with the same database encryption key instead of with different database encryption keys, as in the tenant-per-database approach?
Every single disk block is encrypted with a different key. Each block holds 1MB of data. So, a 100MB database would involve at least 100 different encryption keys. These 100+ encryption keys are then encrypted with a Database Encryption Key before being stored.
Thanks. So, in other words: tenant-per-schema is a less secure approach than tenant-per-database, but is still pretty solidly secured in general and can also be used as a multi-tenant solution?
I'd say anything stored in Redshift is equally secure, from an "encryption-at-rest" standpoint. Ignoring encryption-at-rest, "tenant per schema" is less secure than "tenant per database" because it is possible that a badly configured GRANT permission could expose data to the wrong tenant. This is true for any database, not just Redshift. Of course, you should never give your customers direct access to a database, so it really comes down to whether your app is correctly coded to manage security.
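The key hierarchy the answer describes (per-block keys wrapped by a Database Encryption Key, wrapped by a Cluster Encryption Key, wrapped by a key held in KMS) is ordinary envelope encryption, and the question's stolen-drive scenario is easiest to reason about by building the hierarchy and then trying to open it without the root key. The following Python is an added illustration written for this page, not Amazon Redshift's code: the cipher is a toy SHA-256 keystream plus HMAC, standing in for the real block cipher (AES-256 is assumed; the page does not say), so that it runs with the standard library alone. The function names, the `on_disk` layout and the sample tenant rows are all constructed for the example; the 1 MB block size comes from the comment above.

```python
"""Envelope-encryption key hierarchy of the kind the answer describes.

Added illustration only: not Amazon Redshift's implementation.  The cipher
is a toy SHA-256 counter-mode keystream with an HMAC tag, standing in for
the real AES-256 (assumed) so the example needs only the standard library.
Layout follows the answer: every block on disk gets its own key, block keys
are wrapped by a Database Encryption Key (DEK), the DEK is wrapped by a
Cluster Encryption Key (CEK), and the CEK is wrapped by a per-account KMS
key that never lands on the drive.
"""
import hashlib
import hmac
import secrets

BLOCK_SIZE = 1024 * 1024  # 1 MB per block, as stated in the comment above
NONCE_LEN = 16
TAG_LEN = 32


def new_key() -> bytes:
    """256-bit random key (assumed key size; stands in for an AES-256 key)."""
    return secrets.token_bytes(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF in counter mode: SHA-256(key || nonce || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key raises instead of yielding garbage."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def encrypt_database(kms_key: bytes, data: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Return what lands on disk.  The KMS key itself is deliberately absent."""
    cek = new_key()
    dek = new_key()
    blocks = []
    for offset in range(0, len(data), block_size):
        block_key = new_key()                    # fresh key for every block
        blocks.append({
            "wrapped_block_key": wrap(dek, block_key),
            "ciphertext": wrap(block_key, data[offset:offset + block_size]),
        })
    return {
        "wrapped_cek": wrap(kms_key, cek),       # only the KMS key opens this
        "wrapped_dek": wrap(cek, dek),
        "blocks": blocks,
    }


def decrypt_database(kms_key: bytes, on_disk: dict) -> bytes:
    """Walk the hierarchy top-down: KMS key -> CEK -> DEK -> block keys -> data."""
    cek = unwrap(kms_key, on_disk["wrapped_cek"])
    dek = unwrap(cek, on_disk["wrapped_dek"])
    return b"".join(
        unwrap(unwrap(dek, b["wrapped_block_key"]), b["ciphertext"])
        for b in on_disk["blocks"]
    )


def stolen_disk_is_useless(on_disk: dict) -> bool:
    """The question's scenario: the attacker holds the drive but not the KMS key."""
    try:
        decrypt_database(new_key(), on_disk)     # any key that is not the real one
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    kms_key = new_key()                          # lives in KMS, never on the drive
    # Constructed sample rows for two tenants, not real data.
    data = b"tenant_a row 1\n" * 200 + b"tenant_b row 1\n" * 200
    disk = encrypt_database(kms_key, data, block_size=1024)
    assert decrypt_database(kms_key, disk) == data
    assert stolen_disk_is_useless(disk)
    print(f"{len(disk['blocks'])} blocks, each under its own key; the disk alone decrypts nothing")
```

Two things the structure makes visible: the drive contains nothing but wrapped keys and ciphertext, so the tenant-per-schema versus tenant-per-database choice changes nothing about what a thief can recover; and because every layer is authenticated, a wrong root key fails cleanly at the CEK step rather than producing plausible-looking garbage further down.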
