AWS-Kinesis-firehose-stream-as-source-uses-CMK-server-side-encryption

Severity: High

Description: This control ensures that an AWS Kinesis Data Firehose delivery stream with a Kinesis data stream as its source has server-side encryption configured. It is recommended to have server-side encryption enabled for Amazon Kinesis Delivery Streams.

Remediation Steps:

Perform the following to enable server-side encryption for Kinesis:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the Kinesis console.

  3. For each Kinesis Data Firehose delivery stream, click on the source Kinesis data stream.

  4. Click on Configuration.

  5. Navigate to Encryption.

  6. Click Edit.

  7. Mark the box to Enable server-side encryption for source records in delivery stream.

  8. Select Use Customer-managed CMK.

  9. Select the required key in the dropdown.

  10. Click Save.

Important:

Server-side encryption must be enabled on the source stream for this control to be evaluated.
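The following Python script is an added example, not part of the Blue Hexagon control text. It evaluates the control the way the description states it (for each Firehose delivery stream whose source is a Kinesis data stream, the source stream must have server-side encryption enabled with a customer-managed CMK rather than the AWS-managed key) and includes the API equivalent of console steps 4 to 10. The delivery-stream and key names, account id and ARNs are constructed sample data; the boto3 calls (`list_delivery_streams`, `describe_delivery_stream`, `describe_stream`, `start_stream_encryption`) and the response field names are the real AWS API shapes, and the live-account functions assume credentials with the listed read permissions.

```python
"""Evaluate 'Firehose stream with Kinesis source uses CMK server-side encryption'.

Added example, not the control's own implementation. Offline evaluation runs
against constructed fixtures; the live functions need boto3 and AWS credentials.
"""
from __future__ import annotations

try:
    import boto3  # only required by evaluate_account / remediate_source_stream
except ImportError:  # keep the offline evaluation usable without boto3
    boto3 = None

# Kinesis reports this alias as KeyId when the AWS-managed key is in use.
AWS_MANAGED_KINESIS_KEY = "alias/aws/kinesis"


def stream_name_from_arn(arn: str) -> str:
    """arn:aws:kinesis:<region>:<account>:stream/<name> -> <name>."""
    return arn.rsplit("/", 1)[-1]


def is_customer_managed_cmk(key_id: str | None) -> bool:
    """True only for a key the customer owns (key ARN, key id or custom alias);
    the AWS-managed alias/aws/kinesis (bare or as an alias ARN) does not count."""
    if not key_id:
        return False
    return not key_id.endswith(AWS_MANAGED_KINESIS_KEY)


def evaluate_source_stream(stream_description: dict) -> dict:
    """Apply the control to one Kinesis StreamDescription."""
    encryption = stream_description.get("EncryptionType", "NONE")
    key_id = stream_description.get("KeyId")
    if encryption != "KMS":
        return {"compliant": False, "key_id": key_id,
                "reason": "server-side encryption is not enabled on the source stream"}
    if not is_customer_managed_cmk(key_id):
        return {"compliant": False, "key_id": key_id,
                "reason": "source stream uses the AWS-managed key, not a customer-managed CMK"}
    return {"compliant": True, "key_id": key_id,
            "reason": "source stream uses a customer-managed CMK"}


def evaluate_delivery_stream(delivery_description: dict, describe_stream) -> dict | None:
    """Return a finding for a KinesisStreamAsSource delivery stream, or None when the
    control does not apply (DirectPut / MSKAsSource streams have no Kinesis source)."""
    if delivery_description.get("DeliveryStreamType") != "KinesisStreamAsSource":
        return None
    source_arn = delivery_description["Source"]["KinesisStreamSourceDescription"]["KinesisStreamARN"]
    finding = evaluate_source_stream(describe_stream(stream_name_from_arn(source_arn)))
    finding["delivery_stream"] = delivery_description["DeliveryStreamName"]
    finding["source_stream"] = source_arn
    return finding


# --- constructed fixtures shaped like DescribeDeliveryStream / DescribeStream responses ---
def _kinesis_source_delivery_stream(name: str) -> dict:
    return {"DeliveryStreamName": name, "DeliveryStreamType": "KinesisStreamAsSource",
            "Source": {"KinesisStreamSourceDescription": {
                "KinesisStreamARN": f"arn:aws:kinesis:us-east-1:123456789012:stream/{name}",
                "RoleARN": "arn:aws:iam::123456789012:role/firehose-read-role"}}}


SAMPLE_DELIVERY_STREAMS = [
    {"DeliveryStreamName": "clickstream-direct", "DeliveryStreamType": "DirectPut"},
    _kinesis_source_delivery_stream("orders-plain"),
    _kinesis_source_delivery_stream("orders-aws-key"),
    _kinesis_source_delivery_stream("orders-cmk"),
]
SAMPLE_SOURCE_STREAMS = {
    "orders-plain": {"StreamName": "orders-plain", "EncryptionType": "NONE"},
    "orders-aws-key": {"StreamName": "orders-aws-key", "EncryptionType": "KMS",
                       "KeyId": AWS_MANAGED_KINESIS_KEY},
    "orders-cmk": {"StreamName": "orders-cmk", "EncryptionType": "KMS",
                   "KeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"},
}


def evaluate_samples() -> list[dict]:
    """Run the control over the constructed fixtures; no AWS access needed."""
    findings = []
    for desc in SAMPLE_DELIVERY_STREAMS:
        finding = evaluate_delivery_stream(desc, lambda name: SAMPLE_SOURCE_STREAMS[name])
        if finding is not None:
            findings.append(finding)
    return findings


def evaluate_account(region: str = "us-east-1") -> list[dict]:
    """Same check against a live account. Needs firehose:ListDeliveryStreams,
    firehose:DescribeDeliveryStream and kinesis:DescribeStream."""
    firehose = boto3.client("firehose", region_name=region)
    kinesis = boto3.client("kinesis", region_name=region)

    def describe(name: str) -> dict:
        return kinesis.describe_stream(StreamName=name)["StreamDescription"]

    findings, start_after = [], None
    while True:  # ListDeliveryStreams has no paginator; page manually
        kwargs = {"DeliveryStreamType": "KinesisStreamAsSource"}
        if start_after:
            kwargs["ExclusiveStartDeliveryStreamName"] = start_after
        page = firehose.list_delivery_streams(**kwargs)
        for name in page["DeliveryStreamNames"]:
            desc = firehose.describe_delivery_stream(DeliveryStreamName=name)["DeliveryStreamDescription"]
            finding = evaluate_delivery_stream(desc, describe)
            if finding is not None:
                findings.append(finding)
        if not page["HasMoreDeliveryStreams"] or not page["DeliveryStreamNames"]:
            return findings
        start_after = page["DeliveryStreamNames"][-1]


def remediate_source_stream(stream_name: str, cmk_key_arn: str, region: str = "us-east-1") -> None:
    """API equivalent of console steps 4-10: enable SSE on the source stream with the
    given customer-managed key (needs kinesis:StartStreamEncryption and use of the key)."""
    boto3.client("kinesis", region_name=region).start_stream_encryption(
        StreamName=stream_name, EncryptionType="KMS", KeyId=cmk_key_arn)


if __name__ == "__main__":
    for f in evaluate_samples():
        print(f"{f['delivery_stream']:<16} compliant={f['compliant']!s:<5} {f['reason']}")
```

Running the script without arguments evaluates the fixtures and reports `orders-plain` and `orders-aws-key` as non-compliant and `orders-cmk` as compliant; `clickstream-direct` produces no finding because a DirectPut stream has no source Kinesis stream for this control to inspect. Against a real account, `evaluate_account` only needs read permissions, so it can run from a read-only audit role, while `remediate_source_stream` is the write step and should be run with the key ARN chosen in step 9.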

Reference:

Blue Hexagon Proprietary