AWS-Kinesis-stream-with-direct-PUT-uses-CMK-server-side-encryption

Severity: High

Description: This control ensures that an AWS Kinesis Data Firehose delivery stream with a Kinesis data stream as source has server-side encryption configured with a customer-managed key. It is recommended to enable server-side encryption with a customer-managed key for Amazon Kinesis delivery streams.

Remediation Steps:

Perform the following steps to enable server-side encryption for Kinesis:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the Kinesis console.

  3. Go to each Kinesis Data Firehose delivery stream.

  4. Click on Encryption.

  5. Click Edit.

  6. Mark the box to Enable server-side encryption for source records in delivery stream.

  7. Select Use Customer-managed CMK.

  8. Select the required key in the dropdown.

  9. Click Save.
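
A check for the state these steps should produce, as an added example that is not part of the original control text: it classifies the `DeliveryStreamDescription` returned by the Firehose DescribeDeliveryStream API. It assumes the Direct PUT scope named in the title; the stream names, account ID and key ARN are constructed placeholders.

```python
# Added example: classify DescribeDeliveryStream output against this control.
# Live input (assumes boto3 and credentials):
#   boto3.client("firehose").describe_delivery_stream(
#       DeliveryStreamName=name)["DeliveryStreamDescription"]

def evaluate(desc):
    """Return (verdict, reason) for one DeliveryStreamDescription dict."""
    name = desc.get("DeliveryStreamName", "<unnamed>")
    # Assumption: only Direct PUT streams are in scope (per the title); other
    # stream types are reported separately so they are not silently passed.
    if desc.get("DeliveryStreamType") != "DirectPut":
        return ("NOT_APPLICABLE", f"{name}: not a Direct PUT stream")
    enc = desc.get("DeliveryStreamEncryptionConfiguration") or {}
    status = enc.get("Status", "DISABLED")
    if status in ("ENABLING", "DISABLING"):
        return ("PENDING", f"{name}: encryption is {status}, re-check later")
    if status != "ENABLED":
        failure = (enc.get("FailureDescription") or {}).get("Type")
        suffix = f" ({failure})" if failure else ""
        return ("FAIL", f"{name}: SSE status is {status}{suffix}")
    if enc.get("KeyType") != "CUSTOMER_MANAGED_CMK":
        return ("FAIL", f"{name}: SSE uses {enc.get('KeyType')}, not a customer-managed key")
    return ("PASS", f"{name}: SSE with {enc.get('KeyARN')}")

# Constructed sample descriptions (placeholder account ID and key ID).
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLES = [
    {"DeliveryStreamName": "orders", "DeliveryStreamType": "DirectPut",
     "DeliveryStreamEncryptionConfiguration": {
         "Status": "ENABLED", "KeyType": "CUSTOMER_MANAGED_CMK", "KeyARN": KEY}},
    {"DeliveryStreamName": "clicks", "DeliveryStreamType": "DirectPut",
     "DeliveryStreamEncryptionConfiguration": {
         "Status": "ENABLED", "KeyType": "AWS_OWNED_CMK"}},
    {"DeliveryStreamName": "audit", "DeliveryStreamType": "DirectPut",
     "DeliveryStreamEncryptionConfiguration": {
         "Status": "ENABLING_FAILED", "KeyType": "CUSTOMER_MANAGED_CMK",
         "KeyARN": KEY, "FailureDescription": {"Type": "KMS_ACCESS_DENIED"}}},
    {"DeliveryStreamName": "legacy", "DeliveryStreamType": "DirectPut",
     "DeliveryStreamEncryptionConfiguration": {"Status": "DISABLED"}},
    {"DeliveryStreamName": "relay", "DeliveryStreamType": "KinesisStreamAsSource"},
]

def failing_streams(descriptions):
    """Names of streams that violate the control."""
    return [d["DeliveryStreamName"] for d in descriptions if evaluate(d)[0] == "FAIL"]

if __name__ == "__main__":
    for d in SAMPLES:
        print(*evaluate(d))
```

A stream that reports `ENABLED` with `AWS_OWNED_CMK` is encrypted but still fails this control, which is the case a simple "is encryption on" check misses.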

Blue Hexagon Proprietary