AWS-Kinesis-firehose-stream-as-source-has-server-side-encryption
Severity: High
Description: This control ensures that each AWS Kinesis Data Firehose delivery stream that uses a Kinesis data stream as its source has server-side encryption configured. Server-side encryption is recommended for Amazon Kinesis delivery streams. When a Kinesis data stream is the source of a Kinesis Data Firehose delivery stream, Kinesis Data Firehose no longer stores the data at rest; the data is stored in the source data stream instead. The encryption setting that matters for such a delivery stream is therefore the server-side encryption of the source data stream: enabling it encrypts the delivery stream's data at rest as well, and the control is evaluated against the source data stream, not against the delivery stream's own encryption setting (which applies only to Direct PUT sources).
Remediation Steps:
Perform the following to enable server-side encryption on the source Kinesis data stream:
Log in to the AWS Management Console at https://console.aws.amazon.com.
Navigate to the Kinesis console.
For each Kinesis Data Firehose delivery stream whose source is a Kinesis data stream, click the source Kinesis data stream.
Click Configuration.
Navigate to Encryption.
Click Edit.
Check the box to enable server-side encryption for the stream (this covers the records delivered through the delivery stream).
Select Use customer-managed CMK.
Select the required key from the dropdown.
Click Save.
Before saving, confirm that the key policy allows Kinesis to use the key: producers writing to the stream need kms:GenerateDataKey on it and consumers, including the IAM role the delivery stream uses to read from the stream, need kms:Decrypt, otherwise puts and reads fail once encryption is turned on.
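The following is an added example, not part of this control page or of any AWS tooling. It evaluates the control the way the description defines it (compliance is decided by the source data stream's encryption, and Direct PUT delivery streams are out of scope) and performs the remediation the console steps describe by enabling KMS server-side encryption on the source stream. The evaluation works on the response shapes of firehose DescribeDeliveryStream and kinesis DescribeStreamSummary, so it runs offline on the constructed sample responses embedded below; the stream names, account ID, role and key alias in those samples are made up, and the two live helpers use boto3 and real credentials only when they are called.

```python
"""Evaluate and remediate SSE for Firehose delivery streams with a Kinesis data stream source.

Added example, not code from the control page or from AWS. Pure functions work on the
JSON returned by firehose:DescribeDeliveryStream and kinesis:DescribeStreamSummary;
the live helpers at the bottom import boto3 lazily so everything else runs offline.
"""
from typing import Optional

# Alias of the AWS-managed Kinesis key. Assumption: if the reported KeyId ends with this
# alias the key is AWS-managed; if your account reports a key ARN instead, resolve it via
# kms:ListAliases before trusting the customer_managed_key flag.
AWS_MANAGED_KINESIS_KEY = "alias/aws/kinesis"


def source_stream_arn(describe_delivery_stream: dict) -> Optional[str]:
    """Return the source Kinesis data stream ARN, or None for a Direct PUT delivery stream."""
    desc = describe_delivery_stream.get("DeliveryStreamDescription", describe_delivery_stream)
    if desc.get("DeliveryStreamType") != "KinesisStreamAsSource":
        return None
    source = desc.get("Source", {}).get("KinesisStreamSourceDescription", {})
    return source.get("KinesisStreamARN")


def stream_name_from_arn(arn: str) -> str:
    """arn:aws:kinesis:<region>:<account>:stream/<name> -> <name>"""
    resource = arn.split(":", 5)[5]  # "stream/<name>"
    if not resource.startswith("stream/"):
        raise ValueError(f"not a Kinesis data stream ARN: {arn}")
    return resource[len("stream/"):]


def evaluate(describe_delivery_stream: dict, describe_stream_summary: dict) -> dict:
    """Apply the control: compliant only if the source data stream has KMS server-side encryption."""
    arn = source_stream_arn(describe_delivery_stream)
    if arn is None:
        # Direct PUT sources keep data in Firehose itself; that is covered by a different control.
        return {"applicable": False, "compliant": None, "reason": "source is not a Kinesis data stream"}
    summary = describe_stream_summary.get("StreamDescriptionSummary", describe_stream_summary)
    encryption = summary.get("EncryptionType", "NONE")
    key_id = summary.get("KeyId")
    compliant = encryption == "KMS" and bool(key_id)
    return {
        "applicable": True,
        "compliant": compliant,
        "source_stream": stream_name_from_arn(arn),
        "encryption_type": encryption,
        "key_id": key_id,
        "customer_managed_key": compliant and not key_id.endswith(AWS_MANAGED_KINESIS_KEY),
        "reason": "source data stream has KMS SSE" if compliant else "source data stream is not encrypted at rest",
    }


def check_delivery_stream(delivery_stream_name: str, session=None) -> dict:
    """Live version of evaluate(); needs boto3 and credentials with firehose:Describe* and kinesis:Describe*."""
    import boto3  # lazy import keeps the pure functions usable offline
    session = session or boto3.Session()
    ds = session.client("firehose").describe_delivery_stream(DeliveryStreamName=delivery_stream_name)
    arn = source_stream_arn(ds)
    if arn is None:
        return evaluate(ds, {})
    summary = session.client("kinesis").describe_stream_summary(StreamName=stream_name_from_arn(arn))
    return evaluate(ds, summary)


def enable_source_stream_sse(stream_name: str, key_id: str, session=None) -> None:
    """Remediation: the API equivalent of Configuration > Encryption > Edit > enable SSE > Save.
    key_id is a KMS key ID, key ARN or alias; make sure the key policy grants Kinesis,
    producers (kms:GenerateDataKey) and consumers (kms:Decrypt) access first."""
    import boto3
    kinesis = (session or boto3.Session()).client("kinesis")
    kinesis.start_stream_encryption(StreamName=stream_name, EncryptionType="KMS", KeyId=key_id)


# Constructed sample responses (not captured from a real account).
SAMPLE_DELIVERY_STREAM = {
    "DeliveryStreamDescription": {
        "DeliveryStreamName": "orders-to-s3",
        "DeliveryStreamType": "KinesisStreamAsSource",
        "Source": {"KinesisStreamSourceDescription": {
            "KinesisStreamARN": "arn:aws:kinesis:us-east-1:123456789012:stream/orders",
            "RoleARN": "arn:aws:iam::123456789012:role/firehose-orders",
        }},
    }
}
SAMPLE_DIRECT_PUT = {"DeliveryStreamDescription": {"DeliveryStreamName": "web-logs", "DeliveryStreamType": "DirectPut"}}
SAMPLE_UNENCRYPTED_SUMMARY = {"StreamDescriptionSummary": {"StreamName": "orders", "EncryptionType": "NONE"}}
SAMPLE_ENCRYPTED_SUMMARY = {"StreamDescriptionSummary": {
    "StreamName": "orders",
    "EncryptionType": "KMS",
    "KeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
}}

if __name__ == "__main__":
    print("before:", evaluate(SAMPLE_DELIVERY_STREAM, SAMPLE_UNENCRYPTED_SUMMARY))
    print("after: ", evaluate(SAMPLE_DELIVERY_STREAM, SAMPLE_ENCRYPTED_SUMMARY))
    print("direct put:", evaluate(SAMPLE_DIRECT_PUT, {}))
```

Against a real account, call check_delivery_stream(name) for every delivery stream returned by firehose list-delivery-streams, and call enable_source_stream_sse(result["source_stream"], "alias/<your-cmk>") for each result whose compliant field is False; the alias is an assumed placeholder, not a key that exists anywhere.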
Important:
Reference:
Blue Hexagon Proprietary