AWS-Kinesis-firehose-stream-as-source-has-server-side-encryption

Severity: High

Description: This control ensures that each AWS Kinesis Data Firehose delivery stream that uses a Kinesis Data Stream as its source has server-side encryption configured. It is recommended to have server-side encryption enabled for Amazon Kinesis delivery streams. When you configure a Kinesis data stream as the data source of a Kinesis Data Firehose delivery stream, Kinesis Data Firehose no longer stores the data at rest; instead, the data is stored in the data stream. Enabling encryption on the data stream therefore also enables encryption on the delivery stream.

Remediation Steps:

Perform the following steps to enable server-side encryption for Kinesis:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the Kinesis console.

  3. For each Kinesis Data Firehose delivery stream, click on the source Kinesis data stream.

  4. Click Configuration.

  5. Navigate to Encryption.

  6. Click Edit.

  7. Check the box to enable server-side encryption for source records in the delivery stream.

  8. Select Use customer-managed CMK.

  9. Select the required key in the dropdown.

  10. Click Save.
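The following is an added offline check for this control (example code, not part of the original control or of Blue Hexagon's tooling). It applies the description's logic to responses shaped like boto3's firehose.describe_delivery_stream and kinesis.describe_stream, and goes slightly beyond the text by marking DirectPut delivery streams, which have no source data stream, as not applicable; the stream names, ARNs and account number are constructed sample data.

```python
# Offline evaluation of the control. Response shapes follow boto3
# firehose.describe_delivery_stream / kinesis.describe_stream; all data is constructed.
from typing import Dict


def stream_name_from_arn(arn: str) -> str:
    """arn:aws:kinesis:<region>:<account>:stream/<name> -> <name>"""
    return arn.rsplit("stream/", 1)[1]


def evaluate(delivery_stream: dict, source_streams: Dict[str, dict]) -> dict:
    """PASS/FAIL/NOT_APPLICABLE for one delivery stream; source_streams maps
    Kinesis stream name -> describe_stream response."""
    desc = delivery_stream["DeliveryStreamDescription"]
    result = {"delivery_stream": desc["DeliveryStreamName"]}
    if desc.get("DeliveryStreamType") != "KinesisStreamAsSource":
        # DirectPut streams keep data at rest in Firehose itself: out of scope here.
        result["status"] = "NOT_APPLICABLE"
        return result
    arn = desc["Source"]["KinesisStreamSourceDescription"]["KinesisStreamARN"]
    src = source_streams[stream_name_from_arn(arn)]["StreamDescription"]
    # A stream that never had SSE configured may omit EncryptionType; treat as NONE.
    enc = src.get("EncryptionType", "NONE")
    result.update(source_stream=src["StreamName"], key_id=src.get("KeyId"),
                  status="PASS" if enc == "KMS" else "FAIL")
    return result


def audit(delivery_streams, source_streams) -> Dict[str, str]:
    """Delivery stream name -> control status, for a whole account listing."""
    return {r["delivery_stream"]: r["status"]
            for r in (evaluate(d, source_streams) for d in delivery_streams)}


# Constructed sample responses for a fictitious account 123456789012.
def _firehose(name, stream_arn=None):
    d = {"DeliveryStreamName": name, "DeliveryStreamType": "DirectPut"}
    if stream_arn:
        d["DeliveryStreamType"] = "KinesisStreamAsSource"
        d["Source"] = {"KinesisStreamSourceDescription": {"KinesisStreamARN": stream_arn}}
    return {"DeliveryStreamDescription": d}

ARN = "arn:aws:kinesis:us-east-1:123456789012:stream/"
SAMPLE_DELIVERY_STREAMS = [_firehose("orders-to-s3", ARN + "orders"),
                           _firehose("clicks-to-s3", ARN + "clicks"),
                           _firehose("logs-direct")]
SAMPLE_SOURCE_STREAMS = {
    "orders": {"StreamDescription": {"StreamName": "orders", "EncryptionType": "KMS",
                                     "KeyId": "alias/aws/kinesis"}},
    "clicks": {"StreamDescription": {"StreamName": "clicks", "EncryptionType": "NONE"}},
}
```

`audit(SAMPLE_DELIVERY_STREAMS, SAMPLE_STREAMS_SOURCE)` is not defined; call `audit(SAMPLE_DELIVERY_STREAMS, SAMPLE_SOURCE_STREAMS)` to get `orders-to-s3` PASS, `clicks-to-s3` FAIL and `logs-direct` NOT_APPLICABLE; in a live account the same inputs come from firehose list_delivery_streams/describe_delivery_stream and kinesis describe_stream. A FAIL is fixed with the CLI equivalent of steps 4 to 10, `aws kinesis start-stream-encryption --stream-name <name> --encryption-type KMS --key-id <your-cmk-arn>`.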

Important:

Reference:

Blue Hexagon Proprietary