Firehose Delivery Streams Encrypted
Ensures Firehose Delivery Stream encryption is enabled
Data sent through Firehose Delivery Streams can be encrypted using KMS server-side encryption. Existing delivery streams can be modified to add encryption with minimal overhead.
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
-
Log in to the AWS Management Console.
-
Select the “Services” option and search for “Kinesis”.
-
Under the “Amazon Kinesis dashboard” choose “Data Firehose” or “Delivery streams” from the left navigation panel.
-
Select the “Firehose Delivery System” that needs to be verified and click on the “Name” to access the delivery stream.
-
Select the “Configuration” tab and scroll down to “Server-side encryption (SSE)” and if it’s set to “Disabled” then the selected “Firehose Delivery System” data is not encrypted.
-
Enable the “Encryption” on selected “Firehose Delivery System” by clicking on the “Edit” button.
-
On the Edit page select “Enable server-side encryption for source records in delivery stream” under “Server-side encryption”.
-
Under “Encryption type” select “Use AWS owned CMK” if you want to create a new customer managed key for encryption.
-
If you already have your own encryption key then select “Use customer managed CMK” under “Encryption type” and select the existing key.
-
Click on the “Save changes” button to make the necessary changes. On the successful configuration changes, one will get “Successfully updated delivery stream” message.
-
Repeat steps number 4 to 10 to verify all other “Firehose Delivery streams”.