Ensure that your AWS Kinesis Firehose delivery streams are encrypted with AWS KMS Customer Master Keys (CMKs) instead of AWS-managed keys (i.e. the default keys the Kinesis Firehose service uses when no customer key is defined), so that you have full control over the encryption and decryption process and can meet regulatory requirements. AWS Kinesis Firehose is a fully managed service designed for real-time streaming data delivery to destinations such as Amazon S3, Amazon Redshift, Amazon Elasticsearch Service and Splunk.
When you use your own AWS KMS Customer Master Keys (CMKs) to protect your Kinesis Firehose delivery streams, you have complete control over who can use these keys to access your streaming data. The AWS KMS service lets you easily create, rotate, disable and audit the CMK encryption keys used by your Kinesis Firehose delivery streams.
To determine the encryption status for your Firehose delivery streams, perform the following actions:
To encrypt existing AWS Kinesis Firehose delivery streams with your own KMS Customer Master Keys (CMKs), perform the following:
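As an added example (not part of the original guidance), the following Python script implements both the encryption check and the remediation with boto3's Firehose client: it classifies each delivery stream by its DeliveryStreamEncryptionConfiguration and, when a CMK ARN is supplied, calls StartDeliveryStreamEncryption on the non-compliant ones. The sample stream descriptions, stream names and key ARN are constructed for illustration.

```python
# Constructed sample DescribeDeliveryStream results (not real account data).
SAMPLE_DESCRIPTIONS = {
    "orders-to-s3": {"DeliveryStreamEncryptionConfiguration": {
        "Status": "ENABLED", "KeyType": "CUSTOMER_MANAGED_CMK",
        "KeyARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
    "logs-to-es": {"DeliveryStreamEncryptionConfiguration": {
        "Status": "ENABLED", "KeyType": "AWS_OWNED_CMK"}},
    "metrics-to-splunk": {"DeliveryStreamEncryptionConfiguration": {"Status": "DISABLED"}},
}

def classify_encryption(description):
    """Classify one DeliveryStreamDescription dict from DescribeDeliveryStream.
    Any Status other than ENABLED (DISABLED, ENABLING, ENABLING_FAILED, ...) is
    reported as UNENCRYPTED so transitional or failed states never pass."""
    cfg = description.get("DeliveryStreamEncryptionConfiguration") or {}
    if cfg.get("Status") != "ENABLED":
        return "UNENCRYPTED"
    if cfg.get("KeyType") == "CUSTOMER_MANAGED_CMK":
        return "CUSTOMER_MANAGED_CMK"
    return "AWS_OWNED_CMK"  # service default key: no customer control or audit

def noncompliant_streams(descriptions):
    """Sorted names of streams not protected by a customer-managed CMK."""
    return sorted(name for name, desc in descriptions.items()
                  if classify_encryption(desc) != "CUSTOMER_MANAGED_CMK")

def audit_account(firehose, remediate_key_arn=None):
    """Run the check with a boto3 Firehose client and return the offenders.
    With remediate_key_arn set, each offender is switched to that CMK via
    StartDeliveryStreamEncryption; the key policy must let the Firehose
    service use the CMK, or the stream ends up in ENABLING_FAILED."""
    descriptions, start_after = {}, None
    while True:  # ListDeliveryStreams pages by exclusive start name
        kwargs = {"ExclusiveStartDeliveryStreamName": start_after} if start_after else {}
        page = firehose.list_delivery_streams(**kwargs)
        for name in page["DeliveryStreamNames"]:
            descriptions[name] = firehose.describe_delivery_stream(
                DeliveryStreamName=name)["DeliveryStreamDescription"]
        if not page["HasMoreDeliveryStreams"] or not page["DeliveryStreamNames"]:
            break
        start_after = page["DeliveryStreamNames"][-1]
    offenders = noncompliant_streams(descriptions)
    for name in offenders:
        print(f"{name}: {classify_encryption(descriptions[name])}")
        if remediate_key_arn:
            firehose.start_delivery_stream_encryption(
                DeliveryStreamName=name,
                DeliveryStreamEncryptionConfigurationInput={
                    "KeyARN": remediate_key_arn, "KeyType": "CUSTOMER_MANAGED_CMK"})
    return offenders
```

Call `audit_account(boto3.client("firehose"))` for a report only, or pass your CMK ARN as the second argument to remediate; note that Firehose only accepts server-side encryption settings on delivery streams whose source is Direct PUT, so streams fed from a Kinesis Data Stream will show no encryption configuration here and must be protected at the source stream.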