Ensure that your AWS Kinesis Firehose delivery streams are encrypted using Server-Side Encryption (SSE) in order to meet regulatory requirements and protect your Kinesis data at rest. AWS Kinesis Firehose is a fully managed service designed for real-time streaming data delivery to destinations such as Amazon S3, Amazon Redshift, Amazon ElasticSearch Service and Splunk. When Server-Side Encryption feature is enabled, Kinesis Firehose requests AWS S3 service to encrypt your data before saving it on disks and decrypt it when you download it. The data can be encrypted with either AWS KMS default keys or KMS Customer Master Keys (CMKs).
Organizations with strict compliance or data security requirements often require that their data to be encrypted at all times, including at rest or in transit within the cloud. Server-Side Encryption (SSE) for Amazon Kinesis Firehose delivery streams helps you meet these security requirements by providing an extra layer of protection for your Kinesis data-at-rest.
To determine if your Firehose delivery streams have the Server-Side Encryption feature enabled, perform the following actions:
To enable Server-Side Encryption (SSE) for your AWS Kinesis Firehose delivery streams, perform the following: