Ensure that your AWS Kinesis Firehose delivery streams are encrypted using Server-Side Encryption (SSE) in order to meet regulatory requirements and protect your Kinesis data at rest. AWS Kinesis Firehose is a fully managed service designed for real-time streaming data delivery to destinations such as Amazon S3, Amazon Redshift, Amazon Elasticsearch Service and Splunk. When the Server-Side Encryption feature is enabled, Kinesis Firehose requests the AWS S3 service to encrypt your data before saving it to disk and to decrypt it when you download it. The data can be encrypted with either AWS KMS default keys or KMS Customer Master Keys (CMKs).
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
Organizations with strict compliance or data security requirements often require that their data be encrypted at all times, both at rest and in transit within the cloud. Server-Side Encryption (SSE) for Amazon Kinesis Firehose delivery streams helps you meet these requirements by providing an extra layer of protection for your Kinesis data at rest.
Audit
To determine if your Firehose delivery streams have the Server-Side Encryption feature enabled, perform the following actions:
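As an added example, not part of the Conformity rule or of AWS tooling, the Python helper below evaluates the JSON returned by `aws firehose describe-delivery-stream` (the `DeliveryStreamEncryptionConfiguration` and S3 destination `EncryptionConfiguration` fields are the real Firehose API fields) and reports whether stream-level SSE is enabled and whether the S3 destination requests KMS encryption. The sample descriptions in the test are constructed; the `main` reads the CLI output from stdin.

```python
import json
import sys


def audit_delivery_stream(desc: dict) -> dict:
    """Evaluate one DeliveryStreamDescription object for at-rest encryption.

    `desc` is either the full `describe-delivery-stream` output or the inner
    `DeliveryStreamDescription` dict. Returns a finding with the issues found.
    """
    desc = desc.get("DeliveryStreamDescription", desc)
    name = desc.get("DeliveryStreamName", "<unknown>")
    source = desc.get("DeliveryStreamType", "DirectPut")
    sse = desc.get("DeliveryStreamEncryptionConfiguration", {})
    sse_status = sse.get("Status", "DISABLED")  # absent config == not enabled
    issues = []

    # Stream-level SSE applies to DirectPut streams. A KinesisStreamAsSource
    # stream inherits encryption from its source Kinesis data stream, so that
    # setting must be audited on the source stream instead.
    if source == "DirectPut" and sse_status != "ENABLED":
        issues.append(f"stream-level SSE status is {sse_status}")

    # Each S3 destination carries its own request for KMS encryption of the
    # objects Firehose writes; NoEncryption means Firehose asks for none.
    for dest in desc.get("Destinations", []):
        s3 = dest.get("ExtendedS3DestinationDescription") or dest.get("S3DestinationDescription")
        if s3 is None:
            continue
        enc = s3.get("EncryptionConfiguration", {})
        if "KMSEncryptionConfig" not in enc:
            issues.append(
                f"S3 destination {dest.get('DestinationId', '?')} does not request KMS encryption"
            )

    return {
        "name": name,
        "key_type": sse.get("KeyType"),  # AWS_OWNED_CMK or CUSTOMER_MANAGED_CMK
        "compliant": not issues,
        "issues": issues,
    }


if __name__ == "__main__":
    # Usage: aws firehose describe-delivery-stream --delivery-stream-name X | python audit.py
    print(json.dumps(audit_delivery_stream(json.load(sys.stdin)), indent=2))
```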
Remediation / Resolution
To enable Server-Side Encryption (SSE) for your AWS Kinesis Firehose delivery streams, perform the following:
References
- AWS Documentation
  - Amazon Kinesis Data Firehose
  - AWS Key Management Service Concepts
  - Protecting Data Using Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
- AWS Command Line Interface (CLI) Documentation
  - firehose
  - list-delivery-streams
  - describe-delivery-stream
  - update-destination
Rule: Firehose Delivery Stream Encryption
Risk level: High