AWS Firehose Does Not Enforce Data-at-Rest Encryption


Amazon Kinesis Firehose provides the capability to encrypt data-at-rest using AWS Key Management Service (KMS). If a Kinesis Firehose delivery stream does not have data-at-rest encryption enabled, the data might be exposed to unauthorized access, which may not meet certain compliance and regulatory requirements.


1. Enable Encryption for Kinesis Firehose:

AWS Management Console:
  • Navigate to the Kinesis Firehose service.
  • Select the desired delivery stream.
  • In the Details section, look for the Server-side encryption setting.
  • Click on the Edit button.
  • Set the Server-side encryption option to Enabled.
  • Choose the desired KMS key from the list or provide a custom key.
  • Click on Save changes.

Note: If the delivery stream is currently processing records, you might need to stop it before enabling encryption.


To enable server-side encryption for an existing delivery stream:

aws firehose update-destination --delivery-stream-name <YOUR-STREAM-NAME> --current-delivery-stream-version-id <YOUR-VERSION-ID> --server-side-encryption-enabled

Replace <YOUR-STREAM-NAME> with your delivery stream name and <YOUR-VERSION-ID> with the current version ID of the delivery stream.

resource "aws_kinesis_firehose_delivery_stream" "example" {
  name        = "example"
  destination = "s3"

  s3_configuration {
    role_arn           = aws_iam_role.firehose.arn
    bucket_arn         = aws_s3_bucket.bucket.arn
    buffer_size        = 5
    buffer_interval    = 300
    compression_format = "UNCOMPRESSED"

  server_side_encryption {
    enable  = true
    key_arn = aws_kms_key.example.arn

resource "aws_kms_key" "example" {
  description             = "example"
  deletion_window_in_days = 10

In this Terraform configuration, the Kinesis Firehose delivery stream is encrypted using a custom KMS key.


Always enable server-side encryption for Kinesis Firehose delivery streams to safeguard data-at-rest. Ensure you manage and rotate your KMS keys according to AWS best practices. Regularly audit your Kinesis Firehose configurations to verify encryption settings.