AWS Firehose Does Not Enforce Data-at-Rest Encryption
Description:
Amazon Kinesis Firehose can encrypt data at rest using AWS Key Management Service (KMS). If a Kinesis Firehose delivery stream does not have data-at-rest encryption enabled, the data it holds may be exposed to unauthorized access, and the configuration may not meet certain compliance and regulatory requirements.
Remediation:
1. Enable Encryption for Kinesis Firehose:
AWS Management Console:
- Navigate to the Kinesis Firehose service.
- Select the desired delivery stream.
- In the Details section, look for the Server-side encryption setting.
- Click on the Edit button.
- Set the Server-side encryption option to Enabled.
- Choose the desired KMS key from the list or provide a custom key.
- Click on Save changes.
Note: If the delivery stream is currently processing records, you might need to stop it before enabling encryption.
AWS CLI:
To enable server-side encryption for an existing delivery stream with a customer-managed KMS key:
aws firehose start-delivery-stream-encryption --delivery-stream-name <YOUR-STREAM-NAME> --delivery-stream-encryption-configuration-input KeyType=CUSTOMER_MANAGED_CMK,KeyARN=<YOUR-KMS-KEY-ARN>
Replace <YOUR-STREAM-NAME> with your delivery stream name and <YOUR-KMS-KEY-ARN> with the ARN of the KMS key to use. To encrypt with the AWS-owned key instead, pass KeyType=AWS_OWNED_CMK and omit KeyARN.
Terraform:
# Delivery stream with server-side encryption backed by a customer-managed KMS key.
# Attribute names follow AWS provider v5; aws_iam_role.firehose and aws_s3_bucket.bucket
# are assumed to be defined elsewhere in the configuration.
resource "aws_kinesis_firehose_delivery_stream" "example" {
  name        = "example"
  destination = "extended_s3"

  extended_s3_configuration {
    role_arn           = aws_iam_role.firehose.arn
    bucket_arn         = aws_s3_bucket.bucket.arn
    buffering_size     = 5
    buffering_interval = 300
    compression_format = "UNCOMPRESSED"
  }

  server_side_encryption {
    enabled  = true
    key_type = "CUSTOMER_MANAGED_CMK"
    key_arn  = aws_kms_key.example.arn
  }
}

resource "aws_kms_key" "example" {
  description             = "example"
  deletion_window_in_days = 10
  enable_key_rotation     = true
}
In this Terraform configuration, the Kinesis Firehose delivery stream is encrypted using a customer-managed KMS key with automatic rotation enabled.
Recommendation:
Always enable server-side encryption for Kinesis Firehose delivery streams to safeguard data-at-rest. Ensure you manage and rotate your KMS keys according to AWS best practices. Regularly audit your Kinesis Firehose configurations to verify encryption settings.
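The following audit script is an added example, not code from the original page: it classifies each delivery stream from its DescribeDeliveryStream response, going a step beyond the recommendation by also flagging streams encrypted with the AWS-owned key and streams fed by a Kinesis data stream (where Firehose inherits the source stream's encryption). SAMPLE_RESPONSES is constructed data; a live run assumes boto3 with AWS credentials configured.

```python
# Audit Kinesis Data Firehose delivery streams for server-side encryption (added example).
COMPLIANT, NON_COMPLIANT, NEEDS_REVIEW = "COMPLIANT", "NON_COMPLIANT", "NEEDS_REVIEW"

def check_stream_encryption(describe_response: dict) -> tuple[str, str, str]:
    """Return (stream name, result, reason) for one DescribeDeliveryStream response."""
    desc = describe_response["DeliveryStreamDescription"]
    name = desc["DeliveryStreamName"]
    sse = desc.get("DeliveryStreamEncryptionConfiguration", {})
    status, key_type = sse.get("Status", "DISABLED"), sse.get("KeyType")
    if desc.get("DeliveryStreamType") == "KinesisStreamAsSource":
        # Firehose SSE cannot be started on these streams; encryption is inherited
        # from the source Kinesis data stream, which must be audited separately.
        return name, NEEDS_REVIEW, "encryption inherited from source Kinesis stream"
    if status != "ENABLED":  # DISABLED, ENABLING_FAILED, DISABLING, ... all fail
        return name, NON_COMPLIANT, f"server-side encryption status is {status}"
    if key_type != "CUSTOMER_MANAGED_CMK":
        # Encrypted with the AWS-owned key: no control over key policy or rotation.
        return name, NEEDS_REVIEW, "encrypted with AWS-owned key, not a customer KMS key"
    return name, COMPLIANT, "SSE enabled with customer-managed KMS key"

def audit_account(firehose_client) -> list[tuple[str, str, str]]:
    """Run the check over every delivery stream, following ListDeliveryStreams pagination."""
    findings, kwargs = [], {}
    while True:
        page = firehose_client.list_delivery_streams(**kwargs)
        for name in page["DeliveryStreamNames"]:
            resp = firehose_client.describe_delivery_stream(DeliveryStreamName=name)
            findings.append(check_stream_encryption(resp))
        if not page.get("HasMoreDeliveryStreams"):
            return findings
        kwargs = {"ExclusiveStartDeliveryStreamName": name}

# Constructed sample responses (not from a real account) so the check runs offline.
SAMPLE_RESPONSES = [
    {"DeliveryStreamDescription": {"DeliveryStreamName": "orders-unencrypted",
        "DeliveryStreamType": "DirectPut",
        "DeliveryStreamEncryptionConfiguration": {"Status": "DISABLED"}}},
    {"DeliveryStreamDescription": {"DeliveryStreamName": "orders-cmk",
        "DeliveryStreamType": "DirectPut",
        "DeliveryStreamEncryptionConfiguration": {"Status": "ENABLED",
            "KeyType": "CUSTOMER_MANAGED_CMK",
            "KeyARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}},
]

if __name__ == "__main__":
    for finding in map(check_stream_encryption, SAMPLE_RESPONSES):
        print("%-14s %s: %s" % finding)
    # Live audit (assumes boto3 + credentials): audit_account(boto3.client("firehose"))
```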