Ensure that customer managed keys are used in AWS Kinesis Firehose Delivery Stream

HIGH

Description

A Kinesis Data Firehose delivery stream without server-side encryption stores its buffered records at rest in plaintext. Enabling server-side encryption with a customer managed KMS key (CMK) encrypts that data at rest and keeps the key under your control: you own the key policy, key usage is auditable through CloudTrail, and the key can be set to rotate automatically on the KMS annual (365-day) schedule.

Remediation

In Terraform -

  1. In the aws_kinesis_firehose_delivery_stream resource, add a server_side_encryption block and set its enabled field to true.
  2. To use a customer managed key, set key_type to CUSTOMER_MANAGED_CMK and key_arn to the ARN of the KMS key. (The default key_type, AWS_OWNED_CMK, encrypts with a key owned by AWS that you cannot manage or audit.)
  3. Note that this setting applies only to delivery streams whose source is Direct PUT. When the source is a Kinesis data stream (kinesis_source_configuration), Firehose does not store the data at rest and encryption is governed by the data stream's own server-side encryption; the provider documents that server_side_encryption should not be enabled in that case.
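The following is an added example, not code from the original page, showing a non-compliant delivery stream next to the remediated one. The resource names, the S3 bucket and the IAM role are hypothetical placeholders; the KMS key policy or grants that allow Firehose to use the key are not shown.

```hcl
# Added example (not from the original page). All names are hypothetical.

# Landing bucket and the service role Firehose assumes (assumed for the example).
resource "aws_s3_bucket" "landing" {
  bucket = "example-firehose-landing"
}

resource "aws_iam_role" "firehose" {
  name = "example-firehose-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "firehose.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Customer managed KMS key for at-rest encryption of the delivery stream.
# enable_key_rotation turns on KMS automatic annual rotation.
# The key policy must also permit Firehose to use the key (omitted here).
resource "aws_kms_key" "firehose" {
  description         = "CMK for Firehose delivery stream at-rest encryption"
  enable_key_rotation = true
}

# NON-COMPLIANT: no server_side_encryption block, so buffered records are
# stored at rest without a customer managed key (AC_AWS_0460 fails).
resource "aws_kinesis_firehose_delivery_stream" "insecure" {
  name        = "example-stream-insecure"
  destination = "extended_s3"

  extended_s3_configuration {
    role_arn   = aws_iam_role.firehose.arn
    bucket_arn = aws_s3_bucket.landing.arn
  }
}

# COMPLIANT: server-side encryption enabled with the customer managed key.
# Only valid for a Direct PUT source; leave the block out when
# kinesis_source_configuration is set.
resource "aws_kinesis_firehose_delivery_stream" "secure" {
  name        = "example-stream"
  destination = "extended_s3"

  server_side_encryption {
    enabled  = true
    key_type = "CUSTOMER_MANAGED_CMK"
    key_arn  = aws_kms_key.firehose.arn
  }

  extended_s3_configuration {
    role_arn   = aws_iam_role.firehose.arn
    bucket_arn = aws_s3_bucket.landing.arn
  }
}
```

After apply, the setting can be confirmed with `aws firehose describe-delivery-stream --delivery-stream-name example-stream`: the DeliveryStreamEncryptionConfiguration in the response should report Status ENABLED, KeyType CUSTOMER_MANAGED_CMK and the ARN of the key above.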

References:
https://docs.aws.amazon.com/firehose/latest/dev/encryption.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream#server_side_encryption

Policy Details

Rule Reference ID: AC_AWS_0460
CSP: AWS
Remediation Available: Yes
Resource Category: Analytics
Resource Type: Kinesis

Frameworks