Firehose delivery streams should be encrypted at rest using AWS KMS

Identifier

firehose-enable-server-side-encryption

Category

Protect > Data protection > Encryption of data at rest

Description

This control checks whether Amazon Kinesis Data Firehose delivery streams are encrypted at rest. For each aws_kinesis_firehose_delivery_stream resource in the Terraform configuration, it verifies that a server_side_encryption block is present, that enabled is set to true, and that key_arn points to a customer managed AWS KMS key.

Non-Compliant Example

Terraform

resource "aws_kinesis_firehose_delivery_stream" "foo" {
  destination = "s3"
  name        = "non-compliant"
}

Remediation

To fix this violation, configure server-side encryption by adding the server_side_encryption block, setting enabled = true and key_type = "CUSTOMER_MANAGED_CMK", and pointing key_arn at the ARN of a customer managed KMS key:

Terraform

resource "aws_kinesis_firehose_delivery_stream" "foo" {
  destination = "s3"
  name        = "compliant"
  server_side_encryption {
    enabled  = true
    key_type = "CUSTOMER_MANAGED_CMK"
    # ARN of the customer managed KMS key; var.kms_key_arn is an assumed
    # input variable that you declare elsewhere in the configuration.
    key_arn  = var.kms_key_arn
  }
}
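
The same check can be run programmatically against the JSON output of `terraform show -json <planfile>`, which renders the server_side_encryption block as a list under each resource's planned values. The following is an added example, not part of this control's own implementation; the plan fragment is constructed to mirror the two examples above, and the check requires a customer managed key, as the remediation does.

```python
"""Evaluate the firehose-enable-server-side-encryption control against a
`terraform show -json` plan. Example code, not part of the original page."""
import json

RESOURCE_TYPE = "aws_kinesis_firehose_delivery_stream"

def check_delivery_stream(values: dict) -> tuple[bool, str]:
    """Return (compliant, reason) for one delivery stream's planned values."""
    # server_side_encryption is a nested block, so the plan renders it as a list.
    sse = values.get("server_side_encryption") or []
    if not sse:
        return False, "server_side_encryption block missing"
    block = sse[0]
    if not block.get("enabled"):
        return False, "server_side_encryption.enabled is not true"
    # The provider defaults key_type to AWS_OWNED_CMK; the remediation requires
    # a customer managed key with its ARN supplied, so this check does too.
    if block.get("key_type") != "CUSTOMER_MANAGED_CMK" or not block.get("key_arn"):
        return False, "key_type must be CUSTOMER_MANAGED_CMK with key_arn set"
    return True, "encrypted at rest with customer managed KMS key"

def evaluate_plan(plan_json: str) -> dict[str, tuple[bool, str]]:
    """Walk the root module of a plan and evaluate every Firehose stream."""
    plan = json.loads(plan_json)
    results = {}
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    for res in resources:
        if res.get("type") == RESOURCE_TYPE:
            results[res["address"]] = check_delivery_stream(res.get("values", {}))
    return results

# Constructed plan fragment mirroring the page's two examples (sample data only).
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_kinesis_firehose_delivery_stream.non_compliant",
     "type": RESOURCE_TYPE,
     "values": {"name": "non-compliant", "destination": "s3",
                "server_side_encryption": []}},
    {"address": "aws_kinesis_firehose_delivery_stream.compliant",
     "type": RESOURCE_TYPE,
     "values": {"name": "compliant", "destination": "s3",
                "server_side_encryption": [{"enabled": True,
                                            "key_type": "CUSTOMER_MANAGED_CMK",
                                            "key_arn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]}},
]}}})

if __name__ == "__main__":
    for address, (ok, reason) in evaluate_plan(SAMPLE_PLAN).items():
        print(f"{'PASS' if ok else 'FAIL'} {address}: {reason}")
```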

Extra Resources