More Info:
Ensure that your Amazon Kinesis Data Firehose delivery streams are encrypted using server-side encryption (SSE). For added security it is recommended to use KMS customer-managed keys (CMKs) instead of the AWS-owned key, so that the key policy, rotation and CloudTrail usage logging are under your control and regulatory requirements can be met. Note that this setting applies to delivery streams whose source is Direct PUT; a delivery stream fed by a Kinesis data stream stores its data in that stream and inherits the encryption configured there. Amazon Kinesis Data Firehose is a fully managed service for real-time streaming data delivery to destinations such as Amazon S3, Amazon Redshift, Amazon OpenSearch Service (formerly Amazon Elasticsearch Service), and Splunk.
Risk Level
High
Address
Cost optimization, Operational Maturity, Security
Compliance Standards
CBP
Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration by enabling server-side encryption for an Amazon Kinesis Data Firehose delivery stream using the AWS Management Console, follow these step-by-step instructions:
- Sign in to the AWS Management Console:
  - Go to the AWS Management Console (https://aws.amazon.com/console/) and sign in to your AWS account.
- Navigate to Amazon Kinesis Data Firehose:
  - In the AWS Management Console, search for “Kinesis” in the search bar at the top and select “Kinesis” under the Analytics section (the service has since been renamed Amazon Data Firehose and may be listed under that name).
- Select the Firehose delivery stream:
  - Click on the “Delivery streams” option on the left sidebar to view a list of your existing Firehose delivery streams.
  - Select the delivery stream that requires server-side encryption. Only streams whose source is Direct PUT offer this setting; a stream whose source is a Kinesis data stream inherits the encryption configured on that data stream and must be remediated there instead.
- Enable server-side encryption:
  - On the selected delivery stream's details page, find the “Server-side encryption” section of its configuration and click “Edit”.
  - Select the option for “Enable server-side encryption”.
  - Choose a customer-managed KMS key from the dropdown menu, or create a new KMS key if necessary. Leaving the stream on the AWS-owned key also encrypts the data, but a customer-managed key is the recommended setting.
- Save changes:
  - After enabling server-side encryption and selecting the KMS key, click on the “Save” button to apply the changes to the Firehose delivery stream.
- Verify encryption configuration:
  - Once the changes are saved, verify that server-side encryption is enabled for the delivery stream by checking the “Server-side encryption” section on the details page. Enabling is asynchronous, so allow the status to move from Enabling to Enabled before closing the finding.
Using CLI
To enable server-side encryption for an Amazon Kinesis Data Firehose delivery stream using the AWS CLI, follow these steps:
- Open the AWS CLI and run the start-delivery-stream-encryption command of the firehose service, passing the name of the delivery stream with the --delivery-stream-name option. Make sure to replace YOUR_DELIVERY_STREAM_NAME with the actual name of your Firehose delivery stream.
- Once the command is executed successfully, server-side encryption will be enabled for the specified delivery stream. With no further options the stream is encrypted using the AWS-owned CMK; to use a customer-managed CMK, as recommended above, pass the key type CUSTOMER_MANAGED_CMK together with the key ARN in the --delivery-stream-encryption-configuration-input option. The operation is asynchronous and is only accepted for delivery streams whose source is Direct PUT.
- You can verify the changes by describing the delivery stream with the describe-delivery-stream command. Look for the DeliveryStreamEncryptionConfiguration section in the output to confirm that server-side encryption is enabled: Status should read ENABLED (ENABLING while the change is still in progress) and KeyType shows whether the AWS-owned or a customer-managed CMK is in use. The EncryptionConfiguration section nested under the S3 destination describes encryption of the objects written to S3, not of the delivery stream itself.
By following these steps, you can remediate the misconfiguration and enable server-side encryption for an AWS Kinesis Data Firehose delivery stream using the AWS CLI.
Using Python
To remediate the misconfiguration by enabling server-side encryption on Amazon Kinesis Data Firehose delivery streams using Python, follow these steps:
- Import the necessary libraries (boto3).
- Initialize the Firehose client for the region being remediated.
- Get the list of all existing delivery streams with list_delivery_streams, paging through the results, and describe each one with describe_delivery_stream.
- Iterate through each Direct PUT delivery stream whose DeliveryStreamEncryptionConfiguration status is not ENABLED and call start_delivery_stream_encryption for it, passing a customer-managed CMK where one is required.
- Run the Python script, then describe the streams again to confirm that the status has moved from ENABLING to ENABLED.
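The following script carries out the steps above and is an added example, not code from the original page or from any remediation tool. It calls only three boto3 Firehose operations (list_delivery_streams, describe_delivery_stream and start_delivery_stream_encryption), so it runs against any object that exposes them; the FakeFirehose class, the sample stream names and the KMS key ARN are constructed stand-ins so that the logic can be exercised without AWS credentials. For a real account, pass boto3.client("firehose", region_name=...) to remediate() instead.

```python
"""Enable server-side encryption on Kinesis Data Firehose delivery streams.
Added example, not code from the original page. Runs against any object with
boto3's list/describe/start_delivery_stream_encryption methods; see FakeFirehose."""
import copy
import time

def sse_status(desc):
    """(Status, KeyType) from DescribeDeliveryStream; no config block means DISABLED."""
    cfg = desc["DeliveryStreamDescription"].get("DeliveryStreamEncryptionConfiguration") or {}
    return cfg.get("Status", "DISABLED"), cfg.get("KeyType")

def needs_remediation(desc, require_cmk=False):
    """Only DirectPut streams accept StartDeliveryStreamEncryption (Kinesis-sourced streams
    inherit their source's encryption and are skipped); require_cmk also flags the AWS-owned key."""
    if desc["DeliveryStreamDescription"].get("DeliveryStreamType") != "DirectPut":
        return False
    status, key_type = sse_status(desc)
    if status not in ("ENABLED", "ENABLING"):
        return True
    return bool(require_cmk and key_type != "CUSTOMER_MANAGED_CMK")

def encryption_input(kms_key_arn=None):
    """KeyARN is only valid with CUSTOMER_MANAGED_CMK; omit it for AWS_OWNED_CMK."""
    if kms_key_arn:
        return {"KeyType": "CUSTOMER_MANAGED_CMK", "KeyARN": kms_key_arn}
    return {"KeyType": "AWS_OWNED_CMK"}

def list_direct_put_streams(client):
    """Page through ListDeliveryStreams (10 names per call unless Limit is set)."""
    names, kwargs = [], {"DeliveryStreamType": "DirectPut"}
    while True:
        resp = client.list_delivery_streams(**kwargs)
        names.extend(resp["DeliveryStreamNames"])
        if not resp.get("HasMoreDeliveryStreams"):
            return names
        kwargs["ExclusiveStartDeliveryStreamName"] = names[-1]

def wait_until_enabled(client, name, poll=5, timeout=300):
    """The call is asynchronous: poll until Status leaves ENABLING for ENABLED."""
    deadline = time.monotonic() + timeout
    while True:
        status, _ = sse_status(client.describe_delivery_stream(DeliveryStreamName=name))
        if status == "ENABLED":
            return status
        if status == "ENABLING_FAILED" or time.monotonic() > deadline:
            raise RuntimeError(f"{name}: SSE not enabled, status is {status}")
        time.sleep(poll)

def remediate(client, kms_key_arn=None, require_cmk=False, wait=True):
    """Start SSE on every non-compliant DirectPut stream; return the names touched."""
    touched = []
    for name in list_direct_put_streams(client):
        if needs_remediation(client.describe_delivery_stream(DeliveryStreamName=name), require_cmk):
            client.start_delivery_stream_encryption(
                DeliveryStreamName=name,
                DeliveryStreamEncryptionConfigurationInput=encryption_input(kms_key_arn))
            touched.append(name)
    for name in touched if wait else []:
        wait_until_enabled(client, name)
    return touched

class FakeFirehose:
    """Constructed in-memory stand-in for boto3.client("firehose"): only the three
    calls used above, so the remediation logic can run without AWS credentials."""
    def __init__(self, streams):
        self.streams = copy.deepcopy(streams)  # name -> DeliveryStreamDescription fields
    def list_delivery_streams(self, DeliveryStreamType=None,
                              ExclusiveStartDeliveryStreamName=None, Limit=10):
        names = sorted(n for n, s in self.streams.items()
                       if DeliveryStreamType in (None, s["DeliveryStreamType"])
                       and (ExclusiveStartDeliveryStreamName is None
                            or n > ExclusiveStartDeliveryStreamName))
        return {"DeliveryStreamNames": names[:Limit], "HasMoreDeliveryStreams": len(names) > Limit}
    def describe_delivery_stream(self, DeliveryStreamName):
        return {"DeliveryStreamDescription": dict(self.streams[DeliveryStreamName],
                                                  DeliveryStreamName=DeliveryStreamName)}
    def start_delivery_stream_encryption(self, DeliveryStreamName,
                                         DeliveryStreamEncryptionConfigurationInput):
        # The real service reports ENABLING first; the fake completes immediately.
        self.streams[DeliveryStreamName]["DeliveryStreamEncryptionConfiguration"] = dict(
            DeliveryStreamEncryptionConfigurationInput, Status="ENABLED")

# Constructed sample account: an unencrypted DirectPut stream, one on the AWS-owned
# key, and a Kinesis-sourced stream that must be left alone.
SAMPLE_STREAMS = {
    "logs-to-s3": {"DeliveryStreamType": "DirectPut"},
    "metrics-to-s3": {"DeliveryStreamType": "DirectPut", "DeliveryStreamEncryptionConfiguration":
                      {"Status": "ENABLED", "KeyType": "AWS_OWNED_CMK"}},
    "orders-from-kds": {"DeliveryStreamType": "KinesisStreamAsSource"},
}
CMK_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"  # placeholder

def demo():
    """Remediate the sample account, requiring a customer-managed CMK."""
    return remediate(FakeFirehose(SAMPLE_STREAMS), kms_key_arn=CMK_ARN, require_cmk=True)
```

Two design points matter in practice: the list call is filtered to DirectPut on the server side and checked again on each description, because a start_delivery_stream_encryption call against a Kinesis-sourced stream is rejected; and the script waits for ENABLED rather than trusting the accepted request, since a stream can end in ENABLING_FAILED (for example when the KMS key policy does not grant Firehose access) while the remediation appears to have succeeded.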