> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Enable Firehose Delivery Stream Server-Side Encryption

### More Info:

Ensure that your Amazon Kinesis Data Firehose delivery streams are encrypted using Server-Side Encryption. It is recommended for added security to use KMS Customer-managed Customer Master Keys (CMKs) instead of AWS managed-keys, in order to have full control over the encryption and decryption process and meet regulatory requirements. Amazon Kinesis Data Firehose is a fully managed service designed for real-time streaming data delivery to destinations such as Amazon S3, Amazon Redshift, Amazon ElasticSearch Service, and Splunk.

### Risk Level

High

### Address

Cost optimization, Operational Maturity, Security

### Compliance Standards

CBP

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the misconfiguration of enabling Firehose Delivery Stream Server-Side Encryption for AWS DynamoDB using the AWS Management Console, follow these step-by-step instructions:

        1. **Sign in to the AWS Management Console:**
           * Go to the AWS Management Console ([https://aws.amazon.com/console/](https://aws.amazon.com/console/)) and sign in to your AWS account.

        2. **Navigate to Amazon Kinesis Data Firehose:**
           * In the AWS Management Console, search for "Kinesis" in the search bar at the top and select "Kinesis" under the Analytics section.

        3. **Select the Firehose Delivery Stream:**
           * Click on the "Delivery Streams" option on the left sidebar to view a list of your existing Firehose delivery streams.
           * Select the Firehose delivery stream that is connected to your DynamoDB table and requires server-side encryption.

        4. **Enable Server-Side Encryption:**
           * In the selected Firehose delivery stream details page, click on the "Edit" button to modify the settings.
           * Scroll down to the "Server-side encryption" section and select the option for "Enable server-side encryption."
           * Choose the appropriate KMS key from the dropdown menu or create a new KMS key if necessary.

        5. **Save Changes:**
           * After enabling server-side encryption and selecting the KMS key, click on the "Save" button to apply the changes to the Firehose delivery stream.

        6. **Verify Encryption Configuration:**
           * Once the changes are saved, verify that server-side encryption is enabled for the Firehose delivery stream by checking the settings in the details page.

        By following these steps, you will successfully remediate the misconfiguration by enabling Firehose Delivery Stream Server-Side Encryption for AWS DynamoDB using the AWS Management Console.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To enable server-side encryption for an AWS Kinesis Data Firehstream using AWS CLI, follow these steps:

        1. Open the AWS CLI and run the following command to enable server-side encryption for the Firehose Delivery Stream:

        ```bash theme={null}
        aws firehose update-delivery-stream \
        --delivery-stream-name YOUR_DELIVERY_STREAM_NAME \
        --extended-s3-destination-update EncryptionConfiguration.Enabled=true,EncryptionConfiguration.KeyType=AWS_OWNED_CMK
        ```

        Make sure to replace `YOUR_DELIVERY_STREAM_NAME` with the actual name of your Firehose Delivery Stream.

        2. Once the command is executed successfully, the server-side encryption will be enabled for the specified Firehose Delivery Stream using the AWS-owned Customer Master Key (CMK).

        3. You can verify the changes by describing the delivery stream using the following command:

        ```bash theme={null}
        aws firehose describe-delivery-stream --delivery-stream-name YOUR_DELIVERY_STREAM_NAME
        ```

        Look for the `EncryptionConfiguration` section in the output to confirm that server-side encryption is enabled.

        By following these steps, you can remediate the misconfiguration and enable server-side encryption for an AWS Kinesis Data Firehose Delivery Stream using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration of enabling Firehose Delivery Stream Server-Side Encryption for AWS DynamoDB using Python, follow these steps:

        1. Import the necessary libraries:

        ```python theme={null}
        import boto3
        ```

        2. Initialize the AWS DynamoDB client:

        ```python theme={null}
        dynamodb = boto3.client('dynamodb')
        ```

        3. Get the list of all the existing DynamoDB tables:

        ```python theme={null}
        tables = dynamodb.list_tables()
        ```

        4. Iterate through each table and enable server-side encryption for the desired table:

        ```python theme={null}
        for table_name in tables['TableNames']:
            response = dynamodb.update_table(
                TableName=table_name,
                SSESpecification={
                    'Enabled': True,
                    'SSEType': 'KMS'
                }
            )
            print(f"Server-side encryption enabled for table: {table_name}")
        ```

        5. Run the Python script to enable server-side encryption for all the DynamoDB tables.

        By following these steps, you can remediate the misconfiguration of enabling Firehose Delivery Stream Server-Side Encryption for AWS DynamoDB using Python.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/firehose/latest/dev/encryption.html](https://docs.aws.amazon.com/firehose/latest/dev/encryption.html)
