Profile Applicability:

  • Level 2

Description:
Amazon Kinesis Data Firehose is a fully managed service that automatically delivers streaming data to AWS destinations such as Amazon S3, Amazon Redshift, and Amazon Elasticsearch. Encryption at rest for Data Firehose delivery streams ensures that the data being delivered is encrypted while stored at the destination (e.g., in S3 or Redshift). By default, Data Firehose supports encryption at rest using AWS Key Management Service (KMS). It is important to ensure that encryption at rest is enabled for all delivery streams to protect the integrity and confidentiality of the data.

Rationale:
Encrypting Data Firehose delivery streams at rest ensures that sensitive data remains secure while stored in AWS services. Encryption provides protection against unauthorized access and helps organizations meet security and compliance requirements, such as GDPR, HIPAA, and SOC 2. Enabling encryption at rest guarantees that any data stored in the delivery stream's destination is protected and can only be decrypted by authorized users or services.

Impact:
Pros:

  • Protects sensitive data at rest by encrypting the data before it is stored in the destination.

  • Enhances security and compliance with data protection regulations.

  • Allows control over the encryption keys used for data encryption through AWS KMS.

  • Helps ensure data integrity and confidentiality while at rest.

Cons:

  • May incur additional costs for using customer-managed KMS keys (depending on usage).

  • Slight increase in latency due to the encryption and decryption processes.

Default Value:
By default, Data Firehose uses AWS-managed KMS keys (aws/firehose) for encryption at rest. However, you can configure Data Firehose to use a customer-managed KMS key for more control over encryption key management.

Pre-requisites:

  • AWS IAM permissions to manage KMS and Kinesis Data Firehose (the Start/Stop actions are the ones invoked by the CLI commands in this control):
     firehose:StartDeliveryStreamEncryption
     firehose:StopDeliveryStreamEncryption
     firehose:DescribeDeliveryStream
     kms:DescribeKey

  • Access to the Kinesis Data Firehose configuration and the KMS key (either AWS-managed or customer-managed) for encryption.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Kinesis and select Firehose.

  3. Select the Delivery Stream that you want to review.

  4. Under the Configuration tab, check the Encryption section.

  5. Ensure that Encryption at rest is enabled, and verify that the AWS KMS key is either the default AWS-managed key (aws/firehose) or a customer-managed key.

  6. If encryption is not enabled, click Edit and configure the encryption settings to use KMS encryption with either the AWS-managed key or a customer-managed KMS key.

  7. Save the changes and verify that encryption at rest is properly configured.

Using AWS CLI:

  1. List all Data Firehose delivery streams:

    aws firehose list-delivery-streams

  2. For each delivery stream, check the encryption configuration:

    aws firehose describe-delivery-stream --delivery-stream-name <DELIVERY_STREAM_NAME>

  3. In the output, look for the DeliveryStreamEncryptionConfiguration section (server-side encryption of the delivery stream itself). Its Status should be ENABLED, and KeyType and KeyARN show which KMS key is used. Separately, the EncryptionConfiguration block inside the destination description (e.g. ExtendedS3DestinationDescription) shows whether objects written to the destination are KMS-encrypted (KMSEncryptionConfig) or not (NoEncryptionConfig).

  4. If encryption is not enabled, enable encryption at rest using the following command:

    aws firehose start-delivery-stream-encryption --delivery-stream-name <DELIVERY_STREAM_NAME> --delivery-stream-encryption-configuration-input KeyType=CUSTOMER_MANAGED_CMK,KeyARN=<KMS_KEY_ARN>

  5. Replace <KMS_KEY_ARN> with the ARN of the customer-managed KMS key. To use the AWS-owned key instead, pass KeyType=AWS_OWNED_CMK and omit KeyARN.

  6. Verify the updated encryption configuration:

    aws firehose describe-delivery-stream --delivery-stream-name <DELIVERY_STREAM_NAME>
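The check in steps 2 and 3 can be automated by feeding the JSON that describe-delivery-stream returns into a small evaluator. The code below is an added example, not part of the original control or of AWS tooling; the two JSON samples are constructed (placeholder stream name, bucket and key ARN) and reflect the field names the API returns, and streams sourced from a Kinesis data stream are flagged for manual review rather than judged here.

```python
import json

# Constructed sample of `aws firehose describe-delivery-stream` output, trimmed to the
# fields this check reads; stream name, bucket and key ARN are placeholders.
COMPLIANT_SAMPLE = json.dumps({"DeliveryStreamDescription": {
    "DeliveryStreamName": "example-stream", "DeliveryStreamType": "DirectPut",
    "DeliveryStreamEncryptionConfiguration": {
        "KeyType": "CUSTOMER_MANAGED_CMK",
        "KeyARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID", "Status": "ENABLED"},
    "Destinations": [{"DestinationId": "destinationId-000000000001",
        "ExtendedS3DestinationDescription": {"BucketARN": "arn:aws:s3:::example-bucket",
            "EncryptionConfiguration": {"KMSEncryptionConfig": {
                "AWSKMSKeyARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}}}]}})

# Same stream with SSE never started and the S3 destination left unencrypted by Firehose.
NONCOMPLIANT_SAMPLE = json.dumps({"DeliveryStreamDescription": {
    "DeliveryStreamName": "example-stream", "DeliveryStreamType": "DirectPut",
    "DeliveryStreamEncryptionConfiguration": {"Status": "DISABLED"},
    "Destinations": [{"DestinationId": "destinationId-000000000001",
        "ExtendedS3DestinationDescription": {"BucketARN": "arn:aws:s3:::example-bucket",
            "EncryptionConfiguration": {"NoEncryptionConfig": "NoEncryption"}}}]}})


def audit_delivery_stream(describe_json: str) -> dict:
    """Return {'stream', 'compliant', 'findings'} for one describe-delivery-stream result."""
    desc = json.loads(describe_json)["DeliveryStreamDescription"]
    findings = []
    # Stream-level SSE: the setting start-delivery-stream-encryption controls.
    sse = desc.get("DeliveryStreamEncryptionConfiguration", {})
    if desc.get("DeliveryStreamType") == "KinesisStreamAsSource":
        findings.append("source is a Kinesis data stream: review SSE on that stream instead")
    elif sse.get("Status") != "ENABLED":
        findings.append("stream SSE status is %s, expected ENABLED" % sse.get("Status", "absent"))
    elif sse.get("KeyType") == "CUSTOMER_MANAGED_CMK" and not sse.get("KeyARN"):
        findings.append("CUSTOMER_MANAGED_CMK selected but no KeyARN recorded")
    # Destination-level setting: how Firehose encrypts the objects it writes to S3.
    for dest in desc.get("Destinations", []):
        s3 = dest.get("ExtendedS3DestinationDescription") or dest.get("S3DestinationDescription")
        if s3 is None:
            continue  # other destination types are outside this check
        if "KMSEncryptionConfig" not in s3.get("EncryptionConfiguration", {}):
            findings.append("destination %s: Firehose writes to S3 without KMS encryption"
                            % dest["DestinationId"])
    return {"stream": desc["DeliveryStreamName"],
            "compliant": not findings, "findings": findings}
```

To run it against a live account, pipe the output of `aws firehose describe-delivery-stream --delivery-stream-name <NAME>` into audit_delivery_stream for each name returned by list-delivery-streams.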

Implementation Plan:

Using AWS Console:

  1. Open the Kinesis Firehose Console and select the desired delivery stream.

  2. Under the Configuration tab, find the Encryption section and click Edit.

  3. Enable Encryption at rest, and select the KMS key (either the default AWS-managed key or a customer-managed key).

  4. Save the changes and verify that encryption is enabled.

Using AWS CLI:

  1. To enable encryption with a customer-managed KMS key, run:

    aws firehose start-delivery-stream-encryption --delivery-stream-name <DELIVERY_STREAM_NAME> --delivery-stream-encryption-configuration-input KeyType=CUSTOMER_MANAGED_CMK,KeyARN=<KMS_KEY_ARN>

  2. Verify that encryption is enabled and the correct KMS key is used:

    aws firehose describe-delivery-stream --delivery-stream-name <DELIVERY_STREAM_NAME>

Backout Plan: 

Using AWS Console:

  1. If enabling encryption causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon Kinesis, select the Delivery stream, and go to the Encryption settings.

  3. Disable encryption or change the KMS key if necessary.

  4. Save the changes and verify that the delivery stream is functioning without encryption.

Using AWS CLI:

  1. To remove stream-level encryption (the inverse of start-delivery-stream-encryption), run:

    aws firehose stop-delivery-stream-encryption --delivery-stream-name <DELIVERY_STREAM_NAME>

     To change the KMS key instead, run start-delivery-stream-encryption again with the new KeyARN. To remove the KMS encryption of objects written to the S3 destination, run the following command, taking <VERSION_ID> and <DESTINATION_ID> from the VersionId and DestinationId fields of the describe-delivery-stream output:

    aws firehose update-delivery-stream --delivery-stream-name <DELIVERY_STREAM_NAME> --current-delivery-stream-version-id <VERSION_ID> --destination-id <DESTINATION_ID> --s3-destination-update '{
      "EncryptionConfiguration": {
        "NoEncryptionConfig": "NoEncryption"
      }
    }'

  2. Verify that the encryption configuration has been removed:

    aws firehose describe-delivery-stream --delivery-stream-name <DELIVERY_STREAM_NAME>

Reference:

CIS Controls:

  Version | Control ID | Control Description
  --------|------------|--------------------
  7.1     | 3.1        | Ensure Kinesis Data Firehose delivery streams are encrypted at rest using AWS KMS to protect sensitive data.
  7.1     | 8.1        | Enable encryption at rest for Kinesis Data Firehose delivery streams to ensure the security of backup and log data.