Firehose delivery streams should be encrypted at rest
Description
This control checks whether an Amazon Data Firehose delivery stream is encrypted at rest with server-side encryption. This control fails if a Firehose delivery stream isn't encrypted at rest with server-side encryption. Server-side encryption is a feature of Amazon Data Firehose delivery streams that automatically encrypts data at rest using a key created in AWS Key Management Service (AWS KMS). Data is encrypted before it's written to the Data Firehose stream storage layer and decrypted after it's retrieved from storage. This helps you meet regulatory requirements and strengthens the security of your data.
Remediation
Enable server-side encryption for your Amazon Data Firehose delivery streams using AWS KMS.
Steps
- Navigate to the Amazon Data Firehose console (formerly Amazon Kinesis Data Firehose)
- Select the delivery stream that needs encryption
- Edit the delivery stream configuration
- In the 'Encryption' section, enable 'Server-side encryption'
- Choose 'AWS KMS' as the encryption key source
- Select or create a KMS key for encryption
- Save the configuration changes
- Verify that the delivery stream is now encrypted at rest
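As an added example (not part of this control's text or of any AWS tool), the following hypothetical Python/boto3 helper evaluates the DescribeDeliveryStream response the way this control does and, when given a customer-managed KMS key ARN, applies the remediation above through the StartDeliveryStreamEncryption API instead of the console. It assumes boto3 credentials for the account being audited; the stream names, account ID and key ARN in the samples are constructed, and it also handles a case the steps above don't mention: a delivery stream whose source is a Kinesis data stream holds no data at rest in Firehose, so encryption is configured on the source stream.

```python
"""Audit Amazon Data Firehose delivery streams for server-side encryption (SSE).
Hypothetical helper written for this control page, not AWS tooling. evaluate_stream()
takes the DeliveryStreamDescription dict from boto3 describe_delivery_stream(), so it runs
offline on the constructed samples below; boto3 is imported only when auditing an account."""

# Constructed sample responses; shapes follow the DescribeDeliveryStream API.
SAMPLE_ENCRYPTED = {
    "DeliveryStreamName": "orders-direct-put", "DeliveryStreamType": "DirectPut",
    "DeliveryStreamEncryptionConfiguration": {"Status": "ENABLED", "KeyType": "CUSTOMER_MANAGED_CMK"}}
SAMPLE_UNENCRYPTED = {
    "DeliveryStreamName": "logs-direct-put", "DeliveryStreamType": "DirectPut",
    "DeliveryStreamEncryptionConfiguration": {"Status": "DISABLED", "KeyType": "AWS_OWNED_CMK"}}

def evaluate_stream(description):
    """PASS: SSE Status ENABLED. FAIL: SSE absent, DISABLED or failed/transitional.
    NOT_APPLICABLE: Kinesis data stream source; Firehose does not store that data at
    rest, so encryption is governed by the source stream's own SSE (audit that instead)."""
    name = description["DeliveryStreamName"]
    if description.get("DeliveryStreamType") == "KinesisStreamAsSource":
        src = description.get("Source", {}).get("KinesisStreamSourceDescription", {})
        return {"stream": name, "status": "NOT_APPLICABLE",
                "reason": "encrypt source stream " + src.get("KinesisStreamARN", "<unknown>")}
    enc = description.get("DeliveryStreamEncryptionConfiguration", {})
    status = enc.get("Status", "DISABLED")  # no block at all means SSE was never enabled
    if status == "ENABLED":
        return {"stream": name, "status": "PASS", "reason": f"SSE enabled, key type {enc.get('KeyType')}"}
    detail = enc.get("FailureDescription", {}).get("Details", "")
    return {"stream": name, "status": "FAIL", "reason": f"SSE status {status} {detail}".strip()}

def audit_account(region, remediate_key_arn=None):
    """Evaluate every stream in a region. With a customer-managed KMS key ARN, FAILs are
    fixed via StartDeliveryStreamEncryption, the API equivalent of the console steps."""
    import boto3  # deferred so evaluate_stream stays dependency-free
    fh = boto3.client("firehose", region_name=region)
    findings, kwargs = [], {"Limit": 100}
    while True:
        page = fh.list_delivery_streams(**kwargs)
        for name in page["DeliveryStreamNames"]:
            desc = fh.describe_delivery_stream(DeliveryStreamName=name)["DeliveryStreamDescription"]
            finding = evaluate_stream(desc)
            if finding["status"] == "FAIL" and remediate_key_arn:
                fh.start_delivery_stream_encryption(
                    DeliveryStreamName=name, DeliveryStreamEncryptionConfigurationInput={
                        "KeyARN": remediate_key_arn, "KeyType": "CUSTOMER_MANAGED_CMK"})
                finding["remediation"] = "StartDeliveryStreamEncryption requested"
            findings.append(finding)
        if not page["HasMoreDeliveryStreams"]:
            return findings
        kwargs["ExclusiveStartDeliveryStreamName"] = page["DeliveryStreamNames"][-1]
```

StartDeliveryStreamEncryption is asynchronous: the Status moves through ENABLING before ENABLED, so re-run the audit afterwards to confirm step 8 rather than trusting the request alone.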