01 Sign in to the AWS Management Console.
02 To create your own customer-managed CMK, navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.
03 In the left navigation panel, click Customer managed keys.
04 Select the appropriate AWS region from the navigation bar (must match the region of your Firehose delivery stream).
05 Click the Create Key button from the console top menu to initiate the setup process.
06 For Step 1 Configure key, choose Symmetric from the Key type section, and select KMS for the Key material origin, available under Advanced options. Click Next to continue.
07 For Step 2 Add labels, provide a unique name (alias) and a short description for your new CMK, then use the Add tag button to create any required tag sets (optional). Click Next to continue the setup process.
08 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK through the KMS API. Key administrators can manage the key (for example, change its key policy or schedule its deletion) but cannot use it for cryptographic operations unless they are also added as key users in the next step. You may need to add additional permissions for the users or roles to administer the key from the AWS console. Click Next to continue.
09 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new CMK for cryptographic operations. (Optional) In the Other AWS accounts section, click Add another AWS account and enter an external account ID in order to specify another AWS account that can use this KMS CMK to encrypt and decrypt your Firehose delivery streams. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Click Next to continue the process.
10 For Step 5 Review and edit key policy, review the key policy, then click Finish to create your new Customer-managed CMK. Once the key is successfully created, the Amazon KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".
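The same key can be created from the AWS SDK instead of the console. The following is an added example (not the page's or AWS's own code): build_key_policy() reproduces the statements the KMS console generates from the choices made in steps 08 and 09 (account root, key administrators, key users, and grant permissions for AWS services, which Firehose and Kinesis Data Streams rely on), principals_with_action() is a small helper for the review in step 10, and create_cmk() makes the live calls and needs boto3 plus credentials. All account IDs and principal ARNs are constructed placeholders.

```python
"""Create the customer-managed KMS key of steps 01-10 through the AWS SDK.

Added example; not the page's or AWS's own code. Account IDs and ARNs are constructed.
"""
import json

# What the console grants for "Define key administrative permissions" (step 08).
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
    "kms:CancelKeyDeletion",
]
# What the console grants for "Define key usage permissions" (step 09).
USE_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
    "kms:DescribeKey",
]
# Firehose and Kinesis Data Streams encrypt on the caller's behalf by creating a grant
# on the key, so key users also need grant permissions, limited to AWS-resource grants.
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def build_key_policy(account_id, admin_arns, user_arns, other_account_ids=()):
    """Return the key policy as a dict.

    other_account_ids become root principals in the key-user statements only (step 09);
    the owners of those accounts must still grant their own IAM principals the matching
    kms:* actions on this key, as the page notes.
    """
    users = list(user_arns) + [f"arn:aws:iam::{acct}:root" for acct in other_account_ids]
    statements = [{
        # Keeps the key manageable through IAM in the owning account; removing this
        # statement is the classic way to lock yourself out of a key.
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }]
    if admin_arns:
        statements.append({
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {"AWS": list(admin_arns)},
            "Action": ADMIN_ACTIONS,
            "Resource": "*",
        })
    if users:
        statements.append({
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": users},
            "Action": USE_ACTIONS,
            "Resource": "*",
        })
        statements.append({
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {"AWS": users},
            "Action": GRANT_ACTIONS,
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        })
    return {"Version": "2012-10-17", "Id": "key-firehose-sse", "Statement": statements}


def principals_with_action(policy, action):
    """Review helper (step 10): which principals are allowed `action`, by exact or wildcard match."""
    found = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(a == action or (a.endswith("*") and action.startswith(a[:-1])) for a in actions):
            principal = st["Principal"]["AWS"]
            found.update(principal if isinstance(principal, list) else [principal])
    return found


def create_cmk(alias, description, policy, region, tags=None):
    """Live path: create the symmetric key (step 06) and its alias (step 07). Returns the key ARN."""
    import boto3  # imported here so the pure functions above work without the SDK installed
    kms = boto3.client("kms", region_name=region)
    resp = kms.create_key(
        Description=description,
        KeyUsage="ENCRYPT_DECRYPT",
        KeySpec="SYMMETRIC_DEFAULT",   # "Symmetric" in the console
        Origin="AWS_KMS",              # "KMS" key material origin
        Policy=json.dumps(policy),
        Tags=[{"TagKey": k, "TagValue": v} for k, v in (tags or {}).items()],
    )
    key_id = resp["KeyMetadata"]["KeyId"]
    kms.create_alias(AliasName=f"alias/{alias}", TargetKeyId=key_id)
    return resp["KeyMetadata"]["Arn"]


if __name__ == "__main__":
    # Constructed principals; replace with your own before calling create_cmk().
    policy = build_key_policy(
        account_id="123456789012",
        admin_arns=["arn:aws:iam::123456789012:role/KmsKeyAdmin"],
        user_arns=["arn:aws:iam::123456789012:role/FirehoseOperator"],
        other_account_ids=["210987654321"],
    )
    print(json.dumps(policy, indent=2))
```

Run the script as-is to inspect the generated policy before the live call; the administrator role should appear only in the administrative statement and the external account only in the two key-user statements, which mirrors what the console shows on the Review page.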
11 Once your new Customer-managed CMK is available, navigate to Amazon Kinesis console at https://console.aws.amazon.com/kinesis/.
12 In the navigation panel, under Amazon Kinesis, choose Delivery streams.
13 Click on the name of the Firehose delivery stream that you want to reconfigure.
14 In the Delivery stream details section, check the Source attribute value to determine the data source configured for the selected Firehose delivery stream. Based on the data source, perform one of the following sets of steps:
- If the Source is set to Direct PUT, perform the following:
- Select the Configuration tab to access the configuration information available for the selected delivery stream.
- In the Server-side encryption (SSE) section, choose Edit.
- Ensure that the Enable server-side encryption for source records in delivery stream checkbox is selected.
- For Encryption type, choose Use customer managed CMK.
- Under Customer managed CMK in KMS, choose Browse, and select the Amazon KMS CMK created at the previous steps.
- Choose Save changes to apply the configuration changes. It takes approximately 30 seconds to enable Server-Side Encryption (SSE) using Customer-managed CMKs.
- If the Source is set to Amazon Kinesis Data Streams, Firehose does not hold the source records at rest itself; the records are stored in the data stream, so server-side encryption has to be enabled on that data stream. Perform the following:
- Select the Configuration tab to access the configuration information available for the selected stream.
- In the Source settings section, click on the name (link) of the associated data stream, available under Kinesis data stream.
- Select the Configuration tab to access the data stream configuration details.
- In the Encryption section, choose Edit.
- Make sure that the Enable server-side encryption checkbox is selected.
- Choose Use customer-managed CMK.
- Under Customer managed CMK in KMS, choose Browse, and select the Amazon KMS CMK created earlier in the Remediation process.
- Choose Save changes to apply the configuration changes.
15 Repeat steps no. 13 and 14 for each Firehose delivery stream that you want to encrypt using Customer Master Keys, available within the current AWS region.
16 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.
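Steps 11 to 16 can be automated for every delivery stream in a region. The following is an added example (not the page's or AWS's own code): classify_delivery_stream() takes the DescribeDeliveryStream response and decides, exactly as step 14 does, whether SSE belongs on the delivery stream (Direct PUT) or on the backing Kinesis data stream, classify_data_stream() does the same check on the DescribeStream response, remediate() makes the live calls, and wait_until_enabled() covers the asynchronous enable that step 14 describes as taking about 30 seconds. The classify_* functions run offline on the constructed sample responses; remediate() and wait_until_enabled() need boto3 and credentials. All stream names, ARNs and sample responses are constructed.

```python
"""Audit and remediate Firehose delivery-stream SSE with a customer-managed CMK.

Added example; not the page's or AWS's own code. Names, ARNs and samples are constructed.
"""
import re
import time

FIREHOSE_SSE = "enable_firehose_sse"  # Direct PUT: call StartDeliveryStreamEncryption
STREAM_SSE = "enable_stream_sse"      # Kinesis Data Streams source: call StartStreamEncryption
PENDING = "pending"                   # the right key is being enabled already; do not re-issue
COMPLIANT = "compliant"               # already encrypted with the expected customer-managed key

STREAM_ARN_RE = re.compile(r"^arn:aws:kinesis:[a-z0-9-]+:\d{12}:stream/(.+)$")


def key_matches(reported, expected_key_arn):
    """Kinesis reports the KeyId in the form it was supplied (ARN or bare key ID), so accept either."""
    return reported in (expected_key_arn, expected_key_arn.rsplit("/", 1)[-1])


def classify_delivery_stream(desc, expected_key_arn):
    """desc: the DeliveryStreamDescription object. Returns (action, target_name)."""
    source = desc.get("Source", {}).get("KinesisStreamSourceDescription")
    if source:
        # With a data stream as source, Firehose keeps no data at rest of its own; the
        # data stream's SSE setting is the control, so remediation targets the stream.
        m = STREAM_ARN_RE.match(source["KinesisStreamARN"])
        if not m:
            raise ValueError(f"unexpected Kinesis stream ARN: {source['KinesisStreamARN']!r}")
        return STREAM_SSE, m.group(1)
    enc = desc.get("DeliveryStreamEncryptionConfiguration", {})
    right_key = enc.get("KeyType") == "CUSTOMER_MANAGED_CMK" and enc.get("KeyARN") == expected_key_arn
    if right_key and enc.get("Status") == "ENABLED":
        return COMPLIANT, desc["DeliveryStreamName"]
    if right_key and enc.get("Status") == "ENABLING":
        return PENDING, desc["DeliveryStreamName"]
    # Covers DISABLED, an AWS-owned key (KeyType AWS_OWNED_CMK, no KeyARN), or the wrong key.
    return FIREHOSE_SSE, desc["DeliveryStreamName"]


def classify_data_stream(stream_desc, expected_key_arn):
    """stream_desc: the StreamDescription object. Returns COMPLIANT or STREAM_SSE."""
    if stream_desc.get("EncryptionType") == "KMS" and key_matches(stream_desc.get("KeyId", ""), expected_key_arn):
        return COMPLIANT
    return STREAM_SSE


def remediate(delivery_stream_name, key_arn, region):
    """Live path. The key must be in `region` (step 04) and the caller needs kms:CreateGrant
    on it, since both services encrypt through a grant created on the caller's behalf."""
    import boto3
    firehose = boto3.client("firehose", region_name=region)
    desc = firehose.describe_delivery_stream(DeliveryStreamName=delivery_stream_name)["DeliveryStreamDescription"]
    action, target = classify_delivery_stream(desc, key_arn)
    if action == FIREHOSE_SSE:
        firehose.start_delivery_stream_encryption(
            DeliveryStreamName=target,
            DeliveryStreamEncryptionConfigurationInput={"KeyType": "CUSTOMER_MANAGED_CMK", "KeyARN": key_arn},
        )
    elif action == STREAM_SSE:
        kinesis = boto3.client("kinesis", region_name=region)
        stream = kinesis.describe_stream(StreamName=target)["StreamDescription"]
        if classify_data_stream(stream, key_arn) == COMPLIANT:
            return COMPLIANT, target
        kinesis.start_stream_encryption(StreamName=target, EncryptionType="KMS", KeyId=key_arn)
    return action, target


def wait_until_enabled(delivery_stream_name, region, timeout=120):
    """Enabling Firehose SSE is asynchronous (Status ENABLING for roughly 30 s); poll until
    ENABLED and surface FailureDescription if it ends in ENABLING_FAILED."""
    import boto3
    firehose = boto3.client("firehose", region_name=region)
    deadline = time.time() + timeout
    while time.time() < deadline:
        enc = firehose.describe_delivery_stream(DeliveryStreamName=delivery_stream_name)[
            "DeliveryStreamDescription"].get("DeliveryStreamEncryptionConfiguration", {})
        if enc.get("Status") == "ENABLED":
            return enc
        if enc.get("Status") == "ENABLING_FAILED":
            raise RuntimeError(enc.get("FailureDescription"))
        time.sleep(5)
    raise TimeoutError(delivery_stream_name)


# Constructed response fragments for offline use.
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
SAMPLE_DIRECT_PUT = {
    "DeliveryStreamName": "orders-direct",
    "DeliveryStreamType": "DirectPut",
    "DeliveryStreamEncryptionConfiguration": {"KeyType": "AWS_OWNED_CMK", "Status": "ENABLED"},
}
SAMPLE_STREAM_SOURCE = {
    "DeliveryStreamName": "orders-from-stream",
    "DeliveryStreamType": "KinesisStreamAsSource",
    "Source": {"KinesisStreamSourceDescription": {
        "KinesisStreamARN": "arn:aws:kinesis:us-east-1:123456789012:stream/orders",
        "RoleARN": "arn:aws:iam::123456789012:role/FirehoseSourceRole"}},
}
SAMPLE_STREAM_PLAINTEXT = {"StreamName": "orders", "EncryptionType": "NONE"}

if __name__ == "__main__":
    print(classify_delivery_stream(SAMPLE_DIRECT_PUT, KEY_ARN))
    print(classify_delivery_stream(SAMPLE_STREAM_SOURCE, KEY_ARN))
```

Loop remediate() over firehose list_delivery_streams() for step 15 and over the regions you use for step 16. Note that SAMPLE_DIRECT_PUT already has SSE enabled, but with an AWS-owned key, and is still classified as needing remediation, which is the whole point of the page: the control is a customer-managed CMK, not encryption as such.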