Firehose Delivery Stream Encryption

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: Firehose-001

Ensure that your AWS Kinesis Firehose delivery streams are encrypted using Server-Side Encryption (SSE) in order to meet regulatory requirements and protect your Kinesis data at rest. AWS Kinesis Firehose is a fully managed service designed for real-time streaming data delivery to destinations such as Amazon S3, Amazon Redshift, Amazon Elasticsearch Service and Splunk. When the Server-Side Encryption feature is enabled, Kinesis Firehose requests the Amazon S3 service to encrypt your data before saving it to disk and to decrypt it when you download it. The data can be encrypted with either the AWS KMS default key or a KMS Customer Master Key (CMK).

Security

Organizations with strict compliance or data security requirements often require that their data be encrypted at all times, both at rest and in transit within the cloud. Server-Side Encryption (SSE) for Amazon Kinesis Firehose delivery streams helps you meet these requirements by adding a layer of protection for your Kinesis data at rest at its S3 destination.


Audit

To determine if your Firehose delivery streams have the Server-Side Encryption feature enabled, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Kinesis dashboard at https://console.aws.amazon.com/firehose/.

03 In the navigation panel, under Amazon Kinesis, choose Data Firehose.

04 Choose the Firehose delivery stream that you want to examine, then click on its name (link) to access the stream configuration details.

05 Select the Details tab from the top panel and check the Encryption attribute value, available in the Amazon S3 destination section. If the attribute value is set to Disabled, the selected AWS Kinesis Firehose delivery stream does not have the Server-Side Encryption feature enabled, therefore the data managed by the Firehose delivery stream is not encrypted at its destination (Amazon S3).

06 Repeat steps no. 4 and 5 for each Firehose delivery stream available in the current AWS region.

07 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run list-delivery-streams command (OSX/Linux/UNIX) to list the names of all Firehose delivery streams available within the selected AWS region, e.g. US East (N. Virginia):

aws firehose list-delivery-streams \
    --region us-east-1 \
    --query 'DeliveryStreamNames'

02 The command output should return the requested delivery stream names:

[
    "cc-main-delivery-stream",
    "cc-iot-project-delivery-stream"
]

03 Run describe-delivery-stream command (OSX/Linux/UNIX) using the delivery stream name returned at the previous step as identifier and custom query filters to return the Server-Side Encryption configuration for the selected delivery stream data destination:

aws firehose describe-delivery-stream \
    --region us-east-1 \
    --delivery-stream-name cc-main-delivery-stream \
    --query 'DeliveryStreamDescription.Destinations[*].ExtendedS3DestinationDescription.{EncryptionConfiguration: EncryptionConfiguration}'

04 The command output should return the requested configuration details:

[
    {
        "EncryptionConfiguration": {
            "NoEncryptionConfig": "NoEncryption"
        }
    }
]

If the describe-delivery-stream command output returns only the "NoEncryptionConfig": "NoEncryption" key-value pair for the EncryptionConfiguration attribute, as shown in the example above, the selected Amazon Kinesis Firehose delivery stream does not have Server-Side Encryption enabled, therefore the data managed by the verified delivery stream is not encrypted at its destination (i.e. the Amazon S3 bucket).

05 Repeat steps no. 3 and 4 for each Firehose delivery stream available in the current AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire process for other regions.

Remediation / Resolution

To enable Server-Side Encryption (SSE) for your AWS Kinesis Firehose delivery streams, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Kinesis dashboard at https://console.aws.amazon.com/firehose/.

03 In the navigation panel, under Amazon Kinesis, choose Data Firehose.

04 Choose the delivery stream that you want to reconfigure (see Audit section part I to identify the right Firehose resource), then click on its name (link) to access the resource configuration.

05 Select the Details tab from the top panel and click the Edit button from the top-right menu to switch to edit mode.

06 Within Amazon S3 destination section, select Enabled next to S3 encryption to enable the SSE feature.

07 From KMS master key dropdown list, choose whether to use the AWS KMS default key (i.e. (Default) aws/s3) or an AWS KMS Customer Master Key (CMK).

08 Click Save to apply the configuration changes. If successful, the AWS console should display the following confirmation message: "Successfully updated delivery stream".

09 Repeat steps no. 4 – 8 to enable SSE for other Firehose delivery streams available in the selected AWS region.

10 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-delivery-stream command (OSX/Linux/UNIX) using the name of the delivery stream that you want to reconfigure as identifier (see Audit section part II to identify the right resource) and custom query filters to return the selected stream configuration metadata, information required later when the delivery stream is reconfigured:

aws firehose describe-delivery-stream \
    --region us-east-1 \
    --delivery-stream-name cc-main-delivery-stream

02 The command output should return the stream configuration information:

{
    "DeliveryStreamDescription": {
        "DeliveryStreamType": "KinesisStreamAsSource",
        "HasMoreDestinations": false,
        "LastUpdateTimestamp": 1535047888.785,
        "Source": {
            "KinesisStreamSourceDescription": {
                "RoleARN": "arn:aws:iam::123456789012:role/firehose_delivery_role",
                "KinesisStreamARN": "arn:aws:kinesis:us-east-1:123456789012:stream/cc-kinesis-data-stream",
                "DeliveryStartTimestamp": 1535041889.658
            }
        },
        "VersionId": "3",
        "CreateTimestamp": 1535041354.658,
        "DeliveryStreamARN": "arn:aws:firehose:us-east-1:123456789012:deliverystream/cc-main-delivery-stream",
        "DeliveryStreamStatus": "ACTIVE",
        "DeliveryStreamName": "cc-main-delivery-stream",
        "Destinations": [
            {
                "DestinationId": "destinationId-000000000001",
                "ExtendedS3DestinationDescription": {
                    "RoleARN": "arn:aws:iam::123456789012:role/firehose_delivery_role",
                    "Prefix": "",
                    "BufferingHints": {
                        "IntervalInSeconds": 300,
                        "SizeInMBs": 5
                    },
                    "EncryptionConfiguration": {
                        "NoEncryptionConfig": "NoEncryption"
                    },
                    "CompressionFormat": "UNCOMPRESSED",
                    "S3BackupMode": "Disabled",
                    "CloudWatchLoggingOptions": {
                        "Enabled": true,
                        "LogStreamName": "S3Delivery",
                        "LogGroupName": "/aws/kinesisfirehose/cc-firehose-delivery-stream"
                    },
                    "BucketARN": "arn:aws:s3:::cc-firehose-bucket",
                    "ProcessingConfiguration": {
                        "Enabled": false,
                        "Processors": []
                    }
                },
                "S3DestinationDescription": {
                    "RoleARN": "arn:aws:iam::123456789012:role/firehose_delivery_role",
                    "Prefix": "",
                    "BufferingHints": {
                        "IntervalInSeconds": 300,
                        "SizeInMBs": 1
                    },
                    "EncryptionConfiguration": {
                        "NoEncryptionConfig": "NoEncryption"
                    },
                    "CompressionFormat": "UNCOMPRESSED",
                    "CloudWatchLoggingOptions": {
                        "Enabled": true,
                        "LogStreamName": "S3Delivery",
                        "LogGroupName": "/aws/kinesisfirehose/cc-firehose-delivery-stream"
                    },
                    "BucketARN": "arn:aws:s3:::cc-firehose-bucket"
                }
            }
        ]
    }
}

03 Create the necessary configuration file, name it stream-destination-config.json and save it as a JSON file, using the information returned at the previous step. The ARN of the AWS KMS key to be used for Server-Side Encryption must be set as the value of the AWSKMSKeyARN attribute:

{
  "RoleARN": "arn:aws:iam::123456789012:role/firehose_delivery_role",
  "BucketARN": "arn:aws:s3:::cc-firehose-bucket",
  "Prefix": "",
  "BufferingHints": {
    "SizeInMBs": 5,
    "IntervalInSeconds": 300
  },
  "CompressionFormat": "UNCOMPRESSED",
  "EncryptionConfiguration": {
    "KMSEncryptionConfig": {
      "AWSKMSKeyARN": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcdabcdabcd"
    }
  },
  "CloudWatchLoggingOptions": {
    "Enabled": true,
    "LogGroupName": "/aws/kinesisfirehose/cc-main-delivery-stream",
    "LogStreamName": "S3Delivery"
  },
  "ProcessingConfiguration": {
    "Enabled": false,
    "Processors": []
  },
  "S3BackupMode": "Disabled"
}

04 Run update-destination command (OSX/Linux/UNIX) using the name of the Firehose delivery stream that you want to reconfigure (see Audit section part II to identify the right resource) to update the selected stream destination configuration using the stream-destination-config.json file in order to enable Server-Side Encryption (the command does not produce an output):

aws firehose update-destination \
    --region us-east-1 \
    --delivery-stream-name cc-main-delivery-stream \
    --current-delivery-stream-version-id 3 \
    --destination-id destinationId-000000000001 \
    --extended-s3-destination-update file://stream-destination-config.json

05 Repeat steps no. 1 – 4 to enable SSE for other Firehose delivery streams available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.
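The CLI audit (steps 03 and 04 of the Audit section) and the CLI remediation (steps 01 to 04 above) both work on the JSON that describe-delivery-stream prints. The following Python script is an added example, not Conformity's or AWS's own code: it applies the page's compliance test to that JSON (piped in from the aws command, or a constructed sample mirroring the page's output when nothing is piped), builds the stream-destination-config.json payload from the existing destination settings, and prints the matching update-destination command. It never calls AWS itself. The account id, ARNs, KMS key ARN and file name are placeholders.

```python
"""Firehose S3 destination SSE check and fix, driven by describe-delivery-stream JSON.

Added example for this page (not Conformity's or AWS's code). Reads the JSON
from stdin when piped, otherwise uses the constructed sample below.
"""
import json
import shlex
import sys

# Constructed sample: trimmed describe-delivery-stream output whose S3
# destination reports "NoEncryptionConfig": "NoEncryption" (the non-compliant case).
SAMPLE_DESCRIPTION = {
    "DeliveryStreamDescription": {
        "DeliveryStreamName": "cc-main-delivery-stream",
        "VersionId": "3",
        "Destinations": [{
            "DestinationId": "destinationId-000000000001",
            "ExtendedS3DestinationDescription": {
                "RoleARN": "arn:aws:iam::123456789012:role/firehose_delivery_role",
                "BucketARN": "arn:aws:s3:::cc-firehose-bucket",
                "Prefix": "",
                "BufferingHints": {"IntervalInSeconds": 300, "SizeInMBs": 5},
                "CompressionFormat": "UNCOMPRESSED",
                "EncryptionConfiguration": {"NoEncryptionConfig": "NoEncryption"},
                "S3BackupMode": "Disabled",
            },
        }],
    }
}

# Either key describes a destination's S3 output; the extended form is the one
# update-destination edits, so it is preferred when both are present.
S3_DESCRIPTION_KEYS = ("ExtendedS3DestinationDescription", "S3DestinationDescription")

# Settings that remediation step 03 restates in stream-destination-config.json.
RESTATED_FIELDS = ("RoleARN", "BucketARN", "Prefix", "BufferingHints", "CompressionFormat",
                   "CloudWatchLoggingOptions", "ProcessingConfiguration", "S3BackupMode")

def s3_description(destination: dict):
    """Return (key, S3 settings) for a destination, or (None, None) if it has no S3 output."""
    for key in S3_DESCRIPTION_KEYS:
        if key in destination:
            return key, destination[key]
    return None, None

def is_sse_enabled(s3_desc: dict) -> bool:
    """True only when a KMS key ARN is configured; NoEncryptionConfig or an empty block fails."""
    kms = s3_desc.get("EncryptionConfiguration", {}).get("KMSEncryptionConfig", {})
    return bool(kms.get("AWSKMSKeyARN"))

def audit_delivery_stream(description: dict) -> list:
    """Audit step 04: one finding per S3 destination without Server-Side Encryption."""
    stream = description["DeliveryStreamDescription"]
    findings = []
    for dest in stream["Destinations"]:
        key, s3_desc = s3_description(dest)
        if s3_desc is not None and not is_sse_enabled(s3_desc):
            findings.append(f"{stream['DeliveryStreamName']} {dest['DestinationId']}: "
                            f"{key} has no KMSEncryptionConfig")
    return findings

def build_extended_s3_update(s3_desc: dict, kms_key_arn: str) -> dict:
    """Remediation step 03: restate the current settings and swap in KMS encryption."""
    update = {k: s3_desc[k] for k in RESTATED_FIELDS if k in s3_desc}
    update["EncryptionConfiguration"] = {"KMSEncryptionConfig": {"AWSKMSKeyARN": kms_key_arn}}
    return update

def update_destination_command(description: dict, region: str, config_path: str) -> str:
    """Remediation step 04, with the version and destination ids read from the description."""
    stream = description["DeliveryStreamDescription"]
    dest = stream["Destinations"][0]
    args = ["aws", "firehose", "update-destination", "--region", region,
            "--delivery-stream-name", stream["DeliveryStreamName"],
            "--current-delivery-stream-version-id", stream["VersionId"],
            "--destination-id", dest["DestinationId"],
            "--extended-s3-destination-update", f"file://{config_path}"]
    return " ".join(shlex.quote(a) for a in args)

def with_update_applied(description: dict, update: dict) -> dict:
    """Copy of the description as it should read after the update, for re-auditing."""
    new = json.loads(json.dumps(description))
    for dest in new["DeliveryStreamDescription"]["Destinations"]:
        _, s3_desc = s3_description(dest)
        if s3_desc is not None:
            s3_desc.update(update)
    return new

def main() -> None:
    """Pipe describe-delivery-stream output in; pass a KMS key ARN as argv[1] to print the fix."""
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    description = json.loads(raw) if raw.strip() else SAMPLE_DESCRIPTION
    findings = audit_delivery_stream(description)
    print("\n".join(findings) or "compliant: S3 destinations use KMS encryption")
    if findings and len(sys.argv) > 1:
        _, s3_desc = s3_description(description["DeliveryStreamDescription"]["Destinations"][0])
        print(json.dumps(build_extended_s3_update(s3_desc, sys.argv[1]), indent=2))
        print(update_destination_command(description, "us-east-1", "stream-destination-config.json"))

if __name__ == "__main__":
    main()
```

Typical use is `aws firehose describe-delivery-stream --region us-east-1 --delivery-stream-name <name> | python3 firehose_sse.py <kms-key-arn>`; redirect the printed JSON to stream-destination-config.json, then run the printed command. Because update-destination edits the extended S3 destination, the check reads ExtendedS3DestinationDescription first and falls back to S3DestinationDescription, and a KMSEncryptionConfig block with an empty key ARN is treated as unencrypted rather than as compliant.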

Publication date Aug 31, 2018
