Amazon Data Firehose delivery streams must enable server-side encryption at rest with AWS KMS regardless of the source type. Encryption of upstream sources such as Kinesis Data Streams or MSK does not replace the need to protect the delivery stream itself.
Risk
Unencrypted Firehose data at rest can be read by anyone who gains access to the underlying storage or its backups, harming confidentiality and integrity. Disk-level access, snapshots, or misconfigured destinations enable data exfiltration or tampering. Without KMS-backed controls, key rotation, segregation of duties, and auditability are also weaker.
prowler aws --checks firehose_stream_encrypted_at_rest
Recommendation
Enable server-side encryption for Firehose with AWS KMS. Prefer customer managed keys (CMEK) to enforce least privilege, rotation, and auditing. Ensure upstream Kinesis sources are encrypted and confirm MSK defaults meet policy. Monitor KMS health signals and deny writes without encryption. Apply defense in depth at destinations.
Remediation
aws firehose start-delivery-stream-encryption --delivery-stream-name <delivery-stream-name> --delivery-stream-encryption-configuration-input KeyType=AWS_OWNED_CMK
- In the AWS Console, go to Amazon Data Firehose
- Select the affected delivery stream and click Edit
- Under Server-side encryption, set to Enabled (choose AWS owned key)
- Click Save changes
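The following is an added example, not Prowler's own check implementation, showing how the rule on this page can be evaluated against the shape returned by the Firehose DescribeDeliveryStream API and how the encryption input for the remediation command is built. It assumes the documented `DeliveryStreamEncryptionConfiguration` fields (`Status`, `KeyType`, `KeyARN`); the sample stream descriptions and key ARN are constructed for offline use.

```python
"""Evaluate Amazon Data Firehose delivery streams for encryption at rest.

Added example (not Prowler's check code). A stream passes only when
DeliveryStreamEncryptionConfiguration.Status is ENABLED; any other state
(DISABLED, ENABLING, DISABLING, *_FAILED or missing) fails, matching the
rule on this page. The input dicts have the layout of the
DescribeDeliveryStream response; the samples below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    stream: str
    status: str    # "PASS" or "FAIL"
    key_type: str  # "AWS_OWNED_CMK", "CUSTOMER_MANAGED_CMK" or "NONE"
    detail: str


def evaluate_stream(description: dict) -> Finding:
    """Apply the encrypted-at-rest rule to one DeliveryStreamDescription."""
    name = description["DeliveryStreamName"]
    enc = description.get("DeliveryStreamEncryptionConfiguration", {})
    status = enc.get("Status", "DISABLED")
    key_type = enc.get("KeyType", "NONE")

    if status == "ENABLED":
        detail = f"encrypted at rest with {key_type}"
        if key_type == "CUSTOMER_MANAGED_CMK":
            detail += f" ({enc.get('KeyARN', 'key ARN not reported')})"
        else:
            # Passes the check, but the recommendation prefers a customer managed key
            detail += "; prefer a customer managed key for rotation and audit control"
        return Finding(name, "PASS", key_type, detail)

    # Transitional or failed states still leave data unprotected; report them as failures
    return Finding(name, "FAIL", "NONE", f"encryption status is {status}")


def remediation_input(key_arn: Optional[str] = None) -> dict:
    """Build the value for --delivery-stream-encryption-configuration-input.

    With no key ARN this is the AWS owned key shown in the remediation above;
    with a KMS key ARN it requests a customer managed key instead.
    """
    if key_arn:
        return {"KeyType": "CUSTOMER_MANAGED_CMK", "KeyARN": key_arn}
    return {"KeyType": "AWS_OWNED_CMK"}


# Constructed sample responses (not real account data).
EXAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"
SAMPLE_STREAMS = [
    {
        "DeliveryStreamName": "orders-to-s3",
        "DeliveryStreamEncryptionConfiguration": {
            "Status": "ENABLED",
            "KeyType": "CUSTOMER_MANAGED_CMK",
            "KeyARN": EXAMPLE_KEY_ARN,
        },
    },
    {
        "DeliveryStreamName": "logs-to-opensearch",
        "DeliveryStreamEncryptionConfiguration": {
            "Status": "ENABLED",
            "KeyType": "AWS_OWNED_CMK",
        },
    },
    {
        "DeliveryStreamName": "metrics-to-redshift",
        "DeliveryStreamEncryptionConfiguration": {"Status": "DISABLED"},
    },
    {
        # No encryption block at all, as returned for streams never configured
        "DeliveryStreamName": "legacy-export",
    },
]


def run(streams=SAMPLE_STREAMS) -> list:
    """Evaluate every stream description and return the findings."""
    return [evaluate_stream(s) for s in streams]


if __name__ == "__main__":
    for finding in run():
        print(f"{finding.status:4} {finding.stream:22} {finding.detail}")
```

In a live account, the same `evaluate_stream` function can be fed the `DeliveryStreamDescription` element of each `describe-delivery-stream` result; the `remediation_input` dict serialises directly to the `KeyType=...` argument used by `start-delivery-stream-encryption`.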
Source Code
Resource Type
AwsKinesisStream
References
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Firehose/delivery-stream-encrypted-with-kms-customer-master-keys.html
- https://docs.aws.amazon.com/firehose/latest/dev/encryption.html
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html
- https://docs.aws.amazon.com/securityhub/latest/userguide/datafirehose-controls.html#datafirehose-1