Firehose Delivery Stream Destination Encryption

Risk Level: Medium (should be achieved)

Rule ID: Firehose-001

Ensure that your Kinesis Firehose delivery stream data records are encrypted at destination (i.e. Amazon S3) in order to meet regulatory requirements and protect your Firehose data at rest. The Firehose data records can be encrypted in the destination bucket using an AWS-managed CMK or a KMS Customer Master Key (CMK).

This rule can help you with the following compliance standards:

PCI
HIPAA
GDPR
APRA
MAS
NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Organizations that must follow strict compliance and data security requirements often require that their data be encrypted at all times, including at rest or in transit within the AWS cloud. The encryption of Firehose data records delivered to Amazon S3 can help you meet these security requirements by providing an extra layer of protection for your data-at-rest.

Audit

To determine if your Firehose delivery stream data records are encrypted at destination, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Kinesis console at https://console.aws.amazon.com/kinesis/.

03 In the navigation panel, under Amazon Kinesis, choose Delivery streams.

04 Click on the name (link) of the Firehose delivery stream that you want to examine.

05 Select the Configuration tab to access the stream configuration details.

06 In the Destination settings section, under Compression and encryption, check the Encryption for data records attribute value. If the Encryption for data records attribute value is set to Disabled, the data records delivered by the selected Firehose delivery stream are not encrypted at destination.

07 Repeat steps no. 4 - 6 for each Firehose delivery stream available within the current AWS region.

08 Change the AWS cloud region from the navigation bar to repeat the Audit process for other regions.

Using AWS CLI

01 Run list-delivery-streams command (OSX/Linux/UNIX) to describe the name of each Kinesis Data Firehose delivery stream available in the selected AWS region:

aws firehose list-delivery-streams
  --region us-east-1
  --query 'DeliveryStreamNames'

02 The command output should return the requested delivery stream name(s):

[
    "cc-main-delivery-stream",
    "cc-iot-project-delivery-stream"
]

03 Run describe-delivery-stream command (OSX/Linux/UNIX) using the Firehose delivery stream that you want to examine as the identifier parameter and custom query filters to describe the encryption configuration used for data records at destination (i.e. Amazon S3) by the selected delivery stream:

aws firehose describe-delivery-stream
  --region us-east-1
  --delivery-stream-name cc-main-delivery-stream
  --query 'DeliveryStreamDescription.Destinations[*].ExtendedS3DestinationDescription.EncryptionConfiguration'

04 The command output should return the requested configuration information:

[
  {
    "NoEncryptionConfig": "NoEncryption"
  }
]

If the describe-delivery-stream command output returns "NoEncryption" for the encryption configuration, as shown in the example above, the data records delivered by the selected Firehose delivery stream are not encrypted at destination.

05 Repeat steps no. 3 and 4 for each Firehose delivery stream available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To ensure that your Firehose delivery stream data records are encrypted at destination (i.e. Amazon S3), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Kinesis console at https://console.aws.amazon.com/kinesis/.

03 In the navigation panel, under Amazon Kinesis, choose Delivery streams.

04 Click on the name of the Firehose delivery stream that you want to reconfigure.

05 Select the Configuration tab to access the stream configuration details.

06 In the Destination settings section, choose Edit, and perform the following operations:

Choose Buffer hints, compression and encryption.
Select Enabled under Encryption for data records to enable encryption for Firehose delivery stream data records at destination (i.e. Amazon S3).
For Encryption type, choose whether to use the default master key (i.e. aws/s3 managed key) or a KMS Customer Master Key (CMK) that you create. If you want to use a Customer Master Key (CMK), choose Browse under Customer managed CMK in KMS, and select the appropriate Amazon KMS Customer Master Key (CMK).
Choose Save changes to apply the changes. If successful, the Amazon Kinesis console should display the following confirmation message: "Successfully updated delivery stream <stream-name>".

07 Repeat steps no. 4 - 6 for each Firehose delivery stream that you want to reconfigure, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run describe-delivery-stream command (OSX/Linux/UNIX) using the name of the Firehose delivery stream that you want to reconfigure as the identifier parameter and custom query filters to return the selected stream configuration metadata, information required later when the delivery stream is reconfigured:

aws firehose describe-delivery-stream
	--region us-east-1
	--delivery-stream-name cc-main-delivery-stream

02 The command output should return the stream configuration information:

{
  "DeliveryStreamDescription": {
    "DeliveryStreamType": "DirectPut",
    "HasMoreDestinations": false,
    "LastUpdateTimestamp": 1633030856.449,
    "DeliveryStreamEncryptionConfiguration": {
      "KeyARN": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234",
      "Status": "ENABLED",
      "KeyType": "CUSTOMER_MANAGED_CMK"
    },
    "VersionId": "9",
    "CreateTimestamp": 1632989655.816,
    "DeliveryStreamARN": "arn:aws:firehose:us-east-1:123456789012:deliverystream/cc-main-delivery-stream",
    "DeliveryStreamStatus": "ACTIVE",
    "DeliveryStreamName": "cc-main-delivery-stream",
    "Destinations": [
      {
        "DestinationId": "destinationId-000000000001",
        "ExtendedS3DestinationDescription": {
          "EncryptionConfiguration": {
            "NoEncryptionConfig": "NoEncryption"
          },
          "DataFormatConversionConfiguration": {
            "Enabled": false
          },
          "RoleARN":
          "arn:aws:iam::123456789012:role/service-role/KinesisFirehoseServiceRole-cc-main-delivery-stream-us-east-1-1632989075086",
          "CompressionFormat": "UNCOMPRESSED",
          "BufferingHints": {
            "IntervalInSeconds": 300,
            "SizeInMBs": 5
          },
          "ErrorOutputPrefix": "",
          "Prefix": "",
          "S3BackupMode": "Disabled",
          "CloudWatchLoggingOptions": {
            "Enabled": true,
            "LogStreamName": "DestinationDelivery",
            "LogGroupName": "/aws/kinesisfirehose/cc-main-delivery-stream"
          },
          "BucketARN": "arn:aws:s3:::cc-kinesis-s3-bucket",
          "ProcessingConfiguration": {
            "Enabled": false,
            "Processors": []
          }
        },
        "S3DestinationDescription": {
          "EncryptionConfiguration": {
            "NoEncryptionConfig": "NoEncryption"
          },
          "RoleARN":
          "arn:aws:iam::123456789012:role/service-role/KinesisFirehoseServiceRole-cc-main-delivery-stream-us-east-1-1632989075086",
          "CompressionFormat": "UNCOMPRESSED",
          "BufferingHints": {
            "IntervalInSeconds": 300,
            "SizeInMBs": 5
          },
          "ErrorOutputPrefix": "",
          "Prefix": "",
          "CloudWatchLoggingOptions": {
            "Enabled": true,
            "LogStreamName": "DestinationDelivery",
            "LogGroupName": "/aws/kinesisfirehose/cc-main-delivery-stream"
          },
          "BucketARN": "arn:aws:s3:::cc-kinesis-s3-bucket"
        }
      }
    ]
  }
}

03 Create the configuration document required for the update-destination command using the information returned at the previous step and save the document to a JSON file named data-destination-config.json. The "AWSKMSKeyARN" attribute value (highlighted) represents the ARN of the KMS key used to encrypt your Firehose delivery stream data records at destination:

{
  "RoleARN":
  "arn:aws:iam::123456789012:role/service-role/KinesisFirehoseServiceRole-cc-main-delivery-stream-us-east-1-1632989075086",
  "BucketARN": "arn:aws:s3:::cc-kinesis-s3-bucket",
  "Prefix": "",
  "BufferingHints": {
    "SizeInMBs": 5,
    "IntervalInSeconds": 300
  },
  "CompressionFormat": "UNCOMPRESSED",
  "EncryptionConfiguration": {
    "KMSEncryptionConfig": {
      "AWSKMSKeyARN": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcdabcdabcd"
    }
  },
  "CloudWatchLoggingOptions": {
    "Enabled": true,
    "LogGroupName": "/aws/kinesisfirehose/cc-main-delivery-stream",
    "LogStreamName": "DestinationDelivery"
  },
  "ProcessingConfiguration": {
    "Enabled": false,
    "Processors": []
  },
  "S3BackupMode": "Disabled"
}

04 Run update-destination command (OSX/Linux/UNIX) using the Firehose delivery stream that you want to reconfigure as the identifier parameter, to update the destination configuration of the selected delivery stream in order to enable encryption of delivery stream data records at destination (the command does not produce an output):

aws firehose update-destination
  --region us-east-1
  --delivery-stream-name cc-main-delivery-stream
  --current-delivery-stream-version-id 3
  --destination-id destinationId-000000000001
  --extended-s3-destination-update file://data-destination-config.json

05 Repeat steps no. 1 – 4 for each Firehose delivery stream that you want to reconfigure, available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

AWS Command Line Interface (CLI) Documentation
firehose
list-delivery-streams
describe-delivery-stream
update-destination

Publication date Aug 31, 2018

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related Firehose rules