Ensure AWS Kinesis Firehose Delivery Streams are encrypted with CMK
Error: AWS Kinesis Firehose Delivery Streams are not encrypted with CMK
Bridgecrew Policy ID: BC_AWS_GENERAL_115
Checkov Check ID: CKV_AWS_241
Severity: LOW
Description
This policy identifies Kinesis Firehose delivery streams whose server-side encryption is disabled or uses an AWS-owned KMS key rather than a customer managed key (CMK). When Firehose encrypts the records it buffers with an AWS-owned key, you have no control over that key: you cannot set its key policy, enable or audit rotation, restrict which principals may use it, or disable it. Encrypting the delivery stream with a customer managed KMS key gives you that control and produces CloudTrail records for every use of the key. Note that this setting covers the stream's own buffered data; encryption of the destination (for example the S3 bucket) is configured separately.
Fix - Runtime
TBD
Fix - Buildtime
Terraform
Resource: aws_kinesis_firehose_delivery_stream
Arguments: server_side_encryption.enabled, server_side_encryption.key_type, server_side_encryption.key_arn (server_side_encryption is a top-level block of the resource, not part of s3_configuration; key_type defaults to AWS_OWNED_CMK when omitted, so it must be set to CUSTOMER_MANAGED_CMK explicitly)
resource "aws_kinesis_firehose_delivery_stream" "pass" {
  name        = "terraform-kinesis-firehose-test-stream"
  destination = "s3"

  s3_configuration {
    role_arn   = aws_iam_role.firehose_role.arn
    bucket_arn = aws_s3_bucket.bucket.arn
  }

  # Encryption of the stream's buffered records; this block is what the policy inspects.
  server_side_encryption {
    enabled  = true # default is false
    key_type = "CUSTOMER_MANAGED_CMK" # default is AWS_OWNED_CMK, which fails the check
    key_arn  = aws_kms_key.example.arn # required when key_type is CUSTOMER_MANAGED_CMK
  }

  tags = {
    test = "pass"
  }
}
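For contrast, the following is an added example (not code from the original page or from Checkov): the two configurations that fail CKV_AWS_241, a stream with no server_side_encryption block and a stream that enables encryption but leaves key_type at its AWS_OWNED_CMK default, next to a passing stream and the customer managed key it uses. Resource names, the IAM role, the bucket and the key are assumed placeholders.

```hcl
# Added example, not from the original page. Role, bucket and key names are assumed.

# FAIL: no server_side_encryption block, so records buffered by Firehose are
# stored without encryption at rest.
resource "aws_kinesis_firehose_delivery_stream" "fail_no_sse" {
  name        = "firehose-no-sse"
  destination = "s3"

  s3_configuration {
    role_arn   = aws_iam_role.firehose_role.arn
    bucket_arn = aws_s3_bucket.bucket.arn
  }
}

# FAIL: encryption is enabled but key_type is omitted, so it defaults to
# AWS_OWNED_CMK. The key is owned and managed by AWS; you cannot set its
# policy, audit or rotate it, or disable it.
resource "aws_kinesis_firehose_delivery_stream" "fail_aws_owned_key" {
  name        = "firehose-aws-owned-key"
  destination = "s3"

  s3_configuration {
    role_arn   = aws_iam_role.firehose_role.arn
    bucket_arn = aws_s3_bucket.bucket.arn
  }

  server_side_encryption {
    enabled = true
  }
}

# Customer managed key for the passing stream. Rotation and a deletion window
# are set here because a CMK that is never rotated, or that can be deleted
# with no waiting period, gives up much of the control the policy is after.
resource "aws_kms_key" "firehose" {
  description             = "CMK for Firehose delivery stream server-side encryption"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

# PASS: encryption enabled with the customer managed key above.
resource "aws_kinesis_firehose_delivery_stream" "pass_cmk" {
  name        = "firehose-customer-managed-key"
  destination = "s3"

  s3_configuration {
    role_arn   = aws_iam_role.firehose_role.arn
    bucket_arn = aws_s3_bucket.bucket.arn
  }

  server_side_encryption {
    enabled  = true
    key_type = "CUSTOMER_MANAGED_CMK"
    key_arn  = aws_kms_key.firehose.arn
  }
}
```

Running `checkov -f main.tf --check CKV_AWS_241` against a file containing these resources reports the first two streams as failed and the third as passed. Two caveats the check itself does not cover: the key policy of `aws_kms_key.firehose` (and the permissions of the principals that write to and manage the stream) must still allow use of the key, or stream creation and delivery will fail at runtime; and the CMK here protects only the data Firehose buffers, so the S3 destination bucket needs its own encryption configuration.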