| Plugin Title | Firehose Delivery Streams Encrypted |
| Cloud | AWS |
| Category | Firehose |
| Description | Ensures Firehose Delivery Stream encryption is enabled |
| More Info | Data sent through Firehose Delivery Streams can be encrypted using KMS server-side encryption. Existing delivery streams can be modified to add encryption with minimal overhead. |
| AWS Link | https://docs.aws.amazon.com/firehose/latest/dev/encryption.html |
| Recommended Action | Enable encryption using KMS for all Firehose Delivery Streams. |
- Log in to the AWS Management Console.
- Select the "Services" option and search for "Kinesis".
- Under the "Amazon Kinesis dashboard" choose "Data Firehose" or "Delivery streams" from the left navigation panel.
- Select the "Firehose Delivery System" that needs to be verified and click on the "Name" to access the delivery stream.
- Select the "Configuration" tab and scroll down to "Server-side encryption (SSE)" and if it's set to "Disabled" then the selected "Firehose Delivery System" data is not encrypted.
- Enable the "Encryption" on selected "Firehose Delivery System" by clicking on the "Edit" button.
- On the Edit page select "Enable server-side encryption for source records in delivery stream" under "Server-side encryption".
- Under "Encryption type" select "Use AWS owned CMK" if you want to create a new customer managed key for encryption.
- If you already have your own encryption key then select "Use customer managed CMK" under "Encryption type" and select the existing key.
- Click on the "Save changes" button to make the necessary changes. On the successful configuration changes, one will get "Successfully updated delivery stream" message.
- Repeat steps number 4 to 10 to verify all other "Firehose Delivery streams".
