Security Best Practices for Kinesis Data Firehose.
When you use your own Amazon KMS Customer-managed CMKs to protect your Kinesis Data Firehose delivery streams, you have complete control over who can use the encryption keys to access your streaming data. Amazon KMS service allows you to easily create, rotate, disable, and audit the CMK encryption keys for your Kinesis Data Firehose delivery streams.
To determine the encryption status for your Firehose delivery streams, perform the following actions:
Using AWS CLI
1. Run the list-delivery-streams command (OSX/Linux/UNIX) to list the name of each Kinesis Data Firehose delivery stream available in the selected AWS region:
aws firehose list-delivery-streams \
  --region us-east-1 \
  --query 'DeliveryStreamNames'
2. The command output should return the requested delivery stream name(s):
[
"cc-project5-delivery-stream",
"cc-iot-system-delivery-stream"
]
3. Run the describe-delivery-stream command (OSX/Linux/UNIX) using the name of the Firehose delivery stream that you want to examine as the identifier parameter, and a custom query filter to return the type of the master key used to encrypt the selected delivery stream:
aws firehose describe-delivery-stream \
  --region us-east-1 \
  --delivery-stream-name cc-project5-delivery-stream \
  --query 'DeliveryStreamDescription.DeliveryStreamEncryptionConfiguration.KeyType'
4. The command output should return the type of the associated master key:
"AWS_OWNED_CMK"
If the describe-delivery-stream command output returns null, the selected Firehose delivery stream is not encrypted using SSE. If the command output returns "AWS_OWNED_CMK", as shown in the example above, the selected Amazon Kinesis Data Firehose delivery stream is encrypted using the default master key (AWS-managed key) instead of a KMS Customer-managed CMK.
5. Repeat steps no. 3 and 4 for each Firehose delivery stream available in the selected AWS region.
6. Change the AWS region by updating the --region command parameter value and repeat the audit process for the other regions.
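To apply the check from steps 1 to 5 to every delivery stream in a region at once, here is an added Python example (not code from the original post) that classifies describe-delivery-stream output. The SAMPLE responses are constructed, and boto3 is assumed to be installed only for the live scan_region helper; the classifier itself runs offline.

```python
from typing import Dict, List

# Verdict labels for the report (the two KeyType strings are the AWS values)
UNENCRYPTED = "NOT_ENCRYPTED"
DEFAULT_KEY = "AWS_OWNED_CMK"
CUSTOMER_KEY = "CUSTOMER_MANAGED_CMK"
CHECK_SOURCE = "CHECK_SOURCE_KINESIS_STREAM"

def classify(description: Dict) -> str:
    """Map one DeliveryStreamDescription to a verdict: null KeyType means no SSE,
    AWS_OWNED_CMK the default key, CUSTOMER_MANAGED_CMK a customer-managed CMK.
    A stream fed by a Kinesis data stream is encrypted on that source stream
    (remediation step 5, second case), so it is flagged for a separate check."""
    if "KinesisStreamSourceDescription" in (description.get("Source") or {}):
        return CHECK_SOURCE
    enc = description.get("DeliveryStreamEncryptionConfiguration") or {}
    key_type = enc.get("KeyType")
    # SSE that was enabled and later stopped reports Status DISABLED: treat as off
    if key_type is None or enc.get("Status") == "DISABLED":
        return UNENCRYPTED
    if key_type in (DEFAULT_KEY, CUSTOMER_KEY):
        return key_type
    raise ValueError(f"unexpected KeyType {key_type!r}")

def noncompliant(descriptions: Dict[str, Dict]) -> List[str]:
    """Names of streams not protected by a customer-managed CMK, sorted."""
    return sorted(n for n, d in descriptions.items() if classify(d) != CUSTOMER_KEY)

def scan_region(region: str) -> Dict[str, str]:
    """Live version of audit steps 1-5 for one region (needs boto3 and credentials)."""
    import boto3  # imported lazily so the offline part runs without it
    fh = boto3.client("firehose", region_name=region)
    report, kwargs = {}, {}
    while True:  # list_delivery_streams pages by the last name returned
        page = fh.list_delivery_streams(**kwargs)
        for name in page["DeliveryStreamNames"]:
            desc = fh.describe_delivery_stream(DeliveryStreamName=name)
            report[name] = classify(desc["DeliveryStreamDescription"])
        if not page["HasMoreDeliveryStreams"]:
            return report
        kwargs = {"ExclusiveStartDeliveryStreamName": page["DeliveryStreamNames"][-1]}

# Constructed sample responses, trimmed to the fields the classifier reads
SAMPLE = {
    "cc-project5-delivery-stream": {"DeliveryStreamEncryptionConfiguration": {"KeyType": "AWS_OWNED_CMK", "Status": "ENABLED"}},
    "cc-iot-system-delivery-stream": {"DeliveryStreamEncryptionConfiguration": {}},
    "cc-kinesis-fed-stream": {"Source": {"KinesisStreamSourceDescription": {"KinesisStreamARN": "arn:aws:kinesis:us-east-1:123456789012:stream/cc-project5-data-stream"}}},
    "cc-cmk-stream": {"DeliveryStreamEncryptionConfiguration": {"KeyType": "CUSTOMER_MANAGED_CMK", "Status": "ENABLED"}},
}
```

Calling noncompliant(scan_region("us-east-1")) for each region reproduces steps 5 and 6 of the audit; streams flagged CHECK_SOURCE_KINESIS_STREAM need their source data stream inspected instead.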
To encrypt existing Amazon Kinesis Data Firehose delivery streams using your own Amazon KMS Customer-managed CMKs, perform the following actions:
Using AWS CLI
1. Define the policy that enables the selected IAM users and/or roles to manage your new Customer-managed CMK, and to encrypt/decrypt your Firehose delivery streams using the KMS API. Create a new policy document (JSON format), name the file data-firehose-cmk-policy.json, and paste the following content (replace the placeholder details, i.e. <aws-account-id> and the ARNs for the IAM users and/or roles, with your own details):
{
"Id": "data-firehose-cmk-policy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<aws-account-id>:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
2. Run the create-key command (OSX/Linux/UNIX) using the policy document created in the previous step (i.e. data-firehose-cmk-policy.json) as the value for the --policy parameter, to create your new Customer-managed CMK:
aws kms create-key \
  --region us-east-1 \
  --description 'KMS CMK for encrypting Firehose delivery streams' \
  --policy file://data-firehose-cmk-policy.json \
  --query 'KeyMetadata.Arn'
3. The command output should return the ARN of the new Customer-managed CMK:
"arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"
4. Run the create-alias command (OSX/Linux/UNIX) using the key ARN returned in the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):
aws kms create-alias \
  --region us-east-1 \
  --alias-name alias/DeliveryStreamCMK \
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd
5. Based on the data source type configured for the selected Firehose delivery stream, perform one of the following sets of commands:
- If the data source is Direct PUT, run the start-delivery-stream-encryption command (OSX/Linux/UNIX) using the name of the Firehose delivery stream that you want to reconfigure as the identifier parameter, to enable Server-Side Encryption (SSE) for the selected delivery stream using the KMS Customer-managed CMK created in the previous steps (the command does not produce an output):
aws firehose start-delivery-stream-encryption \
  --region us-east-1 \
  --delivery-stream-name cc-project5-delivery-stream \
  --delivery-stream-encryption-configuration-input KeyARN="arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd",KeyType="CUSTOMER_MANAGED_CMK"
- If the data source is Amazon Kinesis Data Streams, run the start-stream-encryption command (OSX/Linux/UNIX) using the name of the data stream associated with your Firehose delivery stream as the identifier parameter, to enable Server-Side Encryption (SSE) for the specified data stream using the KMS Customer-managed CMK created earlier in the remediation process (the command does not return an output):
aws kinesis start-stream-encryption \
  --region us-east-1 \
  --stream-name cc-project5-data-stream \
  --encryption-type KMS \
  --key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd
6. Repeat step no. 5 for each Firehose delivery stream that you want to encrypt using Customer Master Keys, available in the selected AWS region.
7. Change the AWS region by updating the --region command parameter value and repeat the remediation process for the other regions.