Firehose Delivery Stream Destination Encryption
More Info:
Ensure that your Kinesis Firehose delivery stream data records are encrypted at destination (i.e. Amazon S3) in order to meet regulatory requirements and protect your Firehose data at rest. The Firehose data records can be encrypted in the destination bucket using an AWS-managed CMK or a KMS Customer Master Key (CMK).
Risk Level
Medium
Address
Cost optimization, Operational Maturity, Security
Compliance Standards
HIPAA, GDPR, CISAWS, CBP, NIST
Triage and Remediation
Remediation
To remediate the misconfiguration of Firehose Delivery Stream Destination Encryption for AWS DynamoDB using the AWS console, follow these steps:
- Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account.
- Navigate to Amazon Kinesis: In the AWS Management Console, navigate to the Amazon Kinesis service by either searching for it in the search bar or locating it under the “Analytics” section.
- Select the Kinesis Data Firehose service: Click on “Kinesis Data Firehose” from the list of services.
- Choose your Delivery Stream: Select the specific delivery stream that is connected to the DynamoDB table that you want to remediate.
- Edit the Delivery Stream: Click on the “Edit” button to modify the settings of the delivery stream.
- Enable Server-Side Encryption: In the “Destination” section, locate the “Server-Side Encryption” option and enable it.
- Select the Encryption Type: Choose the appropriate encryption type for your DynamoDB data. You can select either “AWS KMS master key” or “Amazon S3 master key” based on your security requirements.
- Configure Encryption Settings: Follow the on-screen instructions to configure the encryption settings, such as selecting the KMS key or S3 key to use for encryption.
- Save Changes: Once you have configured the encryption settings, click on the “Save” button to apply the changes to the delivery stream.
- Verify Encryption Configuration: After saving the changes, verify that the server-side encryption is enabled for the delivery stream by checking the settings.
By following these steps, you can remediate the misconfiguration of Firehose Delivery Stream Destination Encryption for AWS DynamoDB using the AWS console.
To remediate the misconfiguration of Firehose Delivery Stream Destination Encryption for AWS DynamoDB using AWS CLI, follow these steps:
- Open your terminal or command prompt.
- Use the following AWS CLI command to update the Firehose Delivery Stream so that records are encrypted at the destination with a KMS key (the call is rejected unless the version ID matches the stream's current version; read it and the destination ID from describe-delivery-stream first):
aws firehose update-destination --delivery-stream-name YOUR_DELIVERY_STREAM_NAME --current-delivery-stream-version-id YOUR_DELIVERY_STREAM_VERSION_ID --destination-id YOUR_DESTINATION_ID --extended-s3-destination-update '{ "EncryptionConfiguration": { "KMSEncryptionConfig": { "AWSKMSKeyARN": "YOUR_KMS_KEY_ARN" } } }'
Replace the placeholders with the actual values:
- YOUR_DELIVERY_STREAM_NAME: The name of your Firehose Delivery Stream.
- YOUR_DELIVERY_STREAM_VERSION_ID: The current version ID of your Firehose Delivery Stream.
- YOUR_DESTINATION_ID: The ID of the destination you want to update.
- YOUR_KMS_KEY_ARN: The ARN of the KMS key (AWS-managed or customer-managed CMK) that will encrypt the delivered records.
- After running the command, the Firehose Delivery Stream Destination Encryption for AWS DynamoDB should be successfully updated to use KMS encryption at the destination.
By following these steps, you should be able to remediate the misconfiguration of Firehose Delivery Stream Destination Encryption for AWS DynamoDB using AWS CLI.
To remediate the misconfiguration of Firehose Delivery Stream Destination Encryption for AWS DynamoDB using Python, you can follow these steps:
- Install the AWS SDK for Python (Boto3) if you haven’t already. You can install it using pip:
pip install boto3
- Use the following Python script to update the Firehose Delivery Stream Destination Encryption for AWS DynamoDB:
import boto3

def remediate_firehose_encryption():
    # Initialize the Kinesis Data Firehose client
    firehose_client = boto3.client('firehose')
    # Specify the Firehose Delivery Stream name
    delivery_stream_name = 'YOUR_DELIVERY_STREAM_NAME'
    # Specify the KMS key ARN for encryption
    kms_key_arn = 'YOUR_KMS_KEY_ARN'
    # Look up the stream's current version ID and its destination ID:
    # update_destination rejects the call if the version ID is stale
    description = firehose_client.describe_delivery_stream(
        DeliveryStreamName=delivery_stream_name
    )['DeliveryStreamDescription']
    version_id = description['VersionId']
    destination_id = description['Destinations'][0]['DestinationId']
    # Update the Delivery Stream with the specified KMS key for encryption
    firehose_client.update_destination(
        DeliveryStreamName=delivery_stream_name,
        CurrentDeliveryStreamVersionId=version_id,
        DestinationId=destination_id,
        ExtendedS3DestinationUpdate={
            'EncryptionConfiguration': {
                'KMSEncryptionConfig': {
                    'AWSKMSKeyARN': kms_key_arn
                }
            }
        }
    )
    print('Firehose Delivery Stream Destination Encryption has been successfully updated.')

if __name__ == '__main__':
    remediate_firehose_encryption()
- Replace 'YOUR_DELIVERY_STREAM_NAME' with the name of your Firehose Delivery Stream and 'YOUR_KMS_KEY_ARN' with the ARN of the KMS key you want to use for encryption.
- Run the Python script to update the Firehose Delivery Stream Destination Encryption for AWS DynamoDB.
By following these steps, you can successfully remediate the misconfiguration of Firehose Delivery Stream Destination Encryption for AWS DynamoDB using Python.
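To confirm the remediation took effect, or to find every delivery stream in an account that still writes unencrypted records to S3, the check below evaluates DescribeDeliveryStream responses and reports the VersionId and DestinationId that update-destination needs. This is an added example, not code from the original page; the field names follow the Firehose API and the two sample responses are constructed.

```python
# Added example (not from the page): audit Firehose delivery streams for S3
# destinations that still lack a KMS key. Field names follow the Firehose
# DescribeDeliveryStream / ListDeliveryStreams APIs; the sample responses are constructed.
from typing import List, Optional

# Constructed DescribeDeliveryStream responses, trimmed to the fields the check reads.
SAMPLE_UNENCRYPTED = {"DeliveryStreamDescription": {
    "DeliveryStreamName": "orders-to-s3", "VersionId": "3",
    "Destinations": [{"DestinationId": "destinationId-000000000001",
        "ExtendedS3DestinationDescription": {"BucketARN": "arn:aws:s3:::constructed-bucket",
            "EncryptionConfiguration": {"NoEncryptionConfig": "NoEncryption"}}}]}}
SAMPLE_ENCRYPTED = {"DeliveryStreamDescription": {
    "DeliveryStreamName": "audit-to-s3", "VersionId": "7",
    "Destinations": [{"DestinationId": "destinationId-000000000001",
        "ExtendedS3DestinationDescription": {"BucketARN": "arn:aws:s3:::constructed-bucket",
            "EncryptionConfiguration": {"KMSEncryptionConfig": {
                "AWSKMSKeyARN": "arn:aws:kms:us-east-1:123456789012:key/constructed"}}}}]}}

def evaluate_destination_encryption(description: dict) -> List[dict]:
    """One finding per S3 / extended-S3 destination: compliant only when KMSEncryptionConfig
    carries a key ARN (NoEncryptionConfig or no EncryptionConfiguration at all is a finding).
    VersionId and DestinationId are returned because update-destination needs both."""
    stream = description["DeliveryStreamDescription"]
    findings = []
    for dest in stream.get("Destinations", []):
        s3 = dest.get("ExtendedS3DestinationDescription") or dest.get("S3DestinationDescription")
        if s3 is None:
            continue  # non-S3 destinations are out of scope for this check
        key_arn = s3.get("EncryptionConfiguration", {}).get("KMSEncryptionConfig", {}).get("AWSKMSKeyARN")
        findings.append({"stream": stream["DeliveryStreamName"], "version_id": stream["VersionId"],
                         "destination_id": dest["DestinationId"], "compliant": bool(key_arn),
                         "kms_key_arn": key_arn})
    return findings

def audit_account(region_name: Optional[str] = None) -> List[dict]:
    """Run the check over every stream in the account (needs firehose:ListDeliveryStreams and
    firehose:DescribeDeliveryStream); boto3 is imported lazily so the evaluator runs offline."""
    import boto3
    client = boto3.client("firehose", region_name=region_name)
    names, last = [], None
    while True:  # ListDeliveryStreams pages by the last name returned
        page = client.list_delivery_streams(**({"ExclusiveStartDeliveryStreamName": last} if last else {}))
        names.extend(page["DeliveryStreamNames"])
        if not page["HasMoreDeliveryStreams"]:
            break
        last = names[-1]
    return [f for n in names
            for f in evaluate_destination_encryption(client.describe_delivery_stream(DeliveryStreamName=n))]
```

Run evaluate_destination_encryption on the two samples to see one finding and one compliant destination; audit_account does the same across a real account with the credentials boto3 picks up.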