More Info:

Ensure that your Amazon Kinesis Data Firehose delivery streams are encrypted using Server-Side Encryption. It is recommended for added security to use KMS Customer-managed Customer Master Keys (CMKs) instead of AWS managed-keys, in order to have full control over the encryption and decryption process and meet regulatory requirements. Amazon Kinesis Data Firehose is a fully managed service designed for real-time streaming data delivery to destinations such as Amazon S3, Amazon Redshift, Amazon ElasticSearch Service, and Splunk.

Risk Level

High

Address

Cost optimization, Operational Maturity, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of enabling Firehose Delivery Stream Server-Side Encryption for AWS DynamoDB using the AWS Management Console, follow these step-by-step instructions:
  1. Sign in to the AWS Management Console:
  2. Navigate to Amazon Kinesis Data Firehose:
    • In the AWS Management Console, search for “Kinesis” in the search bar at the top and select “Kinesis” under the Analytics section.
  3. Select the Firehose Delivery Stream:
    • Click on the “Delivery Streams” option on the left sidebar to view a list of your existing Firehose delivery streams.
    • Select the Firehose delivery stream that is connected to your DynamoDB table and requires server-side encryption.
  4. Enable Server-Side Encryption:
    • In the selected Firehose delivery stream details page, click on the “Edit” button to modify the settings.
    • Scroll down to the “Server-side encryption” section and select the option for “Enable server-side encryption.”
    • Choose the appropriate KMS key from the dropdown menu or create a new KMS key if necessary.
  5. Save Changes:
    • After enabling server-side encryption and selecting the KMS key, click on the “Save” button to apply the changes to the Firehose delivery stream.
  6. Verify Encryption Configuration:
    • Once the changes are saved, verify that server-side encryption is enabled for the Firehose delivery stream by checking the settings in the details page.
By following these steps, you will successfully remediate the misconfiguration by enabling Firehose Delivery Stream Server-Side Encryption for AWS DynamoDB using the AWS Management Console.

To enable server-side encryption for an AWS Kinesis Data Firehstream using AWS CLI, follow these steps:
  1. Open the AWS CLI and run the following command to enable server-side encryption for the Firehose Delivery Stream:
aws firehose update-delivery-stream \
--delivery-stream-name YOUR_DELIVERY_STREAM_NAME \
--extended-s3-destination-update EncryptionConfiguration.Enabled=true,EncryptionConfiguration.KeyType=AWS_OWNED_CMK
Make sure to replace YOUR_DELIVERY_STREAM_NAME with the actual name of your Firehose Delivery Stream.
  1. Once the command is executed successfully, the server-side encryption will be enabled for the specified Firehose Delivery Stream using the AWS-owned Customer Master Key (CMK).
  2. You can verify the changes by describing the delivery stream using the following command: 
aws firehose describe-delivery-stream --delivery-stream-name YOUR_DELIVERY_STREAM_NAME
Look for the EncryptionConfiguration section in the output to confirm that server-side encryption is enabled.By following these steps, you can remediate the misconfiguration and enable server-side encryption for an AWS Kinesis Data Firehose Delivery Stream using AWS CLI.
To remediate the misconfiguration of enabling Firehose Delivery Stream Server-Side Encryption for AWS DynamoDB using Python, follow these steps:
  1. Import the necessary libraries:
import boto3
  1. Initialize the AWS DynamoDB client:
dynamodb = boto3.client('dynamodb')
  1. Get the list of all the existing DynamoDB tables:
tables = dynamodb.list_tables()
  1. Iterate through each table and enable server-side encryption for the desired table:
for table_name in tables['TableNames']:
    response = dynamodb.update_table(
        TableName=table_name,
        SSESpecification={
            'Enabled': True,
            'SSEType': 'KMS'
        }
    )
    print(f"Server-side encryption enabled for table: {table_name}")
  1. Run the Python script to enable server-side encryption for all the DynamoDB tables.
By following these steps, you can remediate the misconfiguration of enabling Firehose Delivery Stream Server-Side Encryption for AWS DynamoDB using Python.

Additional Reading: