Posted On: Nov 26, 2019
Amazon Kinesis Data Firehose now provides additional protection of sensitive data through customer-provided keys for server-side encryption (SSE) of delivery streams. This feature is integrated with AWS Key Management Service (KMS), which allows you to centrally manage keys that protect Kinesis Data Firehose delivery streams along with keys that protect your other AWS resources.
When you ingest records to encrypted delivery streams, Amazon Kinesis Data Firehose immediately encrypts your messages. The encryption takes place on the server, using a 256-bit AES-GCM algorithm and a customer master key (CMK) issued by AWS KMS. Kinesis Data Firehose now works with both customer-provided CMKs and AWS-provided CMKs. The records are stored in encrypted form in multiple availability zones (AZs), and decrypted only as they are delivered to destinations like Amazon S3, Amazon Elasticsearch Service, Amazon Redshift and Splunk. To learn more, visit Security in Amazon Kinesis Data Firehose.
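As an added example (not code from AWS or from this announcement), the following Python audit helper shows what a defender would check and configure once this feature is in use: it inspects a DescribeDeliveryStream response to confirm that server-side encryption is actually ENABLED and backed by a customer-managed CMK rather than an AWS-owned one, optionally pins the expected key ARN, and builds the StartDeliveryStreamEncryption request used to turn the feature on. It assumes the real Firehose API shapes (`DeliveryStreamEncryptionConfiguration` with `Status`, `KeyType` and `KeyARN`; `KeyType` values `AWS_OWNED_CMK` and `CUSTOMER_MANAGED_CMK`); the stream names, key ARN and API responses below are constructed sample data.

```python
"""Audit and enable KMS-backed SSE on a Kinesis Data Firehose delivery stream.

Added example, not AWS-provided code. Uses the documented API shapes:
DescribeDeliveryStream -> DeliveryStreamDescription.DeliveryStreamEncryptionConfiguration
with Status (ENABLED | ENABLING | ENABLING_FAILED | DISABLED | DISABLING |
DISABLING_FAILED), KeyType (AWS_OWNED_CMK | CUSTOMER_MANAGED_CMK) and KeyARN
(only present for a customer-managed CMK).
"""
from dataclasses import dataclass
from typing import Optional

CUSTOMER_MANAGED_CMK = "CUSTOMER_MANAGED_CMK"
AWS_OWNED_CMK = "AWS_OWNED_CMK"


@dataclass
class EncryptionFinding:
    stream_name: str
    status: str
    key_type: Optional[str]
    key_arn: Optional[str]
    compliant: bool
    reason: str


def assess_encryption(describe_response: dict,
                      required_key_arn: Optional[str] = None) -> EncryptionFinding:
    """Judge one DescribeDeliveryStream response against the policy
    'SSE enabled with a customer-managed CMK (optionally a specific key)'."""
    desc = describe_response["DeliveryStreamDescription"]
    name = desc["DeliveryStreamName"]
    # The block is absent entirely on streams that never had SSE configured.
    enc = desc.get("DeliveryStreamEncryptionConfiguration") or {}
    status = enc.get("Status", "DISABLED")
    key_type = enc.get("KeyType")
    key_arn = enc.get("KeyARN")

    if status != "ENABLED":
        # ENABLING / ENABLING_FAILED / DISABLING still mean records may land unencrypted.
        return EncryptionFinding(name, status, key_type, key_arn, False,
                                 f"SSE status is {status}, not ENABLED")
    if key_type != CUSTOMER_MANAGED_CMK:
        return EncryptionFinding(name, status, key_type, key_arn, False,
                                 "SSE uses an AWS-owned CMK; key policy and rotation are not under your control")
    if required_key_arn is not None and key_arn != required_key_arn:
        return EncryptionFinding(name, status, key_type, key_arn, False,
                                 f"SSE key {key_arn} is not the approved key {required_key_arn}")
    return EncryptionFinding(name, status, key_type, key_arn, True,
                             "SSE enabled with the expected customer-managed CMK")


def build_start_encryption_request(stream_name: str, key_arn: str) -> dict:
    """Parameters for StartDeliveryStreamEncryption with a customer-managed CMK."""
    return {
        "DeliveryStreamName": stream_name,
        "DeliveryStreamEncryptionConfigurationInput": {
            "KeyType": CUSTOMER_MANAGED_CMK,
            "KeyARN": key_arn,
        },
    }


def enable_customer_managed_sse(firehose_client, stream_name: str, key_arn: str) -> dict:
    """Issue the API call through a boto3-style client (e.g. boto3.client('firehose')).
    The client is injected so the logic can be exercised without AWS credentials."""
    return firehose_client.start_delivery_stream_encryption(
        **build_start_encryption_request(stream_name, key_arn))


# Constructed sample responses (not captured from a real account).
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

SAMPLE_CUSTOMER_MANAGED = {"DeliveryStreamDescription": {
    "DeliveryStreamName": "orders-stream",
    "DeliveryStreamEncryptionConfiguration": {
        "Status": "ENABLED", "KeyType": CUSTOMER_MANAGED_CMK, "KeyARN": SAMPLE_KEY_ARN}}}

SAMPLE_AWS_OWNED = {"DeliveryStreamDescription": {
    "DeliveryStreamName": "clickstream",
    "DeliveryStreamEncryptionConfiguration": {"Status": "ENABLED", "KeyType": AWS_OWNED_CMK}}}

SAMPLE_UNENCRYPTED = {"DeliveryStreamDescription": {"DeliveryStreamName": "legacy-logs"}}


if __name__ == "__main__":
    for resp in (SAMPLE_CUSTOMER_MANAGED, SAMPLE_AWS_OWNED, SAMPLE_UNENCRYPTED):
        f = assess_encryption(resp, required_key_arn=SAMPLE_KEY_ARN)
        print(f"{f.stream_name:16} compliant={f.compliant}  {f.reason}")
```

Against real infrastructure, pass `boto3.client("firehose")` to `enable_customer_managed_sse` and feed each `describe_delivery_stream(...)` result to `assess_encryption`; treating any status other than ENABLED as non-compliant matters because enabling is asynchronous and can end in ENABLING_FAILED (for example when the CMK's key policy does not grant Firehose the required permissions).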