Amazon Kinesis Data Firehose Adds Support For Customer-Provided Keys for Server-Side Encryption

Posted on: Nov 26, 2019

Amazon Kinesis Data Firehose now provides additional protection of sensitive data through customer-provided keys for server-side encryption (SSE) of delivery streams. This feature is integrated with AWS Key Management Service (KMS), which allows you to centrally manage keys that protect Kinesis Data Firehose delivery streams along with keys that protect your other AWS resources.

When you ingest records to encrypted delivery streams, Amazon Kinesis Data Firehose immediately encrypts your messages. The encryption takes place on the server, using a 256-bit AES-GCM algorithm and a customer master key (CMK) issued by AWS KMS. Kinesis Data Firehose now works with both customer-provided CMKs and AWS-provided CMKs. The records are stored in encrypted form in multiple availability zones (AZs), and decrypted only as they are delivered to destinations like Amazon S3, Amazon Elasticsearch Service, Amazon Redshift and Splunk. To learn more, visit Security in Amazon Kinesis Data Firehose.
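A practical follow-up to the paragraph above is verifying that every delivery stream actually ended up with SSE enabled under a customer-managed CMK rather than an AWS-owned one. The audit below is an added example, not code from AWS or the Firehose documentation; it classifies the `DeliveryStreamEncryptionConfiguration` block of a `DescribeDeliveryStream` response (`Status`, `KeyType`, `KeyARN`), the sample responses are constructed, and the key ARN is a placeholder.

```python
"""Audit Kinesis Data Firehose delivery streams for server-side encryption
with a customer-managed KMS key. The check runs on the shape of the
DescribeDeliveryStream response; the sample responses are constructed."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class EncryptionFinding:
    stream_name: str
    encrypted: bool          # SSE Status is ENABLED
    customer_managed: bool   # KeyType is CUSTOMER_MANAGED_CMK (not AWS_OWNED_CMK)
    key_arn: Optional[str]
    note: str

def audit_stream(description: dict) -> EncryptionFinding:
    """Classify one DeliveryStreamDescription dict."""
    name = description["DeliveryStreamName"]
    cfg = description.get("DeliveryStreamEncryptionConfiguration") or {}
    status = cfg.get("Status", "DISABLED")   # absent block: treat as disabled
    key_type = cfg.get("KeyType")
    encrypted = status == "ENABLED"
    customer_managed = encrypted and key_type == "CUSTOMER_MANAGED_CMK"
    if not encrypted:
        note = f"SSE status is {status}: records not protected by a KMS key"
    elif customer_managed:
        note = "SSE enabled with a customer-managed CMK"
    else:
        note = f"SSE enabled with {key_type}: key policy is not under your control"
    return EncryptionFinding(name, encrypted, customer_managed, cfg.get("KeyARN"), note)

def noncompliant(descriptions: List[dict]) -> List[str]:
    """Names of streams that are not encrypted with a customer-managed CMK."""
    return [f.stream_name for f in map(audit_stream, descriptions) if not f.customer_managed]

# Constructed sample responses; the key ARN is a placeholder, not a real key.
SAMPLE_STREAMS = [
    {"DeliveryStreamName": "orders-to-s3",
     "DeliveryStreamEncryptionConfiguration": {
         "Status": "ENABLED", "KeyType": "CUSTOMER_MANAGED_CMK",
         "KeyARN": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}},
    {"DeliveryStreamName": "clicks-to-es",
     "DeliveryStreamEncryptionConfiguration": {"Status": "ENABLED", "KeyType": "AWS_OWNED_CMK"}},
    {"DeliveryStreamName": "legacy-to-redshift"},   # no encryption configuration at all
]

def fetch_live_descriptions(region_name: str) -> List[dict]:
    """Same check against a real account (needs boto3 and credentials; not run on import)."""
    import boto3
    fh = boto3.client("firehose", region_name=region_name)
    names = fh.list_delivery_streams(Limit=100)["DeliveryStreamNames"]
    return [fh.describe_delivery_stream(DeliveryStreamName=n)["DeliveryStreamDescription"] for n in names]
```

Run `noncompliant(fetch_live_descriptions("us-east-1"))` to apply the same classification to a real region; a stream whose status is still `ENABLING` is reported as not yet encrypted.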

This capability is now available in all AWS Regions where Amazon Kinesis Data Firehose is available. There are no additional Kinesis Data Firehose charges for using this capability. You are only charged for AWS KMS usage. For pricing details, visit AWS KMS pricing.