AWS Kinesis Firehose Delivery Streams are not encrypted with CMK
Description
This policy identifies Elastic File Systems (EFSs) which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your EFS data. It gives you full control over the encrypted data.
Code Example
go
resource "aws_kinesis_firehose_delivery_stream" "pass" {
name = "terraform-kinesis-firehose-test-stream"
destination = "s3"
s3_configuration {
role_arn = aws_iam_role.firehose_role.arn
bucket_arn = aws_s3_bucket.bucket.arn
}
server_side_encryption {
enabled=true #default is false
key_type = "CUSTOMER_MANAGED_CMK"
key_arn = aws_kms_key.example.arn
}
tags = {
test = "failed"
}
}Remediation
Terraform
- Resource: aws_kinesis_firehose_delivery_stream
- Arguments: s3_configuration.server_side_encryption.key_arn
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0289 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_241 |