AWS Certified Developer - Associate: Encrypting Data at Rest with Kinesis Firehose



Question

You are developing an application that will use Kinesis Firehose to stream the records onto the Simple Storage Service.

Your company policy mandates that all data needs to be encrypted at rest.

How can you achieve this with Kinesis Firehose? Choose 2 answers from the options given below.

Answers

Explanations


Answer - A and D.

This is given in the AWS Documentation.

Option A is correct because you can enable encryption (encryption of data at rest) for Kinesis Data Firehose.

Option D is correct because when a Kinesis stream is chosen as the source, encryption of data at rest is enabled automatically.

Options B and C are invalid because SSL is used for encrypting data in transit, not data at rest.

For more information on data encryption with Kinesis Firehose, please refer to the URL below:

https://docs.aws.amazon.com/firehose/latest/dev/encryption.html

The correct answers to this question are A and C.

Kinesis Firehose is a managed service that allows you to capture, transform, and load streaming data into AWS services such as S3, Redshift, and Elasticsearch. To ensure that data is encrypted at rest when streamed through Kinesis Firehose, the following steps can be taken:

A. Enable Encryption on the Kinesis Data Firehose: Kinesis Firehose provides an option to enable Server-Side Encryption (SSE) using Amazon S3-Managed Keys (SSE-S3) or AWS Key Management Service (KMS) customer master keys (CMKs). When SSE-S3 is selected, Kinesis Firehose encrypts data at rest using S3-managed keys. When KMS CMKs are used, Kinesis Firehose encrypts the data using a customer-managed key that is stored in KMS.
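The two settings described above (server-side encryption of records buffered inside Firehose, and the KMS key used for the objects it writes to S3) live in different parts of a delivery stream's configuration, so a compliance check has to look at both. The following is an added example, not code from the page or from AWS: a small offline checker that takes a dict shaped like the DescribeDeliveryStream API response (`aws firehose describe-delivery-stream`) and reports where data at rest is not covered. The field names are assumed to follow that API; the two sample responses, the stream names, bucket and key ARNs are constructed for this example, and no AWS calls are made.

```python
"""Offline check: does a Kinesis Data Firehose delivery stream encrypt data at rest?

Input is a dict shaped like the DescribeDeliveryStream API response
(`aws firehose describe-delivery-stream`). Field names are assumed to follow
that API; the two sample responses at the bottom are constructed for this
example. No AWS calls are made.
"""
from typing import Any, Dict, List


def at_rest_findings(response: Dict[str, Any]) -> List[str]:
    """Return one finding per gap; an empty list means data at rest is covered.

    Two places hold data and are checked separately:
      1. records buffered inside Firehose: DeliveryStreamEncryptionConfiguration
         (server-side encryption, only configurable on DirectPut streams; a
         KinesisStreamAsSource stream inherits the source stream's encryption);
      2. the S3 destination: EncryptionConfiguration must name a KMS key.
         NoEncryption only defers to the bucket's default encryption, which
         this check cannot see, so it is reported as not enforced by Firehose.
    """
    stream = response["DeliveryStreamDescription"]
    findings: List[str] = []

    if stream.get("DeliveryStreamType") == "DirectPut":
        sse = stream.get("DeliveryStreamEncryptionConfiguration", {})
        status = sse.get("Status", "missing")
        if status != "ENABLED":
            findings.append(f"stream SSE status is {status}, expected ENABLED")

    for dest in stream.get("Destinations", []):
        s3 = dest.get("ExtendedS3DestinationDescription") or dest.get("S3DestinationDescription")
        if s3 is None:
            continue  # not an S3 destination; out of scope for this check
        enc = s3.get("EncryptionConfiguration", {})
        if not enc.get("KMSEncryptionConfig", {}).get("AWSKMSKeyARN"):
            findings.append(
                f"destination {dest.get('DestinationId')} does not set a KMS key for S3 objects"
            )
    return findings


# Constructed sample 1: DirectPut stream, SSE enabled, S3 objects encrypted with a KMS key.
SAMPLE_COMPLIANT = {
    "DeliveryStreamDescription": {
        "DeliveryStreamName": "orders-to-s3",
        "DeliveryStreamType": "DirectPut",
        "DeliveryStreamEncryptionConfiguration": {"KeyType": "AWS_OWNED_CMK", "Status": "ENABLED"},
        "Destinations": [
            {
                "DestinationId": "destinationId-000000000001",
                "ExtendedS3DestinationDescription": {
                    "BucketARN": "arn:aws:s3:::example-bucket",
                    "EncryptionConfiguration": {
                        "KMSEncryptionConfig": {
                            "AWSKMSKeyARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
                        }
                    },
                },
            }
        ],
    }
}

# Constructed sample 2: SSE never enabled and the destination left at NoEncryption.
SAMPLE_NONCOMPLIANT = {
    "DeliveryStreamDescription": {
        "DeliveryStreamName": "orders-to-s3-legacy",
        "DeliveryStreamType": "DirectPut",
        "DeliveryStreamEncryptionConfiguration": {"Status": "DISABLED"},
        "Destinations": [
            {
                "DestinationId": "destinationId-000000000001",
                "ExtendedS3DestinationDescription": {
                    "BucketARN": "arn:aws:s3:::example-bucket",
                    "EncryptionConfiguration": {"NoEncryptionConfig": "NoEncryption"},
                },
            }
        ],
    }
}

if __name__ == "__main__":
    for name, sample in (("compliant", SAMPLE_COMPLIANT), ("non-compliant", SAMPLE_NONCOMPLIANT)):
        print(name, at_rest_findings(sample) or ["ok"])
```

Run against real output by piping `aws firehose describe-delivery-stream --delivery-stream-name <name>` through `json.load` into `at_rest_findings`. The check deliberately treats a missing `DeliveryStreamEncryptionConfiguration` on a DirectPut stream as a finding, and it skips that check for KinesisStreamAsSource streams, where encryption follows the source stream rather than a Firehose setting.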

C. Ensure that all data records are transferred via SSL: SSL/TLS is a protocol used to secure data in transit by providing encryption and authentication between clients and servers. When transferring data from Kinesis Data Firehose to S3, ensure that SSL/TLS is used to secure the data in transit. Kinesis Firehose supports SSL/TLS encryption for the delivery of data to S3.

B. Install an SSL certificate in Kinesis Data Firehose: Installing an SSL certificate in Kinesis Data Firehose is not a valid option because SSL certificates are not used to encrypt data at rest. SSL certificates only encrypt data in transit between clients and servers.

D. Ensure that Kinesis streams are used to transfer the data from the producers: Using Kinesis streams to transfer data from producers is not a valid option because Kinesis streams are a separate AWS service that provides real-time streaming data processing. Kinesis Firehose is designed for capturing and delivering streaming data to storage and analytics services.