A company is planning to use AWS Kinesis Firehose to stream their log files to S3.
They need to ensure that the source data stream for Firehose is encrypted.
How can they achieve this? Choose 2 options.
A. B. C. D.
Answer - A and B.
The AWS Documentation mentions the following.
If you have sensitive data, you can enable server-side data encryption when you use Amazon Kinesis Data Firehose.
But you can only do this if you use a Kinesis data stream as your data source.
When you configure a Kinesis data stream as the data source of a Kinesis Data Firehose delivery stream, Kinesis Data Firehose no longer stores the data at rest.
Instead, the data is stored in the data stream.
When you send data from your data producers to your Kinesis data stream, Kinesis Data Streams encrypts your data using an AWS KMS key before storing it at rest.
When your Kinesis Data Firehose delivery stream reads the data from your Kinesis stream, Kinesis Data Streams first decrypts the data and then sends it to Kinesis Data Firehose.
Options C and D are incorrect since the encryption needs to be done at the stream level as per the requirement.
For more information on Firehose encryption, please visit the following URL:
https://docs.aws.amazon.com/firehose/latest/dev/encryption.html
To ensure that the source data stream for Kinesis Firehose is encrypted, there are two possible ways to achieve it:
Option A: Use Kinesis data streams as a source. Kinesis Data Streams is an AWS service that allows you to collect and process large streams of data records in real-time. It provides encryption for data in transit by default. By using Kinesis Data Streams as a source for Kinesis Firehose, the data will be encrypted while it's being transferred from Kinesis Data Streams to Kinesis Firehose. This will ensure that the source data stream for Kinesis Firehose is encrypted.
Option B: Enable encryption at rest in Kinesis Firehose. Kinesis Firehose allows you to enable server-side encryption for data at rest using AWS Key Management Service (KMS). By enabling encryption at rest in Kinesis Firehose, the data that is stored in Amazon S3 is encrypted. This will ensure that the source data stream for Kinesis Firehose is encrypted.
In addition to the two options above, the question offered two other options, which do not meet the stated requirement:
Option C: Enable server-side encryption for S3 using AWS Managed Keys. This option will only encrypt the data stored in Amazon S3, and it will not ensure that the source data stream for Kinesis Firehose is encrypted.
Option D: Enable server-side encryption for S3 using KMS Keys. This option is similar to Option C but provides encryption using KMS Keys. It also only encrypts the data stored in Amazon S3, and it will not ensure that the source data stream for Kinesis Firehose is encrypted.
Therefore, the correct answers are options A and B.
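
The following is an added example, not part of the original answer or the AWS documentation: a check that decides which of the two mechanisms protects a delivery stream's source. It evaluates responses shaped like the output of Firehose `DescribeDeliveryStream` and Kinesis `DescribeStreamSummary`; the ARN, stream names and sample responses are constructed.

```python
# Added example. Inputs are already-fetched API responses, so this runs offline.
# With boto3 they would come from firehose.describe_delivery_stream() and
# kinesis.describe_stream_summary().

def source_encryption(delivery, stream_summaries):
    """Return (encrypted, reason) for a Firehose delivery stream's source."""
    desc = delivery["DeliveryStreamDescription"]
    kind = desc["DeliveryStreamType"]
    if kind == "KinesisStreamAsSource":
        # Firehose stores nothing at rest here; the data stream's setting decides.
        arn = desc["Source"]["KinesisStreamSourceDescription"]["KinesisStreamARN"]
        summary = stream_summaries.get(arn)
        if summary is None:
            return False, f"no summary fetched for source stream {arn}"
        enc = summary["StreamDescriptionSummary"].get("EncryptionType", "NONE")
        if enc == "KMS":
            return True, "source Kinesis data stream is KMS-encrypted"
        return False, f"source Kinesis data stream has EncryptionType {enc}"
    if kind == "DirectPut":
        # No data stream in front: Firehose's own server-side encryption applies.
        sse = desc.get("DeliveryStreamEncryptionConfiguration", {})
        if sse.get("Status") == "ENABLED":
            return True, "Firehose server-side encryption is enabled"
        return False, f"Firehose SSE status is {sse.get('Status', 'absent')}"
    return False, f"source type {kind} is not covered by this check"

# Constructed sample responses (trimmed to the fields the check reads).
ARN = "arn:aws:kinesis:us-east-1:111122223333:stream/app-logs"
FROM_STREAM = {"DeliveryStreamDescription": {
    "DeliveryStreamType": "KinesisStreamAsSource",
    "Source": {"KinesisStreamSourceDescription": {"KinesisStreamARN": ARN}}}}
DIRECT_PUT = {"DeliveryStreamDescription": {
    "DeliveryStreamType": "DirectPut",
    "DeliveryStreamEncryptionConfiguration": {
        "Status": "ENABLED", "KeyType": "AWS_OWNED_CMK"}}}
DIRECT_PUT_OFF = {"DeliveryStreamDescription": {
    "DeliveryStreamType": "DirectPut",
    "DeliveryStreamEncryptionConfiguration": {"Status": "DISABLED"}}}
ENCRYPTED = {ARN: {"StreamDescriptionSummary": {
    "EncryptionType": "KMS", "KeyId": "alias/aws/kinesis"}}}
PLAIN = {ARN: {"StreamDescriptionSummary": {"EncryptionType": "NONE"}}}

if __name__ == "__main__":
    for name, d, s in [("stream+KMS", FROM_STREAM, ENCRYPTED),
                       ("stream, no KMS", FROM_STREAM, PLAIN),
                       ("direct put, SSE on", DIRECT_PUT, {}),
                       ("direct put, SSE off", DIRECT_PUT_OFF, {})]:
        print(name, "->", source_encryption(d, s))
```

S3 bucket encryption settings are deliberately not consulted, since they only cover the objects at the destination.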