Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
35Dashboards
1534Benchmarks
673Queries
9Variables
GitHub

Control: 1 Firehose delivery streams should be encrypted at rest

Description

This control checks whether an Amazon Data Firehose delivery stream is encrypted at rest with server-side encryption. This control fails if a Firehose delivery stream isn't encrypted at rest with server-side encryption.

Server-side encryption is a feature in Amazon Data Firehose delivery streams that automatically encrypts data before it's at rest by using a key created in AWS Key Management Service (AWS KMS). Data is encrypted before it's written to the Data Firehose stream storage layer, and decrypted after it’s retrieved from storage. This allows you to comply with regulatory requirements and enhance the security of your data.

Remediation

To enable server-side encryption on Firehose delivery streams, see Data Protection in Amazon Data Firehose in the Amazon Data Firehose Developer Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_datafirehose_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_datafirehose_1 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when delivery_stream_encryption_configuration ->> 'Status' = 'ENABLED' then 'ok'
    else 'alarm'
  end as status,
  case
    when delivery_stream_encryption_configuration ->> 'Status' = 'ENABLED' then title || ' server side encryption enabled.'
    else title || ' server side encryption disabled.'
  end as reason
  
  , region, account_id
from
  aws_kinesis_firehose_delivery_stream;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = encryption_of_data_at_rest
foundational_security_item_id = datafirehose_1
plugin = aws
service = AWS/DataFirehose