I am working with a Cloudformation stack and I have a pipeline Kinesis Stream ==> Kinesis Firehose ==> S3 Bucket. In the Kinesis Stream template, it lists a StreamEncryption field and says,
StreamEncryption
Enables or updates server-side encryption using an AWS KMS key for a specified stream.
where I bolded the statement in question.
Also, from here,
When you send data from your data producers to your Kinesis stream, the Kinesis Data Streams service encrypts your data using an AWS KMS key before storing it at rest. When your Kinesis Data Firehose delivery stream reads the data from your Kinesis stream, the Kinesis Data Streams service first decrypts the data and then sends it to Kinesis Data Firehose. Kinesis Data Firehose buffers the data in memory based on the buffering hints that you specify and then delivers it to your destinations without storing the unencrypted data at rest.
I want the records that ultimately end up in S3 to be encrypted using my KMS key such that a person with full access to my S3, but not KMS, would not be able to read the data.
Will this do that? If not, how do I get the data to reside "doubly" encrypted inside S3?
A hack, that is not a good solution, but works for now is to have Firehose do a Lambda Transform on the data, but encrypt and write the data out yourself from the Lambda.
Non ideal, but functional.