amazon-web-services amazon-kinesis-firehose amazon-kinesis-agent

How to encrypt the in-transit data movement between data source and Kinesis Firehose?


I am building an architecture in which real-time data will be ingested into Kinesis Firehose using the Kinesis agent. My data source is on-premises, so it is required that the data be encrypted in transit. Which protocol is used while data is moved using the agent to Firehose? Any idea on how to move data securely? Any help is greatly appreciated.


Solution

  • Both Kinesis Streams and Firehose AWS endpoints use only HTTPS as explained here and here. Thus, when injecting your records into the Stream or Firehose, you must use HTTPS, which provides encryption in transit. If this is not enough, you could establish a VPN connection between on-premises and your VPC, or even use a fully dedicated connection by means of Direct Connect.

    For server side encryption in Firehose, you can refer to the following:
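On the in-transit question (separate from the server-side encryption reference above), an added example that is not part of the original answer: a small audit of a Kinesis agent `agent.json` that flags endpoint overrides which would defeat the HTTPS-only path. The sample config is constructed, and the allowed host suffixes are an assumed local policy, not an AWS rule.

```python
import json
from urllib.parse import urlsplit

# Endpoint override keys from the Kinesis agent's agent.json.
ENDPOINT_KEYS = ("firehose.endpoint", "kinesis.endpoint", "cloudwatch.endpoint")
# Assumed policy: traffic may only go to AWS-operated hosts.
ALLOWED_SUFFIXES = (".amazonaws.com", ".amazonaws.com.cn")


def audit_agent_config(text):
    """Return (key, problem) findings for endpoint settings in agent.json."""
    cfg = json.loads(text)
    findings = []
    for key in ENDPOINT_KEYS:
        value = (cfg.get(key) or "").strip()
        if not value:
            continue  # unset or empty: the agent uses its default endpoint
        # A bare hostname has no scheme; prefix "//" so urlsplit finds the host.
        parts = urlsplit(value if "://" in value else "//" + value)
        scheme = parts.scheme.lower()
        if scheme and scheme != "https":
            findings.append((key, f"non-HTTPS scheme '{scheme}'"))
        host = (parts.hostname or "").lower()
        if not host.endswith(ALLOWED_SUFFIXES):
            findings.append((key, f"host '{host}' is not an AWS endpoint"))
    return findings


# Constructed sample: one plaintext override, one bare hostname.
SAMPLE_CONFIG = """
{
  "cloudwatch.emitMetrics": true,
  "firehose.endpoint": "http://firehose.us-east-1.amazonaws.com",
  "kinesis.endpoint": "kinesis.us-east-1.amazonaws.com",
  "flows": [
    {"filePattern": "/var/log/app/*.log",
     "deliveryStream": "example-delivery-stream"}
  ]
}
"""

if __name__ == "__main__":
    for key, problem in audit_agent_config(SAMPLE_CONFIG):
        print(f"{key}: {problem}")
```
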