Tags: amazon-web-services, security, amazon-kinesis-firehose

Security in data from AWS Firehose to S3


I want to secure my data in transit from AWS Firehose to S3. I can enable encryption for data at rest in S3, but how can I ensure data is encrypted while it is transferred from Firehose to S3? Also, I use the Kinesis agent to put data from the web servers to Kinesis Firehose. Is there a way to encrypt data while in transit from the web servers to Firehose?


Solution

  • Data transfer between services will be using the HTTPS endpoint rather than HTTP.

    You can ensure that data is transferred to your S3 bucket over HTTPS by adding a bucket policy that will deny access for non-HTTPS requests, such as the one below.

    {
      "Id": "ExamplePolicy",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowSSLRequestsOnly",
          "Action": "s3:*",
          "Effect": "Deny",
          "Resource": [
            "arn:aws:s3:::awsexamplebucket",
            "arn:aws:s3:::awsexamplebucket/*"
          ],
          "Condition": {
            "Bool": {
              "aws:SecureTransport": "false"
            }
          },
          "Principal": "*"
        }
      ]
    }
    

    The agent, again, should be communicating over HTTPS to the service only; you can enforce this by removing access to port 80 from your security group or by blocking port 80 access in the NACL (although this might be extreme).

    Additionally, if using an EC2 instance, add a VPC endpoint for the service(s) you'll be connecting to.
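As an added example (not part of the original answer), a small Python helper that builds the deny-non-HTTPS bucket policy from the answer for a given bucket name, and audits an existing policy document to confirm a statement really does cover both the bucket ARN and the object ARN; the function names and the constructed incomplete policy are my own.

```python
import json


def tls_only_policy(bucket: str) -> dict:
    """Build the answer's Deny statement for requests with aws:SecureTransport=false."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            # Both ARNs are needed: the bare bucket ARN covers bucket-level calls
            # such as ListBucket, the /* ARN covers object-level calls.
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def _as_list(value):
    """IAM allows scalars or lists for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def enforces_tls(policy: dict, bucket: str) -> bool:
    """True if some Deny statement blocks non-TLS access to the bucket and its objects."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/*"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(cond).lower() != "false":  # accepts "false" or a JSON false
            continue
        resources = set(_as_list(stmt.get("Resource", [])))
        if "*" in resources or {bucket_arn, object_arn} <= resources:
            return True
    return False


def audit_policy_json(policy_text: str, bucket: str) -> bool:
    """Audit a policy document as returned by get-bucket-policy (a JSON string)."""
    return enforces_tls(json.loads(policy_text), bucket)


# Constructed example of a common mistake: the statement only names the bucket
# ARN, so object reads and writes over plain HTTP would still be permitted.
BUCKET_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::awsexamplebucket",
                   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}],
}
```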