Posted On: Jun 2, 2021

Amazon Kinesis Data Firehose now provides additional protection of sensitive data through customer-provided keys for server-side encryption (SSE) of delivery streams in the Amazon Web Services China (Beijing) Region, operated by SINNET, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. This feature is integrated with Amazon Key Management Service (KMS), which allows you to centrally manage the keys that protect Kinesis Data Firehose delivery streams along with the keys that protect your other Amazon Web Services resources.

When you ingest records into encrypted delivery streams, Amazon Kinesis Data Firehose immediately encrypts your messages. The encryption takes place on the server, using a 256-bit AES-GCM algorithm and a customer master key (CMK) issued by Amazon KMS. Kinesis Data Firehose now works with both customer-provided CMKs and Amazon-provided CMKs. The records are stored in encrypted form in multiple Availability Zones (AZs) and are decrypted only as they are delivered to destinations such as Amazon S3, Amazon Elasticsearch Service, and Amazon Redshift. To learn more, visit Security in Amazon Kinesis Data Firehose.

There are no additional Kinesis Data Firehose charges for using this capability. You are only charged for Amazon KMS usage. For pricing details, visit Amazon KMS pricing.