Identify and alert when Amazon Data Firehose resources are not encrypted with an AWS KMS key
Ram Kandaswamy, Amazon Web Services
Summary
For compliance, some organizations must have encryption enabled on data delivery resources such as Amazon Data Firehose. This pattern shows a way to monitor, detect, and notify when resources are out of compliance.
To maintain the encryption requirement, this pattern can be used on AWS to provide automated monitoring and detection of Amazon Data Firehose delivery resources that aren’t encrypted with an AWS Key Management Service (AWS KMS) key. The solution sends alert notifications, and it can be extended to perform automatic remediation. This solution can be applied to an individual account or a multiple-account environment, such as an environment that uses an AWS landing zone or AWS Control Tower.
Prerequisites and limitations
Prerequisites
Amazon Data Firehose delivery stream
Sufficient permissions and familiarity with AWS CloudFormation, which is used in this infrastructure automation
Limitations
The solution is not real time because it uses AWS CloudTrail events for detection, and there is a delay between the time an unencrypted resource is created and the notification is sent.
Architecture
Target technology stack
The solution uses serverless technology and the following services:
AWS CloudTrail
Amazon CloudWatch
AWS Command Line Interface (AWS CLI)
AWS Identity and Access Management (IAM)
Amazon Data Firehose
AWS Lambda
Amazon Simple Notification Service (Amazon SNS)
Target architecture

The diagram illustrates these steps:
A user creates or modifies an Amazon Data Firehose delivery stream.
A CloudTrail event is detected and matched.
Lambda is invoked.
Non-compliant resources are identified.
Email notification is sent.
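Steps 2 to 5 of the flow above as an added example, not code from the pattern or its attachment: a Python Lambda handler for the CloudWatch Events rule that describes the delivery stream named in the CloudTrail event, treats it as non-compliant unless server-side encryption is ENABLED (optionally requiring a customer-managed key), and publishes an SNS alert. The event shape, the environment variable names SNS_TOPIC_ARN and REQUIRE_CUSTOMER_MANAGED_KEY, the set of watched event names, and the sample stream name are assumptions.

```python
import json
import os

# CloudTrail event names that create or change a delivery stream and so warrant a re-check.
# Assumed trigger set; the CloudWatch Events rule that forwards them to Lambda is configured separately.
WATCHED_EVENTS = {"CreateDeliveryStream", "UpdateDestination", "StopDeliveryStreamEncryption"}

# Constructed sample of an EventBridge-delivered CloudTrail event, reduced to the fields used here.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail", "region": "us-east-1",
    "detail": {"eventName": "CreateDeliveryStream",
               "requestParameters": {"deliveryStreamName": "orders-stream"}},
}

def is_kms_encrypted(description, require_customer_managed_key=False):
    """True if a DeliveryStreamDescription (DescribeDeliveryStream output) shows SSE ENABLED.
    ENABLING/DISABLING count as non-compliant; with the flag set, an AWS-owned key does not pass."""
    sse = description.get("DeliveryStreamEncryptionConfiguration") or {}
    if sse.get("Status") != "ENABLED":
        return False
    return not require_customer_managed_key or sse.get("KeyType") == "CUSTOMER_MANAGED_CMK"

def stream_name_from_event(event):
    """Return the delivery stream name from a watched CloudTrail event, else None."""
    detail = event.get("detail") or {}
    if detail.get("eventName") not in WATCHED_EVENTS:
        return None
    return (detail.get("requestParameters") or {}).get("deliveryStreamName")

def alert_message(stream_name, description, region):
    """SNS body naming the stream and the encryption state that was observed."""
    sse = description.get("DeliveryStreamEncryptionConfiguration") or {}
    return json.dumps({"stream": stream_name, "region": region, "finding": "not encrypted with a KMS key",
                       "encryptionStatus": sse.get("Status", "DISABLED"), "keyType": sse.get("KeyType")}, indent=2)

def lambda_handler(event, context):
    import boto3  # imported here so the pure checks above can run without the SDK installed
    name = stream_name_from_event(event)
    if not name:
        return {"checked": False}
    desc = boto3.client("firehose").describe_delivery_stream(DeliveryStreamName=name)["DeliveryStreamDescription"]
    strict = os.environ.get("REQUIRE_CUSTOMER_MANAGED_KEY", "false").lower() == "true"
    if is_kms_encrypted(desc, strict):
        return {"checked": True, "compliant": True, "stream": name}
    boto3.client("sns").publish(TopicArn=os.environ["SNS_TOPIC_ARN"],
                                Subject=f"Firehose stream {name} is not KMS-encrypted",
                                Message=alert_message(name, desc, event.get("region", "unknown")))
    return {"checked": True, "compliant": False, "stream": name}
```

The Lambda execution role needs firehose:DescribeDeliveryStream and sns:Publish on the topic; streams in transitional encryption states will alert once and pass on the next change event.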
Automation and scale
You can use AWS CloudFormation StackSets to apply this solution to multiple AWS Regions or accounts with a single command.
Tools
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS CLI, AWS SDKs, and API operations.
Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in AWS resources.
AWS Command Line Interface (AWS CLI) is an open source tool that enables you to interact with AWS services by using commands in your command line shell.
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
Amazon Data Firehose is a fully managed service for delivering real-time streaming data. With Firehose, you don't have to write applications or manage resources. You configure your data producers to send data to Firehose, and it automatically delivers the data to the destination that you specified.
AWS Lambda is a compute service that supports running code without provisioning or managing servers. Lambda runs your code only when needed and scales automatically, from a few requests per day to thousands per second. You pay only for the compute time that you consume—there is no charge when your code isn’t running.
Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery from publishers to subscribers (also known as producers and consumers).
Epics
Task | Description | Skills required |
---|---|---|
Deploy AWS CloudFormation StackSets. | In the AWS CLI, use the | Cloud architect, Systems administrator |
Create stack instances. | Stacks can be created in the AWS Regions of your choice as well as in one or more accounts. To create stack instances, run the following command. Replace the stack name, account numbers, and Regions with your own. | Cloud architect, Systems administrator |
Related resources
Attachments
To access additional content that is associated with this document, unzip the following file: attachment.zip