AWS::KinesisFirehose::DeliveryStream DeliveryStreamEncryptionConfigurationInput - Amazon CloudFormation
SyntaxProperties
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::KinesisFirehose::DeliveryStream DeliveryStreamEncryptionConfigurationInput

Specifies the type and Amazon Resource Name (ARN) of the CMK to use for Server-Side Encryption (SSE).

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{
  "KeyARN" : String,
  "KeyType" : String
}

YAML

  KeyARN: String
  KeyType: String

Properties

KeyARN

If you set KeyType to CUSTOMER_MANAGED_CMK, you must specify the Amazon Resource Name (ARN) of the CMK. If you set KeyType to Amazon_OWNED_CMK, Firehose uses a service-account CMK.

Required: No

Type: String

Pattern: arn:.*

Minimum: 1

Maximum: 512

Update requires: No interruption

KeyType

Indicates the type of customer master key (CMK) to use for encryption. The default setting is AWS_OWNED_CMK. For more information about CMKs, see Customer Master Keys (CMKs).

You can use a CMK of type CUSTOMER_MANAGED_CMK to encrypt up to 500 delivery streams.

Important

To encrypt your delivery stream, use symmetric CMKs. Kinesis Data Firehose doesn't support asymmetric CMKs. For information about symmetric and asymmetric CMKs, see About Symmetric and Asymmetric CMKs in the Amazon Key Management Service developer guide.

Required: Yes

Type: String

Allowed values: AWS_OWNED_CMK | CUSTOMER_MANAGED_CMK

Update requires: No interruption