Class: Aws::Firehose::Types::DeliveryStreamEncryptionConfigurationInput

Inherits:

Struct

• Object
• Struct
• Aws::Firehose::Types::DeliveryStreamEncryptionConfigurationInput

Includes:

Structure

Defined in:

lib/aws-sdk-firehose/types.rb

Overview

Specifies the type and Amazon Resource Name (ARN) of the CMK to use for Server-Side Encryption (SSE).

See Also:

• AWS API Documentation

Constant Summary

SENSITIVE =

[]

Instance Attribute Summary

• #key_arn ⇒ String

  If you set ‘KeyType` to `CUSTOMER_MANAGED_CMK`, you must specify the Amazon Resource Name (ARN) of the CMK.

• #key_type ⇒ String

  Indicates the type of customer master key (CMK) to use for encryption.

Instance Attribute Details

#key_arn ⇒ String

If you set ‘KeyType` to `CUSTOMER_MANAGED_CMK`, you must specify the Amazon Resource Name (ARN) of the CMK. If you set `KeyType` to `Amazon Web Services_OWNED_CMK`, Firehose uses a service-account CMK.

Returns:

• (String)

# File 'lib/aws-sdk-firehose/types.rb', line 1432

class DeliveryStreamEncryptionConfigurationInput < Struct.new(
  :key_arn,
  :key_type)
  SENSITIVE = []
  include Aws::Structure
end

#key_type ⇒ String

Indicates the type of customer master key (CMK) to use for encryption. The default setting is ‘Amazon Web Services_OWNED_CMK`. For more information about CMKs, see [Customer Master Keys (CMKs)]. When you invoke CreateDeliveryStream or StartDeliveryStreamEncryption with `KeyType` set to CUSTOMER_MANAGED_CMK, Firehose invokes the Amazon KMS operation

CreateGrant][2

to create a grant that allows the Firehose service

to use the customer managed CMK to perform encryption and decryption. Firehose manages that grant.

When you invoke StartDeliveryStreamEncryption to change the CMK for a Firehose stream that is encrypted with a customer managed CMK, Firehose schedules the grant it had on the old CMK for retirement.

You can use a CMK of type CUSTOMER_MANAGED_CMK to encrypt up to 500 Firehose streams. If a CreateDeliveryStream or StartDeliveryStreamEncryption operation exceeds this limit, Firehose throws a ‘LimitExceededException`.

To encrypt your Firehose stream, use symmetric CMKs. Firehose doesn’t support asymmetric CMKs. For information about symmetric and asymmetric CMKs, see [About Symmetric and Asymmetric CMKs] in the Amazon Web Services Key Management Service developer guide.

[1]: docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys [2]: docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html [3]: docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html

Returns:

• (String)

# File 'lib/aws-sdk-firehose/types.rb', line 1432

class DeliveryStreamEncryptionConfigurationInput < Struct.new(
  :key_arn,
  :key_type)
  SENSITIVE = []
  include Aws::Structure
end