Merge pull request #2079 from AkhtarAmir/setEncryptionDefault-awskms

updated the default encryption level to awskms for aws encryption plu…
aquasecurity · Sep 18, 2024 · 90cff06 · 90cff06
2 parents 6a27334 + e92a6ff
commit 90cff06
Show file tree

Hide file tree

Showing 72 changed files with 82 additions and 82 deletions.
diff --git a/plugins/aws/apprunner/serviceEncrypted.js b/plugins/aws/apprunner/serviceEncrypted.js
@@ -17,7 +17,7 @@ module.exports = {
             name: ' App Runner service desired Encryption level',
             description: 'In order (lowest to highest) awskms=AWS-managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(awskms|awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk'
+            default: 'awskms'
         }
     },
     realtime_triggers: ['apprunner:CreateService','apprunner:DeleteService'],

diff --git a/plugins/aws/auditmanager/auditmanagerDataEncrypted.js b/plugins/aws/auditmanager/auditmanagerDataEncrypted.js
@@ -17,7 +17,7 @@ module.exports = {
             name: 'Audit Manager Data Encryption Level',
             description: 'In order (lowest to highest) awskms=AWS-managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(awskms|awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk',
+            default: 'awskms',
         }
     },
     realtime_triggers: ['auditmanager:registerAccount','auditmanager:UpdateSettings','auditmanager:DeregisterAccount'],

diff --git a/plugins/aws/auditmanager/auditmanagerDataEncrypted.spec.js b/plugins/aws/auditmanager/auditmanagerDataEncrypted.spec.js
@@ -98,7 +98,7 @@ describe('auditmanagerDataEncrypted', function () {
 
         it('should FAIL if Audit Manager data is not encrypted with desired encryption level', function (done) {
             const cache = createCache(getSettings, listKeys, describeKey[1]);
-            auditmanagerDataEncrypted.run(cache, {}, (err, results) => {
+            auditmanagerDataEncrypted.run(cache, {auditmanager_data_encryption_level: 'awscmk'}, (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(2);
                 expect(results[0].region).to.equal('us-east-1');

diff --git a/plugins/aws/backup/backupVaultEncrypted.js b/plugins/aws/backup/backupVaultEncrypted.js
@@ -16,7 +16,7 @@ module.exports = {
             name: 'CodeArtifact Domain Target Encryption Level',
             description: 'In order (lowest to highest) awskms=AWS-managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(awskms|awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk',
+            default: 'awskms',
         }
     },
     realtime_triggers: ['backup:CreateBackupVault','backup:DeleteBackupVault'],

diff --git a/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js b/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js
@@ -18,7 +18,7 @@ module.exports = {
             name: 'CloudWatch Log Groups Target Ecryption Level',
             description: 'In order (lowest to highest) awskms=AWS managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(awskms|awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk'
+            default: 'awskms'
         },
         cloudwatchlog_whitelist: {
             name: 'Lambda Functions Whitelisted',

diff --git a/plugins/aws/codeartifact/codeartifactDomainEncrypted.js b/plugins/aws/codeartifact/codeartifactDomainEncrypted.js
@@ -17,7 +17,7 @@ module.exports = {
             name: 'CodeArtifact Domain Target Encryption Level',
             description: 'In order (lowest to highest) awskms=AWS-managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(awskms|awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk',
+            default: 'awskms',
         }
     },
     realtime_triggers: ['codeartifact:CreateDomain', 'codeartifact:DeleteDomain'],

diff --git a/plugins/aws/codeartifact/codeartifactDomainEncrypted.spec.js b/plugins/aws/codeartifact/codeartifactDomainEncrypted.spec.js
@@ -101,7 +101,7 @@ describe('codeartifactDomainEncrypted', function () {
 
         it('should FAIL if CodeArtifact domain is not encrypted with desired encyption level', function (done) {
             const cache = createCache(listDomains, listKeys, describeKey[1]);
-            codeartifactDomainEncrypted.run(cache, {}, (err, results) => {
+            codeartifactDomainEncrypted.run(cache, {codeartifact_domain_encryption_level:'awscmk'}, (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(2);
                 expect(results[0].region).to.equal('us-east-1');

diff --git a/plugins/aws/codebuild/projectArtifactsEncrypted.js b/plugins/aws/codebuild/projectArtifactsEncrypted.js
@@ -17,7 +17,7 @@ module.exports = {
             name: 'Project Artifacts Target Encryption Level',
             description: 'In order (lowest to highest) awskms=AWS-managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(awskms|awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk',
+            default: 'awskms',
         }
     },
     realtime_triggers: ['codebuild:CreateProject', 'codebuild:UpdateProject','codebuild:DeleteProject'],

diff --git a/plugins/aws/codebuild/projectArtifactsEncrypted.spec.js b/plugins/aws/codebuild/projectArtifactsEncrypted.spec.js
@@ -158,7 +158,7 @@ describe('projectArtifactsEncrypted', function () {
 
         it('should FAIL if CodeBuild project artifact is not encrypted with desired encryption level', function (done) {
             const cache = createCache(listProjects, listKeys, batchGetProjects[1], describeKey[1]);
-            projectArtifactsEncrypted.run(cache, { projects_artifact_desired_encryption_level: 'awscmk' }, (err, results) => {
+            projectArtifactsEncrypted.run(cache, { project_artifacts_desired_encryption_level: 'awscmk' }, (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(2);
                 expect(results[0].region).to.equal('us-east-1');

diff --git a/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js b/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js
@@ -18,7 +18,7 @@ module.exports = {
             name: 'Pipeline Artifacts Desired Encrypted Level',
             description: 'In order (lowest to highest) awskms=AWS-managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(awskms|awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk'
+            default: 'awskms'
         }
     },
     realtime_triggers: ['codepipeline:CreatePipeline','codepipeline:DeletePipeline'],

diff --git a/plugins/aws/codepipeline/pipelineArtifactsEncrypted.spec.js b/plugins/aws/codepipeline/pipelineArtifactsEncrypted.spec.js
@@ -135,7 +135,7 @@ describe('pipelineArtifactsEncrypted', function () {
     describe('run', function () {
         it('should PASS if Pipeline Artifacts is encrypted with desired encryption level', function (done) {
             const cache = createCache([listPipelines[0]], listKeys, listAliases, getPipeline[0], describeKey[0]);
-            pipelineArtifactsEncrypted.run(cache, { pipeline_artifacts_encryption : 'awscmk' }, (err, results) => {
+            pipelineArtifactsEncrypted.run(cache, { pipeline_artifacts_desired_encryption_level : 'awscmk' }, (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(0);
                 expect(results[0].region).to.equal('us-east-1');
@@ -145,7 +145,7 @@ describe('pipelineArtifactsEncrypted', function () {
 
         it('should FAIL if Pipeline Artifacts not encrypted with desired encryption level', function (done) {
             const cache = createCache([listPipelines[0]], listKeys, listAliases, getPipeline[0], describeKey[1]);
-            pipelineArtifactsEncrypted.run(cache, { pipeline_artifacts_encryption : 'awscmk' }, (err, results) => {
+            pipelineArtifactsEncrypted.run(cache, { pipeline_artifacts_desired_encryption_level : 'awscmk' }, (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(2);
                 expect(results[0].region).to.equal('us-east-1');

diff --git a/plugins/aws/connect/customerProfilesDomainEncrypted.js b/plugins/aws/connect/customerProfilesDomainEncrypted.js
@@ -16,7 +16,7 @@ module.exports = {
             name: 'Connect Customer Profiles Encrypted',
             description: 'In order (lowest to highest) awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk'
+            default: 'awskms'
         }
     },
     realtime_triggers: ['customerprofiles:CreateDomain', 'customerprofiles:UpdateDomain', 'customerprofile:DeleteDomain'],

diff --git a/plugins/aws/connect/instanceAttachmentsEncrypted.js b/plugins/aws/connect/instanceAttachmentsEncrypted.js
@@ -17,7 +17,7 @@ module.exports = {
             name: 'Connect Attachments Target Encryption Level',
             description: 'In order (lowest to highest) awskms=AWS managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(awskms|awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk'
+            default: 'awskms'
         }
     },
     realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig', 'connect:DeleteInstance', 'connect:DisassociateInstanceStorageConfig'],

diff --git a/plugins/aws/connect/instanceAttachmentsEncrypted.spec.js b/plugins/aws/connect/instanceAttachmentsEncrypted.spec.js
@@ -136,7 +136,7 @@ describe('instanceAttachmentsEncrypted', function () {
     describe('run', function () {
         it('should FAIL if Connect instance is not using desired encryption level', function (done) {
             const cache = createCache(listInstances, instanceAttachmentStorageConfigs[0], listKeys, describeKey[1]);
-            instanceAttachmentsEncrypted.run(cache, {}, (err, results) => {
+            instanceAttachmentsEncrypted.run(cache, {connect_attachments_encryption_level : 'awscmk'}, (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(2);
                 done();

diff --git a/plugins/aws/connect/instanceCallRecordingEncrypted.js b/plugins/aws/connect/instanceCallRecordingEncrypted.js
@@ -17,7 +17,7 @@ module.exports = {
             name: 'Connect Call Resording Encryption Level',
             description: 'In order (lowest to highest) awskms=AWS managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(awskms|awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk'
+            default: 'awskms'
         }
     },
     realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig','connect:DeleteInstance', 'connect:DisassociateInstanceStorageConfig'],

diff --git a/plugins/aws/connect/instanceCallRecordingEncrypted.spec.js b/plugins/aws/connect/instanceCallRecordingEncrypted.spec.js
@@ -136,7 +136,7 @@ describe('instanceCallRecordingEncrypted', function () {
     describe('run', function () {
         it('should FAIL if Connect instance is not using desired encryption level', function (done) {
             const cache = createCache(listInstances, listInstanceCallRecordingStorageConfigs[0], listKeys, describeKey[1]);
-            instanceCallRecordingEncrypted.run(cache, {}, (err, results) => {
+            instanceCallRecordingEncrypted.run(cache, {connect_call_recording_encryption_level: 'awscmk'}, (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(2);
                 done();

diff --git a/plugins/aws/connect/instanceMediaStreamsEncrypted.js b/plugins/aws/connect/instanceMediaStreamsEncrypted.js
@@ -17,7 +17,7 @@ module.exports = {
             name: 'Connect Media Streams Target Encryption Level',
             description: 'In order (lowest to highest) awskms=AWS managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(awskms|awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk'
+            default: 'awskms'
         }
     },
     realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig','connect:DeleteInstance', 'connect:DisassociateInstanceStorageConfig'],

diff --git a/plugins/aws/connect/instanceMediaStreamsEncrypted.spec.js b/plugins/aws/connect/instanceMediaStreamsEncrypted.spec.js
@@ -142,7 +142,7 @@ describe('instanceMediaStreamsEncrypted', function () {
     describe('run', function () {
         it('should FAIL if Connect instance is not using desired encryption level', function (done) {
             const cache = createCache(listInstances, listInstanceMediaStreamStorageConfigs[0], listKeys, describeKey[1]);
-            instanceMediaStreamsEncrypted.run(cache, {}, (err, results) => {
+            instanceMediaStreamsEncrypted.run(cache, {connect_media_streams_encryption_level: 'awscmk'}, (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(2);
                 done();

diff --git a/plugins/aws/connect/instanceReportsEncrypted.js b/plugins/aws/connect/instanceReportsEncrypted.js
@@ -17,7 +17,7 @@ module.exports = {
             name: 'Connect Exported Reports Target Encryption Level',
             description: 'In order (lowest to highest) awskms=AWS managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(awskms|awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk'
+            default: 'awskms'
         }
     },
     realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig','connect:DeleteInstance', 'connect:DisassociateInstanceStorageConfig'],

diff --git a/plugins/aws/connect/instanceReportsEncrypted.spec.js b/plugins/aws/connect/instanceReportsEncrypted.spec.js
@@ -136,7 +136,7 @@ describe('instanceReportsEncrypted', function () {
     describe('run', function () {
         it('should FAIL if Connect instance is not using desired encryption level', function (done) {
             const cache = createCache(listInstances, listInstanceExportedReportStorageConfigs[0], listKeys, describeKey[1]);
-            instanceReportsEncrypted.run(cache, {}, (err, results) => {
+            instanceReportsEncrypted.run(cache, {connect_exported_reports_encryption_level : 'awscmk'}, (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(2);
                 done();

diff --git a/plugins/aws/connect/instanceTranscriptsEncrypted.js b/plugins/aws/connect/instanceTranscriptsEncrypted.js
@@ -17,7 +17,7 @@ module.exports = {
             name: 'Connect Chat Transcripts Target Encryption Level',
             description: 'In order (lowest to highest) awskms=AWS managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(awskms|awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk'
+            default: 'awskms'
         }
     },
     realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig','connect:DeleteInstance', 'connect:DisassociateInstanceStorageConfig'],

diff --git a/plugins/aws/connect/instanceTranscriptsEncrypted.spec.js b/plugins/aws/connect/instanceTranscriptsEncrypted.spec.js
@@ -136,7 +136,7 @@ describe('instanceTranscriptsEncrypted', function () {
     describe('run', function () {
         it('should FAIL if Connect instance is not using desired encryption level', function (done) {
             const cache = createCache(listInstances, listInstanceChatTranscriptStorageConfigs[0], listKeys, describeKey[1]);
-            instanceTranscriptsEncrypted.run(cache, {}, (err, results) => {
+            instanceTranscriptsEncrypted.run(cache, {connect_chat_transcripts_encryption_level: 'awscmk'}, (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(2);
                 done();

diff --git a/plugins/aws/documentDB/docdbClusterEncrypted.js b/plugins/aws/documentDB/docdbClusterEncrypted.js
@@ -17,7 +17,7 @@ module.exports = {
             name: 'DocumentDB Cluster Target Encryption Level',
             description: 'In order (lowest to highest) awskms=AWS-managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(awskms|awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk',
+            default: 'awskms',
         }
     },
     realtime_triggers: ['docdb:CreateDBCluster','docdb:CreateDBInstance','docdb:DeleteDBCluster'],

diff --git a/plugins/aws/ec2/ebsEncryptionEnabled.js b/plugins/aws/ec2/ebsEncryptionEnabled.js
@@ -55,7 +55,7 @@ module.exports = {
             name: 'EBS Minimum Encryption Level at rest',
             description: 'In order (lowest to highest) awskms=AWS-managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(awskms|awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk',
+            default: 'awskms',
         },
 
     },

diff --git a/plugins/aws/ecr/ecrRepositoryEncrypted.js b/plugins/aws/ecr/ecrRepositoryEncrypted.js
@@ -17,7 +17,7 @@ module.exports = {
             name: 'ECR Repository Encryption',
             description: 'In order (lowest to highest) sse=AES-256; awskms=AWS-managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(sse|awskms|awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk'
+            default: 'awskms'
         }
     },
     realtime_triggers: ['ecr:CreateRepository', 'ecr:DeleteRepository'],

diff --git a/plugins/aws/elasticache/redisClusterEncryptionAtRest.js b/plugins/aws/elasticache/redisClusterEncryptionAtRest.js
@@ -17,7 +17,7 @@ module.exports = {
             name: 'ElastiCache Cluster Target Encryption Level',
             description: 'In order (lowest to highest) awskms=AWS-managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(awskms|awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk',
+            default: 'awskms',
         }
     },
     realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:DeleteCacheCluster', 'elasticache:CreateReplicationGroup'],

diff --git a/plugins/aws/elasticache/redisClusterEncryptionAtRest.spec.js b/plugins/aws/elasticache/redisClusterEncryptionAtRest.spec.js
@@ -219,7 +219,7 @@ describe('redisClusterEncryptionAtRest', function () {
     describe('run', function () {
         it('should PASS if Redis Cluster at-rest is encrypted with desired encryption level', function (done) {
             const cache = createCache(describeCacheClusters[0], listKeys, describeReplicationGroups[0], describeKey[0]);
-            redisClusterEncryptionAtRest.run(cache, { ec_atrest_desired_encryption_level: 'awscmk' }, (err, results) => {
+            redisClusterEncryptionAtRest.run(cache, { ec_cluster_target_encryption_level: 'awscmk' }, (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(0);
                 expect(results[0].region).to.equal('us-east-1');
@@ -229,7 +229,7 @@ describe('redisClusterEncryptionAtRest', function () {
 
         it('should FAIL if Redis Cluster at-rest is not encrypted with desired encryption level', function (done) {
             const cache = createCache([describeCacheClusters[1]],listKeys, describeReplicationGroups[1], describeKey[1]);
-            redisClusterEncryptionAtRest.run(cache, { ec_atrest_desired_encryption_level: 'awscmk' }, (err, results) => {
+            redisClusterEncryptionAtRest.run(cache, { ec_cluster_target_encryption_level: 'awscmk' }, (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(2);
                 expect(results[0].region).to.equal('us-east-1');

diff --git a/plugins/aws/firehose/deliveryStreamEncrypted.js b/plugins/aws/firehose/deliveryStreamEncrypted.js
@@ -17,7 +17,7 @@ module.exports = {
             name: 'Firehose Delivery Stream Target Encryption Level',
             description: 'In order (lowest to highest) awskms=AWS managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
             regex: '^(awskms|awscmk|externalcmk|cloudhsm)$',
-            default: 'awscmk'
+            default: 'awskms'
         }
     },
     realtime_triggers: ['firehose:CreateDeliveryStreams','firehose:UpdateDestination', 'firehose:DeleteliveryStreams'],

diff --git a/plugins/aws/firehose/deliveryStreamEncrypted.spec.js b/plugins/aws/firehose/deliveryStreamEncrypted.spec.js
@@ -308,15 +308,15 @@ describe('deliveryStreamEncrypted', function () {
             deliveryStreamEncrypted.run(cache, {}, (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(0);
-                expect(results[0].message).to.include('Firehose delivery stream destination bucket is encrypted with awscmk');
+                expect(results[0].message).to.include('Firehose delivery stream is encrypted with awskms');
                 expect(results[0].region).to.equal('us-east-1');
                 done();
             });
         });
 
         it('should FAIL if Firehose Delivery Stream not encrypted with desired encryption level', function (done) {
             const cache = createCache([listDeliveryStreams[0]], listKeys, describeDeliveryStream[1], describeKey[1]);
-            deliveryStreamEncrypted.run(cache, {}, (err, results) => {
+            deliveryStreamEncrypted.run(cache, {delivery_stream_desired_encryption_level:  'awscmk'}, (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(2);
                 expect(results[0].message).to.include('Firehose delivery stream destination bucket is encrypted with awskms');