Amazon Managed Service for Apache Flink was previously known as Amazon Kinesis Data Analytics for Apache Flink.
Data protection in Amazon Managed Service for Apache Flink
You can protect your data using tools that are provided by AWS. Managed Service for Apache Flink can work with services that support encrypting data, including Firehose, and Amazon S3.
Data encryption in Managed Service for Apache Flink
Encryption at rest
Note the following about encrypting data at rest with Managed Service for Apache Flink:
You can encrypt data on the incoming Kinesis data stream using StartStreamEncryption. For more information, see What Is Server-Side Encryption for Kinesis Data Streams?.
Output data can be encrypted at rest using Firehose to store data in an encrypted Amazon S3 bucket. You can specify the encryption key that your Amazon S3 bucket uses. For more information, see Protecting Data Using Server-Side Encryption with KMS–Managed Keys (SSE-KMS).
Managed Service for Apache Flink can read from any streaming source, and write to any streaming or database destination. Ensure that your sources and destinations encrypt all data in transit and data at rest.
Your application's code is encrypted at rest.
Durable application storage is encrypted at rest.
Running application storage is encrypted at rest.
Encryption in transit
Managed Service for Apache Flink encrypts all data in transit. Encryption in transit is enabled for all Managed Service for Apache Flink applications and cannot be disabled.
Managed Service for Apache Flink encrypts data in transit in the following scenarios:
Data in transit from Kinesis Data Streams to Managed Service for Apache Flink.
Data in transit between internal components within Managed Service for Apache Flink.
Data in transit between Managed Service for Apache Flink and Firehose.
Key management
Data encryption in Managed Service for Apache Flink uses service-managed keys. Customer-managed keys are not supported.
