When creating an encrypted kinesis stream in AWS, what does %FIREHOSE_POLICY_TEMPLATE_PLACEHOLDER% mean?
I'm in an environment with pretty strict security controls, trying to debug stream architecture created with terraform. At present, the logs aren't working (I think that's because I got the ARN wrong for the logs), but one of the lines for the autogenerated policy when an encrypted stream is created (using AWS service encryption, i.e., alias/aws/kinesis) -- has a line with an ARN that includes the literal string %FIREHOSE_POLICY_TEMPLATE_PLACEHOLDER%:
```json
{
  "Sid": "",
  "Effect": "Allow",
  "Action": [
    "logs:PutLogEvents"
  ],
  "Resource": [
    "arn:aws:logs:us-east-1:$awsAccount:log-group:/aws/kinesisfirehose/KDS-S3-Q8seN:log-stream:*",
    "arn:aws:logs:us-east-1:$awsAccount:log-group:%FIREHOSE_POLICY_TEMPLATE_PLACEHOLDER%:log-stream:*"
  ]
},
```
(Where $awsAccount is substituted for the actual account number, but %FIREHOSE_POLICY_TEMPLATE_PLACEHOLDER% is literal.)
This same string also finds itself in other clauses and ARNs, such as this:
```json
"StringLike": {
  "kms:EncryptionContext:aws:s3:arn": [
    "arn:aws:s3:::%FIREHOSE_POLICY_TEMPLATE_PLACEHOLDER%/*",
    "arn:aws:s3:::%FIREHOSE_POLICY_TEMPLATE_PLACEHOLDER%"
  ]
}
```
Can someone tell me what this does, and whether the policy is meant to work with that string as-is, or if I need to provide a value for it somehow?
Solution 1:[1]
It seems like Kinesis will create a Role + Policy that originates from a generic template. Depending on your config, some of these placeholders will be filled in, while others are left alone (that's the one you see). These placeholders can be removed.
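As an added example (not code from the question or the answer), a small Python helper that strips unresolved `%...%` template placeholders from a policy document the way the answer suggests, but drops any statement that pruning would otherwise silently widen (a Resource list or Condition key that was nothing but placeholders). The sample policy is constructed from the fragments in the question; the account id, key id and the `kms:GenerateDataKey` action are assumptions for the example.

```python
import re

# Unresolved template tokens look like %FIREHOSE_POLICY_TEMPLATE_PLACEHOLDER%
PLACEHOLDER = re.compile(r"%[A-Z0-9_]+%")

def _prune(value, removed):
    """Return a copy of value with every placeholder-bearing string removed."""
    if isinstance(value, str):
        if PLACEHOLDER.search(value):
            removed.append(value)
            return None
        return value
    if isinstance(value, list):
        return [v for v in (_prune(x, removed) for x in value) if v is not None]
    if isinstance(value, dict):
        pruned = {k: _prune(v, removed) for k, v in value.items()}
        return {k: v for k, v in pruned.items() if v not in (None, [], {})}
    return value

def _condition_keys(stmt):
    return {(op, k) for op, m in stmt.get("Condition", {}).items() for k in m}

def strip_placeholders(policy):
    """Return (cleaned policy, removed strings, dropped Sids). A statement whose
    whole Resource list or a whole Condition key was placeholders is dropped
    rather than kept in a widened (less restrictive) form."""
    removed, dropped, kept = [], [], []
    for stmt in policy["Statement"]:
        new = _prune(stmt, removed)
        if "Resource" not in new or _condition_keys(new) != _condition_keys(stmt):
            dropped.append(stmt.get("Sid", ""))
            continue
        kept.append(new)
    return {**policy, "Statement": kept}, removed, dropped

# Constructed sample modelled on the question's fragments; account and key ids are dummies.
ACCT = "123456789012"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Logs", "Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": [
        f"arn:aws:logs:us-east-1:{ACCT}:log-group:/aws/kinesisfirehose/KDS-S3-Q8seN:log-stream:*",
        f"arn:aws:logs:us-east-1:{ACCT}:log-group:%FIREHOSE_POLICY_TEMPLATE_PLACEHOLDER%:log-stream:*"]},
    {"Sid": "KmsForS3", "Effect": "Allow", "Action": ["kms:GenerateDataKey"],
     "Resource": [f"arn:aws:kms:us-east-1:{ACCT}:key/EXAMPLE-KEY-ID"],
     "Condition": {"StringLike": {"kms:EncryptionContext:aws:s3:arn": [
         "arn:aws:s3:::%FIREHOSE_POLICY_TEMPLATE_PLACEHOLDER%/*",
         "arn:aws:s3:::%FIREHOSE_POLICY_TEMPLATE_PLACEHOLDER%"]}}}]}

if __name__ == "__main__":
    print(strip_placeholders(SAMPLE_POLICY)[1:])
```

The KMS statement is dropped rather than rewritten because removing its only condition values would turn a bucket-scoped grant into an unconditional one; review such statements by hand.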
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | m1keil |
