AWS Kinesis Server without customer managed keys will leave the data in plain state. customer managed keys will encrypted the data and will be refreshed after every 365 days.
In Terraform -
References:
https://docs.aws.amazon.com/firehose/latest/dev/encryption.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream#server_side_encryption