I was looking at the roles and policies created by AWS automatically for you for Kinesis Firehose and I saw it includes KMS: Decrypt. Firehose is used to ingest large amounts of data in S3. The data is not necessary encrypted from the producer so why is it necessary? Thank you!
Did you enable server-side data encryption? That might be the reason for seeing that.