AWS Kinesis Does Not Enforce Data-at-Rest Encryption


Amazon Kinesis Streams offer the capability to encrypt data-at-rest using AWS Key Management Service (KMS). If a Kinesis stream does not have data-at-rest encryption enabled, the data could be vulnerable to unauthorized access and might not adhere to certain compliance and regulatory standards.


1. Enable Encryption for Kinesis Stream:

AWS Management Console:
  • Navigate to the Kinesis service.
  • Select the desired stream.
  • In the Details section, find the Server-side encryption setting.
  • Click on the Edit button.
  • Set the Server-side encryption option to Enabled.
  • Choose the desired KMS key from the list or specify a custom key.
  • Save your changes.

Note: After you enable or modify server-side encryption settings for a stream, the update can take up to 5 minutes to complete.


To enable server-side encryption for an existing Kinesis stream:

aws kinesis start-stream-encryption --stream-name <YOUR-STREAM-NAME> --encryption-type KMS --key-id <YOUR-KMS-KEY-ID>

Replace <YOUR-STREAM-NAME> with your stream name and <YOUR-KMS-KEY-ID> with the desired KMS key ID.

resource "aws_kinesis_stream" "example" {
  name             = "example"
  shard_count      = 1
  retention_period = 24

  encryption_type = "KMS"
  kms_key_id      = aws_kms_key.example.arn

resource "aws_kms_key" "example" {
  description             = "example"
  deletion_window_in_days = 10

In this Terraform configuration, the Kinesis stream is encrypted using a custom KMS key.


Always enable server-side encryption for Kinesis streams to ensure the security of data-at-rest. Properly manage and rotate your KMS keys as per AWS best practices. Frequently review your Kinesis configurations to confirm encryption settings are as expected.