AWS Kinesis Does Not Enforce Data-at-Rest Encryption

Description:

Amazon Kinesis Data Streams can encrypt data at rest with server-side encryption backed by an AWS Key Management Service (KMS) key: records are encrypted before they are written to the stream storage layer and decrypted when a consumer retrieves them. If a stream does not have server-side encryption enabled, every record is stored in plaintext for the whole retention period, which exposes it to unauthorized access and may fail compliance and regulatory requirements that mandate encryption at rest.


Remediation:

1. Enable Encryption for Kinesis Stream:

AWS Management Console:
  • Navigate to the Kinesis service.
  • Select the desired stream.
  • In the Details section, find the Server-side encryption setting.
  • Click on the Edit button.
  • Set the Server-side encryption option to Enabled.
  • Choose the key to use: the AWS-managed key (aws/kinesis) or one of your customer-managed KMS keys.
  • Save your changes.

Note: After you enable or modify server-side encryption settings for a stream, the update can take up to 5 minutes to complete. Only records written after the update are encrypted; records already in the stream stay in plaintext until they age out of the retention period. When you use a customer-managed key, producers and consumers must also be allowed to use that key in KMS (kms:GenerateDataKey for producers, kms:Decrypt for consumers), otherwise their PutRecord and GetRecords calls fail with KMS access errors.

AWS CLI:

To enable server-side encryption for an existing Kinesis stream:

aws kinesis start-stream-encryption --stream-name <YOUR-STREAM-NAME> --encryption-type KMS --key-id <YOUR-KMS-KEY-ID>

Replace <YOUR-STREAM-NAME> with your stream name and <YOUR-KMS-KEY-ID> with the key to use: a key ID, key ARN, alias name (alias/...), alias ARN, or alias/aws/kinesis for the AWS-managed key. The describe-stream-summary command reports the resulting EncryptionType and KeyId, so use it to confirm the change once the update has completed.

Terraform:
# Stream with server-side encryption enabled from creation, so every record
# written to it is encrypted with the customer-managed key below.
resource "aws_kinesis_stream" "example" {
  name             = "example"
  shard_count      = 1
  retention_period = 24

  encryption_type = "KMS"
  kms_key_id      = aws_kms_key.example.arn
}

# Customer-managed KMS key for the stream. Automatic rotation refreshes the
# key material without changing the key ARN referenced by the stream.
resource "aws_kms_key" "example" {
  description             = "Kinesis stream encryption key"
  deletion_window_in_days = 10
  enable_key_rotation     = true
}

In this Terraform configuration, the Kinesis stream is encrypted using a customer-managed KMS key with automatic rotation enabled; the key's policy governs which producers and consumers can write to and read from the stream.


Recommendation:

Always enable server-side encryption for Kinesis streams to protect data at rest. Prefer a customer-managed key where you need control over the key policy or an audit trail of key use, and enable automatic key rotation as per AWS best practices. Review your stream configurations regularly (the EncryptionType field returned by describe-stream-summary should read KMS) to confirm encryption settings are as expected.
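The review step above can be automated. The following is an added example written for this finding, not code from the original page or from AWS: it evaluates describe-stream-summary responses and lists the streams whose EncryptionType is not KMS, emitting the exact start-stream-encryption command for each failing stream. The function names, the AWS_MANAGED_KEY_ALIAS heuristic for spotting the AWS-managed key, and the three sample responses are this example's own (the samples are constructed, not captured from a real account); the live audit under __main__ assumes boto3 is installed and the caller has kinesis:ListStreams and kinesis:DescribeStreamSummary permissions.

```python
"""Audit Kinesis Data Streams for missing server-side encryption.

Added example for this finding, not code from the original page or from AWS.
The function names, the AWS_MANAGED_KEY_ALIAS heuristic and the constructed
SAMPLE_SUMMARIES are this example's own assumptions.
"""
import json

# Alias the Kinesis API accepts for the AWS-managed key. Treating a KeyId equal
# to this alias (or an alias ARN ending in it) as "AWS managed" is this
# example's heuristic, not an API field.
AWS_MANAGED_KEY_ALIAS = "alias/aws/kinesis"

# Constructed sample responses (not captured from a real account) in the shape
# returned by describe-stream-summary: one stream on a customer-managed key,
# one on the AWS-managed key, one with encryption disabled.
SAMPLE_SUMMARIES = [
    {"StreamDescriptionSummary": {
        "StreamName": "orders-cmk",
        "StreamStatus": "ACTIVE",
        "RetentionPeriodHours": 24,
        "EncryptionType": "KMS",
        "KeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
    }},
    {"StreamDescriptionSummary": {
        "StreamName": "audit-aws-managed",
        "StreamStatus": "ACTIVE",
        "RetentionPeriodHours": 168,
        "EncryptionType": "KMS",
        "KeyId": "alias/aws/kinesis",
    }},
    {"StreamDescriptionSummary": {
        "StreamName": "clickstream-legacy",
        "StreamStatus": "ACTIVE",
        "RetentionPeriodHours": 24,
        "EncryptionType": "NONE",
    }},
]


def audit_stream_summary(summary):
    """Evaluate one describe-stream-summary response.

    Returns a finding with the stream name, whether KMS encryption is on, the
    key in use, and the CLI remediation when the stream is unencrypted.
    """
    desc = summary["StreamDescriptionSummary"]
    name = desc["StreamName"]
    encrypted = desc.get("EncryptionType", "NONE") == "KMS"
    key_id = desc.get("KeyId")  # absent when EncryptionType is NONE
    aws_managed = bool(key_id) and (
        key_id == AWS_MANAGED_KEY_ALIAS or key_id.endswith(":" + AWS_MANAGED_KEY_ALIAS)
    )
    finding = {
        "stream": name,
        "encrypted": encrypted,
        "key_id": key_id,
        "aws_managed_key": aws_managed,
        # Records already in an unencrypted stream are not re-encrypted when
        # encryption is enabled; they stay in plaintext for this many hours.
        "retention_hours": desc.get("RetentionPeriodHours"),
        "remediation": None,
    }
    if not encrypted:
        finding["remediation"] = (
            f"aws kinesis start-stream-encryption --stream-name {name} "
            "--encryption-type KMS --key-id <YOUR-KMS-KEY-ID>"
        )
    return finding


def find_unencrypted_streams(summaries):
    """Return the names of streams whose EncryptionType is not KMS."""
    return [f["stream"] for f in map(audit_stream_summary, summaries) if not f["encrypted"]]


if __name__ == "__main__":
    # Live audit of the current account and region. boto3 is imported here so
    # the pure functions above remain usable offline against SAMPLE_SUMMARIES.
    import boto3

    kinesis = boto3.client("kinesis")
    summaries = []
    for page in kinesis.get_paginator("list_streams").paginate():
        for stream_name in page["StreamNames"]:
            summaries.append(kinesis.describe_stream_summary(StreamName=stream_name))
    for finding in map(audit_stream_summary, summaries):
        print(json.dumps(finding))
```

Run it with credentials for the target account to get one JSON finding per stream; a stream whose finding shows "encrypted": false should be fixed with the printed remediation command, and the retention_hours value tells you how long its existing plaintext records will persist after encryption is turned on. Streams on the AWS-managed key are compliant with this finding but do not offer the key-policy control or rotation settings of a customer-managed key.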