AWS Kinesis Does Not Enforce Data-at-Rest Encryption using CMK

Description:

AWS Kinesis is a powerful streaming data service that handles large-scale real-time data ingestion and processing. While Kinesis offers data encryption at rest, it defaults to using AWS-managed keys. For enhanced security and control, it's advisable to use a Customer Master Key (CMK) for encryption. Not using a CMK for data-at-rest encryption in AWS Kinesis can lead to reduced control over data access and less detailed auditing, posing potential compliance and security risks.


Remediation:

1. Enabling CMK Encryption for New AWS Kinesis Streams:

AWS Management Console:
  • Go to the Amazon Kinesis console.
  • Click "Create data stream" or "Create Kinesis stream".
  • In the "Set details" step, find the "Encryption" section.
  • Select "Enable" for encryption.
  • Choose "Customer managed CMK" and select your CMK from the dropdown or create a new one.
  • Complete the setup by configuring the rest of the stream settings and click "Create".
AWS CLI:
  • create-stream accepts no encryption options, so create the stream, wait until it is ACTIVE, then turn on KMS encryption with your CMK:
aws kinesis create-stream --stream-name YourStreamName --shard-count 1
aws kinesis wait stream-exists --stream-name YourStreamName
aws kinesis start-stream-encryption --stream-name YourStreamName --encryption-type KMS --key-id arn:aws:kms:region:account-id:key/your-cmk-id
Terraform:
  • Define the AWS Kinesis stream resource in your Terraform configuration.
  • Add the encryption_type and kms_key_id attributes to enable CMK encryption.
resource "aws_kinesis_stream" "example" {
  name             = "example-stream"
  shard_count      = 1
  encryption_type  = "KMS"
  kms_key_id       = "arn:aws:kms:region:account-id:key/your-cmk-id"
}

2. Updating Existing AWS Kinesis Streams to Use CMK Encryption:

AWS Management Console:
  • Navigate to the Amazon Kinesis console.
  • Select your existing Kinesis stream.
  • In the stream details page, click "Update".
  • In the "Encryption" section, change to "Customer managed CMK" and select your CMK.
  • Save the changes.
AWS CLI:
aws kinesis start-stream-encryption --stream-name YourExistingStreamName --encryption-type KMS --key-id arn:aws:kms:region:account-id:key/your-cmk-id
Terraform:
  • Update the encryption_type and kms_key_id attributes in your existing Terraform Kinesis stream resource.
resource "aws_kinesis_stream" "example" {
  name             = "example-stream"
  shard_count      = 1
  encryption_type  = "KMS"
  kms_key_id       = "arn:aws:kms:region:account-id:key/your-cmk-id"
}

3. Monitor and Audit:

AWS Management Console:
  • Use AWS Config to monitor Kinesis streams for CMK encryption compliance.
  • Regularly review AWS CloudTrail logs for key usage and access patterns.
AWS CLI:
  • Check a single stream with aws kinesis describe-stream-summary --stream-name YourStreamName and confirm that EncryptionType is KMS and KeyId is your CMK; automate recurring audits of all stream configurations with the AWS Config SDK or Boto3 in Python.
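The following Boto3-based audit is an added example, not part of the original remediation text. It classifies each stream from the StreamDescriptionSummary that DescribeStreamSummary returns, distinguishing unencrypted streams, streams on the AWS-managed key (alias/aws/kinesis) and streams on a customer-managed key; where the key is referenced only by ARN it calls KMS DescribeKey to learn who manages it. The sample responses, stream names, account id and key id are constructed placeholders, and the live audit_region() helper needs AWS credentials with kinesis:ListStreams, kinesis:DescribeStreamSummary and kms:DescribeKey.

```python
"""Audit Kinesis data streams for customer-managed KMS key (CMK) encryption at rest.

classify_stream() is pure: it works on the StreamDescriptionSummary dict that the
Kinesis DescribeStreamSummary API returns, so it can be exercised offline.
audit_region() wires it to boto3 for a live run.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# AWS reserves the "alias/aws/" prefix for AWS-managed keys (Kinesis uses alias/aws/kinesis).
AWS_MANAGED_ALIAS_PREFIX = "alias/aws/"

COMPLIANT = "COMPLIANT"                  # KMS with a customer-managed key
UNENCRYPTED = "UNENCRYPTED"              # EncryptionType is NONE
AWS_MANAGED_KEY = "AWS_MANAGED_KEY"      # KMS, but with the AWS-managed key
UNKNOWN_KEY_OWNER = "UNKNOWN_KEY_OWNER"  # KMS with a key ARN/ID; needs a kms:DescribeKey lookup


@dataclass(frozen=True)
class Finding:
    stream_name: str
    status: str
    key_id: Optional[str]


def classify_stream(summary: dict, key_manager: Optional[str] = None) -> Finding:
    """Classify one StreamDescriptionSummary.

    key_manager, when given, is KeyMetadata.KeyManager from KMS DescribeKey
    ("AWS" or "CUSTOMER") for the stream's key. Without it, a key referenced by
    ARN or key ID cannot be attributed to an owner, so that case is flagged
    UNKNOWN_KEY_OWNER rather than silently passed.
    """
    name = summary["StreamName"]
    key_id = summary.get("KeyId")
    if summary.get("EncryptionType", "NONE") != "KMS" or not key_id:
        return Finding(name, UNENCRYPTED, None)
    if key_manager == "AWS" or key_id.startswith(AWS_MANAGED_ALIAS_PREFIX):
        return Finding(name, AWS_MANAGED_KEY, key_id)
    if key_manager == "CUSTOMER":
        return Finding(name, COMPLIANT, key_id)
    # No KMS metadata: a non-reserved alias can only be customer-created; anything
    # else (key ARN or bare key ID) must be resolved against KMS before passing it.
    if key_id.startswith("alias/"):
        return Finding(name, COMPLIANT, key_id)
    return Finding(name, UNKNOWN_KEY_OWNER, key_id)


def classify_all(summaries: Iterable[dict]) -> List[Finding]:
    return [classify_stream(s) for s in summaries]


def non_compliant(findings: Iterable[Finding]) -> List[Finding]:
    """Everything that is not positively known to use a customer-managed key."""
    return [f for f in findings if f.status != COMPLIANT]


def audit_region(region_name: str) -> List[Finding]:
    """Live audit of every stream in one region (requires AWS credentials)."""
    import boto3  # imported here so the offline classification above needs no SDK

    kinesis = boto3.client("kinesis", region_name=region_name)
    kms = boto3.client("kms", region_name=region_name)

    names: List[str] = []
    kwargs: dict = {}
    while True:  # ListStreams pages with HasMoreStreams / ExclusiveStartStreamName
        page = kinesis.list_streams(**kwargs)
        names.extend(page["StreamNames"])
        if not page.get("HasMoreStreams") or not page["StreamNames"]:
            break
        kwargs = {"ExclusiveStartStreamName": names[-1]}

    findings = []
    for name in names:
        summary = kinesis.describe_stream_summary(StreamName=name)["StreamDescriptionSummary"]
        key_manager = None
        if summary.get("EncryptionType") == "KMS":
            key_manager = kms.describe_key(KeyId=summary["KeyId"])["KeyMetadata"]["KeyManager"]
        findings.append(classify_stream(summary, key_manager))
    return findings


# Constructed sample responses (not captured from a real account); the account id
# and key id are placeholders.
SAMPLE_SUMMARIES = [
    {"StreamName": "orders", "EncryptionType": "KMS",
     "KeyId": "arn:aws:kms:us-east-1:111122223333:key/your-cmk-id"},
    {"StreamName": "clickstream", "EncryptionType": "NONE"},
    {"StreamName": "telemetry", "EncryptionType": "KMS", "KeyId": "alias/aws/kinesis"},
    {"StreamName": "audit-log", "EncryptionType": "KMS", "KeyId": "alias/kinesis-prod-cmk"},
]

if __name__ == "__main__":
    for f in non_compliant(classify_all(SAMPLE_SUMMARIES)):
        print(f"{f.stream_name}: {f.status} (KeyId={f.key_id})")
```

The audit deliberately treats a key it cannot attribute as non-compliant: an ARN that points at the AWS-managed key looks identical to a customer key ARN until KMS is asked, and an audit that passes such streams by default would hide exactly the misconfiguration this finding describes.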

4. Document and Train:

  • Update internal policies to mandate the use of CMKs for Kinesis data-at-rest encryption.
  • Educate technical teams on the importance and processes of implementing CMK encryption in AWS Kinesis.

By adhering to these steps, you ensure that your AWS Kinesis data streams are encrypted using Customer Master Keys, providing enhanced control, security, and compliance.