Kinesis Server Side Encryption
More Info:
Ensure that your AWS Kinesis streams are encrypted using Server-Side Encryption (SSE) in order to meet strict regulatory requirements and improve the security of your data at rest. Kinesis is a platform for streaming data on Amazon Web Services that provides you with the ability to build and manage your own custom streaming data applications for specialized needs. A Kinesis stream is an ordered sequence of data records collected within a dedicated storage layer. With SSE your sensitive data is encrypted before this is written to the Kinesis stream storage layer and decrypted after it’s retrieved from storage.Risk Level
HighAddress
Cost optimization, Operational Maturity, SecurityCompliance Standards
HIPAA, ISO27001Triage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration related to Kinesis Server Side Encryption for Kinesis using AWS console, follow these steps:
-
Navigate to Kinesis Console:
- Open the AWS Management Console and navigate to the Kinesis service.
-
Select the Stream:
- From the list of Streams, select the Stream for which you want to enable encryption.
-
Enable Server-Side Encryption:
- In the Stream details page, locate the Configuration section for Server-Side Encryption.
- Under “Server-side encryption”, click “Edit” to change the encryption settings.
- Enable “Server-side encryption”
-
Choose Encryption Type:
- Select the option for Kinesis Server-Side Encryption. AWS managed key (aws/kinesis) or Customer managed key (specify your KMS key ARN)
- You may need to provide additional details such as KMS Key ARN for encryption.
-
Save Changes:
- After configuring the encryption settings, save the changes by clicking on the ‘Save’ or ‘Update’ button.
-
Verify Encryption Status:
- Once the changes are saved, verify that the Server-Side Encryption is enabled for the Kinesis Data Stream.
Using CLI
Using CLI
To remediate the misconfiguration of Kinesis Server-Side Encryption for Kinesis using AWS CLI, you can follow these steps:
-
Check the current encryption status: Run the following AWS CLI command to check the current encryption status of your Kinesis Data Stream:
This command will return information about the specified Kinesis Data Stream, including the encryption settings.
-
Enable Server-Side Encryption: If the encryption is not enabled, you can enable Server-Side Encryption for the Kinesis Data Stream using the following AWS CLI command:
Using Customer Managed Key:Replace
YOUR_STREAM_NAMEwith the actual name of your Kinesis Data Stream. This command will enable Server-Side Encryption for the specified Kinesis Data Stream. -
Verify Encryption: After enabling Server-Side Encryption, you can verify the encryption status by running the
describe-tablecommand again:Ensure that theSSEDescriptionsection in the output confirms that Server-Side Encryption is enabled for the Kinesis Data Stream.
Using Python
Using Python
To remediate the misconfiguration of not having Kinesis Server Side Encryption enabled for Kinesis using Python, follow these steps:Replace
- Import the necessary Python libraries:
- Initialize the Kinesis client:
- Enable server-side encryption for the Kinesis Data Stream using the
start_stream_encryptionmethod:
'YOUR_STREAM_NAME' with the actual name of your Kinesis Data Stream.- Verify that server-side encryption with KMS is enabled for the Kinesis Data Stream:
- Run the Python script to apply the changes and verify that server-side encryption with KMS is enabled for the Kinesis Data Stream.