> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Kinesis Server Side Encryption

### More Info:

Ensure that your AWS Kinesis streams are encrypted using Server-Side Encryption (SSE) in order to meet strict regulatory requirements and improve the security of your data at rest. Kinesis is a platform for streaming data on Amazon Web Services that provides you with the ability to build and manage your own custom streaming data applications for specialized needs. A Kinesis stream is an ordered sequence of data records collected within a dedicated storage layer. With SSE your sensitive data is encrypted before this is written to the Kinesis stream storage layer and decrypted after it’s retrieved from storage.

### Risk Level

High

### Address

Cost optimization, Operational Maturity, Security

### Compliance Standards

HIPAA, ISO27001

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the misconfiguration related to Kinesis Server Side Encryption for Kinesis using AWS console, follow these steps:

        1. **Navigate to Kinesis Console:**
           * Open the AWS Management Console and navigate to the Kinesis service.

        2. **Select the Stream:**
           * From the list of Streams, select the Stream for which you want to enable encryption.

        3. **Enable Server-Side Encryption:**
           * In the Stream details page, locate the Configuration section for Server-Side Encryption.
           * Under "Server-side encryption", click "Edit" to change the encryption settings.
           * Enable "Server-side encryption"

        4. **Choose Encryption Type:**
           * Select the option for Kinesis Server-Side Encryption. AWS managed key (aws/kinesis) or Customer managed key (specify your KMS key ARN)
           * You may need to provide additional details such as KMS Key ARN for encryption.

        5. **Save Changes:**
           * After configuring the encryption settings, save the changes by clicking on the 'Save' or 'Update' button.

        6. **Verify Encryption Status:**
           * Once the changes are saved, verify that the Server-Side Encryption is enabled for the Kinesis Data Stream.

        By following these steps, you can remediate the misconfiguration related to Kinesis Server Side Encryption for Kinesis using the AWS Management Console.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration of Kinesis Server-Side Encryption for Kinesis using AWS CLI, you can follow these steps:

        1. **Check the current encryption status**: Run the following AWS CLI command to check the current encryption status of your Kinesis Data Stream:

           ```bash theme={null}
           aws kinesis describe-stream --stream-name STREAM_NAME
           ```

           This command will return information about the specified Kinesis Data Stream, including the encryption settings.

        2. **Enable Server-Side Encryption**: If the encryption is not enabled, you can enable Server-Side Encryption for the Kinesis Data Stream using the following AWS CLI command:

           ```bash theme={null}
            aws kinesis start-stream-encryption \
            --stream-name YOUR_STREAM_NAME \
            --encryption-type KMS \
            --key-id alias/aws/kinesis
           ```

           Using Customer Managed Key:

           ```bash theme={null}
           aws kinesis start-stream-encryption \
           --stream-name YOUR_STREAM_NAME \
           --encryption-type KMS \
           --key-id arn:aws:kms:REGION:ACCOUNT-ID:key/KEY-ID
           ```

           Replace `YOUR_STREAM_NAME` with the actual name of your Kinesis Data Stream. This command will enable Server-Side Encryption for the specified Kinesis Data Stream.

        3. **Verify Encryption**: After enabling Server-Side Encryption, you can verify the encryption status by running the `describe-table` command again:

           ```bash theme={null}
           aws kinesis describe-stream --stream-name STREAM_NAME
           ```

           Ensure that the `SSEDescription` section in the output confirms that Server-Side Encryption is enabled for the Kinesis Data Stream.

        By following these steps and using the AWS CLI commands provided, you can remediate the misconfiguration of Kinesis Server-Side Encryption for Kinesis.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration of not having Kinesis Server Side Encryption enabled for Kinesis using Python, follow these steps:

        1. Import the necessary Python libraries:

        ```python theme={null}
        import boto3
        ```

        2. Initialize the Kinesis client:

        ```python theme={null}
        kinesis_client = boto3.client('kinesis')
        ```

        3. Enable server-side encryption for the Kinesis Data Stream using the `start_stream_encryption` method:

        ```python theme={null}
        stream_name = 'YOUR_STREAM_NAME'

        response = kinesis_client.start_stream_encryption(
            StreamName=stream_name,
            EncryptionType='KMS',
            KeyId=key_id
        )
        ```

        Replace `'YOUR_STREAM_NAME'` with the actual name of your Kinesis Data Stream.

        4. Verify that server-side encryption with KMS is enabled for the Kinesis Data Stream:

        ```python theme={null}
        response = kinesis_client.describe_stream(StreamName=stream_name)
        encryption_type = response['StreamDescription'].get('EncryptionType', 'NONE')
        key_id = response['StreamDescription'].get('KeyId', 'N/A')

        print(f"Stream: {stream_name}")
        print(f"Encryption Type: {encryption_type}")
        print(f"Key ID: {key_id}")
        ```

        5. Run the Python script to apply the changes and verify that server-side encryption with KMS is enabled for the Kinesis Data Stream.

        By following these steps, you can remediate the misconfiguration of not having Kinesis Server Side Encryption enabled for Kinesis using Python.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html](https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html)
