Kinesis Stream Encrypted With CMK
More Info:
Ensure Amazon Kinesis streams are utilizing KMS CMK customer-managed keys instead of AWS managed-keys (i.e. default encryption keys created by Amazon for Kinesis service) in order to have more granular control over your data streams encryption/decryption process. Kinesis is an AWS streaming data service that provides you with the ability to build and manage your own streaming data applications for specialized needs. An AWS Kinesis stream is an ordered sequence of data records collected within a dedicated storage layer.Risk Level
HighAddress
Cost optimization, Operational Maturity, SecurityCompliance Standards
ISO27001, HIPAATriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of a Kinesis Stream encrypted with a Customer Master Key (CMK) for AWS DynamoDB using the AWS Management Console, follow these steps:
- Access the AWS Management Console: Go to the AWS Management Console at https://console.aws.amazon.com.
- Navigate to DynamoDB Service: Click on the “Services” dropdown menu at the top left corner of the console. Under the “Database” section, click on “DynamoDB” to open the DynamoDB dashboard.
- Select the DynamoDB Table: In the DynamoDB dashboard, locate and click on the table that you want to remediate the encryption settings for.
-
Edit Table Encryption Settings:
- Click on the “Overview” tab to view the details of the selected DynamoDB table.
- In the “Overview” tab, click on the “Manage” button next to the “Encryption” section.
-
Update Encryption Settings:
- In the “Encryption” settings page, locate the “Encryption Type” section.
- Click on the “Edit” button to modify the encryption settings for the DynamoDB table.
-
Select Encryption Type:
- In the “Edit encryption” dialog box, choose the desired encryption type. To remediate the misconfiguration of Kinesis Stream encryption with CMK, select “AWS managed key (AWS KMS)”.
-
Choose AWS Managed Key (KMS):
- Select the appropriate AWS managed key (KMS) from the dropdown list. Ensure that you choose the key that aligns with your security and compliance requirements.
-
Save Changes:
- After selecting the AWS managed key (KMS), click on the “Save” button to apply the encryption settings changes to the DynamoDB table.
-
Verify Encryption Settings:
- Once the changes are saved, verify that the encryption settings have been successfully updated to use the AWS managed key (KMS) instead of the Kinesis Stream encryption.
Using CLI
Using CLI
To remediate the misconfiguration of a Kinesis Stream encrypted with a Customer Managed Key (CMK) for AWS DynamoDB using AWS CLI, you can follow these steps:
- Identify the DynamoDB Table: First, identify the DynamoDB table that is using the Kinesis Stream encrypted with CMK.
- Disable Encryption with CMK for Kinesis Stream: To remediate this misconfiguration, you will need to disable encryption with CMK for the Kinesis Stream associated with the DynamoDB table. You can achieve this by updating the Kinesis Stream settings.
-
Update Kinesis Stream Encryption Settings:
-
Open the AWS CLI and run the following command to update the encryption settings of the Kinesis Stream associated with the DynamoDB table:
Replace
YOUR_STREAM_NAMEwith the actual name of the Kinesis Stream associated with the DynamoDB table.
-
Open the AWS CLI and run the following command to update the encryption settings of the Kinesis Stream associated with the DynamoDB table:
-
Verify Encryption Settings: Once you have updated the encryption settings for the Kinesis Stream, verify that the encryption type is set to
NONEto ensure that the Kinesis Stream is no longer encrypted with a CMK. - Monitor DynamoDB Table: Monitor the DynamoDB table to ensure that there are no issues or disruptions after making this change.
NONE, you can remediate the misconfiguration of a Kinesis Stream encrypted with a CMK for AWS DynamoDB.Using Python
Using Python
To remediate the misconfiguration of a Kinesis Stream not being encrypted with a Customer Managed Key (CMK) in AWS, we need to create a new Kinesis Stream with encryption enabled using a CMK. Here are the step-by-step instructions on how to remediate this issue for AWS DynamoDB using Python:By following these steps and running the Python script, you can remediate the misconfiguration of a Kinesis Stream not being encrypted with a CMK in AWS DynamoDB.
- Import the necessary Python libraries:
- Create a new Kinesis Stream with encryption enabled:
- Replace the
stream_nameandcmk_arnvariables with your desired values:
- Call the
remediate_kinesis_stream_encryptionfunction with the appropriate parameters:
- Run the Python script to create the new Kinesis Stream with encryption enabled using a CMK: