Kinesis is not encrypted with KMS
| Field | Value |
|---|---|
| ID | aws_kinesis_not_encrypted |
| Severity | high |
| Vendor | AWS |
| Resource | Encryption |
| Tags | reachable |
Description
Kinesis is not encrypted with KMS. Server-side encryption is a feature in Amazon Kinesis Data Streams that automatically encrypts data before it’s at rest by using an AWS KMS customer master key (CMK) you specify. Data is encrypted before it’s written to the Kinesis stream storage layer, and decrypted after it’s retrieved from storage. As a result, your data is encrypted at rest within the Kinesis Data Streams service. This allows you to meet strict regulatory requirements and enhance the security of your data.
With server-side encryption, your Kinesis stream producers and consumers don’t need to manage master keys or cryptographic operations. Your data is automatically encrypted as it enters and leaves the Kinesis Data Streams service, so your data at rest is encrypted. AWS KMS provides all the master keys that are used by the server-side encryption feature. AWS KMS makes it easy to use a CMK for Kinesis that is managed by AWS, a user-specified AWS KMS CMK, or a master key imported into the AWS KMS service.
To fix it, you must configure encryption_state=enabled and encryption_type=KMS (the default value).
Learn more about this topic at AWS Kinesis data stream.
Examples

```yaml
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Encrypt Kinesis Stream test-stream.
      community.aws.kinesis_stream:
        name: test-stream
        state: present
        shards: 1
        encryption_state: enabled
        # Non-compliant: NONE leaves the stream unencrypted even though
        # encryption_state is enabled; the rule expects KMS here.
        encryption_type: NONE
        key_id: alias/aws/kinesis
        wait: true
        wait_timeout: 600
      register: test_stream
```
Mitigation / Fix

```yaml
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Encrypt Kinesis Stream test-stream.
      community.aws.kinesis_stream:
        name: test-stream
        state: present
        shards: 1
        encryption_state: enabled
        # Compliant: server-side encryption with the AWS-managed Kinesis CMK.
        encryption_type: KMS
        key_id: alias/aws/kinesis
        wait: true
        wait_timeout: 600
      register: test_stream
```
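The rule above can be checked in CI before a playbook ever reaches AWS. The following is an added example (not code from the page, the scanner, or the community.aws collection) that implements the aws_kinesis_not_encrypted logic over parsed playbooks: a kinesis_stream task fails when encryption_state is not enabled or encryption_type is explicitly set to something other than KMS (an omitted encryption_type is treated as the KMS default, as the page states). The two sample playbooks are constructed inline as the structures a YAML parser would return, and the legacy short module name `kinesis_stream` is an assumed alias.

```python
MODULE_NAMES = ("community.aws.kinesis_stream", "kinesis_stream")  # FQCN plus assumed legacy short name

# Constructed samples: the page's Examples and Mitigation playbooks as parsed YAML.
NONCOMPLIANT = [{"name": "Example playbook", "hosts": "localhost", "tasks": [
    {"name": "Encrypt Kinesis Stream test-stream.", "register": "test_stream",
     "community.aws.kinesis_stream": {"name": "test-stream", "state": "present", "shards": 1,
                                      "encryption_state": "enabled", "encryption_type": "NONE",
                                      "key_id": "alias/aws/kinesis"}}]}]
COMPLIANT = [{"name": "Example playbook", "hosts": "localhost", "tasks": [
    {"name": "Encrypt Kinesis Stream test-stream.", "register": "test_stream",
     "community.aws.kinesis_stream": {"name": "test-stream", "state": "present", "shards": 1,
                                      "encryption_state": "enabled", "encryption_type": "KMS",
                                      "key_id": "alias/aws/kinesis"}}]}]

def iter_tasks(tasks):
    """Yield each task, descending into block/rescue/always sections."""
    for task in tasks or []:
        if any(k in task for k in ("block", "rescue", "always")):
            for k in ("block", "rescue", "always"):
                yield from iter_tasks(task.get(k))
        else:
            yield task

def check_task(task):
    """Return a finding string for a kinesis_stream task that violates the rule, else None."""
    module = next((m for m in MODULE_NAMES if m in task), None)
    if module is None:
        return None
    params = task[module] if isinstance(task[module], dict) else {}
    if params.get("state", "present") != "present":
        return None                      # a stream being deleted holds no data at rest
    name = params.get("name", "<unnamed>")
    if params.get("encryption_state") != "enabled":
        return f"{name}: encryption_state is not 'enabled'"
    enc_type = params.get("encryption_type", "KMS")   # omitted means the KMS default
    if enc_type != "KMS":
        return f"{name}: encryption_type is {enc_type!r}, expected 'KMS'"
    return None

def check_playbook(playbook):
    """Return all findings across plays, including pre_tasks/post_tasks/handlers."""
    findings = []
    for play in playbook:
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task in iter_tasks(play.get(section)):
                finding = check_task(task)
                if finding:
                    findings.append(finding)
    return findings

if __name__ == "__main__":
    print(check_playbook(NONCOMPLIANT))   # one finding for encryption_type NONE
    print(check_playbook(COMPLIANT))      # []
```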