Ensure Kinesis Stream is securely encrypted

ID

kinesis_stream_encrypted_cmk

Severity

high

Vendor

AWS

Resource

Kinesis

Tags

reachable

Description

Amazon Kinesis Data Streams is a managed service for ingesting and storing real-time streaming data. This check applies to data streams (AWS::Kinesis::Stream), not to Kinesis Data Firehose delivery streams, which are a separate resource with their own encryption settings.

Kinesis Data Streams supports server-side encryption for streams that carry sensitive data. When it is enabled, records sent by a producer are encrypted with an AWS KMS key before they are written to storage and decrypted transparently when a consumer reads them. It is off by default (EncryptionType NONE), so a stream created without it stores records in plaintext.

Use streams encrypted with a customer managed KMS key (CMK) rather than the AWS managed key alias/aws/kinesis. Owning the key gives you control the AWS managed key does not: you can define its key policy, rotate it, disable it, and audit its use in CloudTrail.

Examples

CloudFormation

{
  "Resources": {
    "MyKinesisStream": { (1)
      "Type": "AWS::Kinesis::Stream",
      "Properties": {
        "Name": "MyKinesisStream",
        "RetentionPeriodHours": 168,
        "ShardCount": 3
      }
    }
  }
}
1 A missing StreamEncryption/EncryptionType property means server-side encryption is not enabled (EncryptionType NONE): records in the stream are stored in plaintext.
Resources:
  KMSEncryption: (1)
    Type: AWS::Kinesis::Stream
    Properties:
      Name: MyKinesisStream
      RetentionPeriodHours: 168
      ShardCount: 3
1 A missing StreamEncryption/EncryptionType property means server-side encryption is not enabled (EncryptionType NONE): records in the stream are stored in plaintext.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "MyKinesisStream": {
      "Type": "AWS::Kinesis::Stream",
      "Properties": {
        "Name": "MyKinesisStream",
        "RetentionPeriodHours": 168,
        "ShardCount": 3,
        "StreamEncryption": {
          "EncryptionType": "KMS", (1)
          "KeyId": "alias/myKey"
        }
      }
    }
  }
}
1 EncryptionType set to KMS enables server-side encryption. KeyId must be a key ID, key ARN, alias name (alias/...) or alias ARN of the customer managed key, or a Ref to an AWS::KMS::Key in the same template; alias/myKey is a placeholder. Using alias/aws/kinesis here selects the AWS managed key and does not meet the CMK recommendation.
Resources:
  KMSEncryption:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: MyKinesisStream
      RetentionPeriodHours: 168
      ShardCount: 3
      StreamEncryption:
        EncryptionType: KMS (1)
        KeyId: alias/myKey
1 EncryptionType set to KMS enables server-side encryption. KeyId must be a key ID, key ARN, alias name (alias/...) or alias ARN of the customer managed key, or a !Ref to an AWS::KMS::Key in the same template; alias/myKey is a placeholder. Using alias/aws/kinesis here selects the AWS managed key and does not meet the CMK recommendation.

Runtime

AWS Console

To enable server-side encryption from the AWS Management Console:

  • Open the Amazon Kinesis console.

  • Select Data streams from the left navigation panel.

  • Select the data stream that needs to be verified and click on its name to open the stream details.

  • Select the Configuration tab and scroll down to Server-side encryption. If it is shown as Disabled, records in the selected stream are stored unencrypted.

  • Click Edit next to Server-side encryption and choose to enable it.

  • Select a customer managed KMS key from the list rather than the AWS managed key aws/kinesis.

  • Click Save changes. Records already in the stream when encryption is turned on are not re-encrypted; only records written afterwards are protected, so anything sensitive written earlier stays in plaintext until it ages out of the retention period.

CLI Command

aws kinesis start-stream-encryption --encryption-type KMS --key-id <kms-key-id> --stream-name <stream-name>
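The buildtime check over templates like the ones above and the runtime check behind this CLI command, written out as one Python audit script. This is an added example, not code from this page, from Checkov or from AWS: the stream names, the account ID, the key ARN and alias/myKey are constructed placeholders, and the describe-stream-summary responses are hand-written in the shape the CLI returns.

```python
"""Added example for this policy page (not code from the page, Checkov or AWS).

One classifier for a Kinesis Data Streams encryption setting, applied to
AWS::Kinesis::Stream resources in CloudFormation JSON (the buildtime check)
and to the JSON returned by `aws kinesis describe-stream-summary` (the runtime
check). All templates and API responses below are constructed samples.
"""
import json

# The Kinesis-owned AWS managed key. Selecting it enables SSE but does not
# give you the key-policy, rotation and disable control the page recommends.
AWS_MANAGED_ALIAS = "alias/aws/kinesis"


def classify(encryption_type, key_id):
    """Return 'unencrypted', 'aws-managed-key', 'customer-managed-key' or
    'invalid' for one (EncryptionType, KeyId) pair.

    Server-side encryption is off unless EncryptionType is KMS. With KMS,
    KeyId is a key ID, key ARN, alias name or alias ARN; alias/aws/kinesis is
    the AWS managed key. A bare key ARN of the AWS managed key cannot be told
    apart by format alone; resolve it with `aws kms describe-key` and check
    KeyManager == AWS if you need to be exact.
    """
    if encryption_type != "KMS":
        return "unencrypted"
    if isinstance(key_id, dict):
        # CloudFormation intrinsic ({"Ref": ...} / {"Fn::GetAtt": ...}) pointing
        # at a key the template itself creates: customer managed by construction.
        return "customer-managed-key"
    if not isinstance(key_id, str) or not key_id.strip():
        return "invalid"  # KMS declared but no key reference; template will not deploy
    if key_id == AWS_MANAGED_ALIAS or key_id.endswith(":" + AWS_MANAGED_ALIAS):
        return "aws-managed-key"
    return "customer-managed-key"


def audit_template(template):
    """Map each AWS::Kinesis::Stream logical ID in a parsed CloudFormation
    template to its classification. A missing StreamEncryption block means
    EncryptionType NONE, i.e. the stream is created unencrypted."""
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Kinesis::Stream":
            continue
        sse = resource.get("Properties", {}).get("StreamEncryption") or {}
        results[logical_id] = classify(sse.get("EncryptionType", "NONE"), sse.get("KeyId"))
    return results


def audit_stream_summary(summary):
    """Classify the parsed output of `aws kinesis describe-stream-summary`."""
    desc = summary["StreamDescriptionSummary"]
    return desc["StreamName"], classify(desc.get("EncryptionType", "NONE"), desc.get("KeyId"))


def remediation(stream_name, verdict, key_id="<customer-managed-kms-key-id>"):
    """The CLI command that enables (or, for an already encrypted stream,
    switches) server-side encryption; None when nothing needs to change."""
    if verdict == "customer-managed-key":
        return None
    return ("aws kinesis start-stream-encryption --encryption-type KMS "
            f"--key-id {key_id} --stream-name {stream_name}")


# Constructed templates: the page's non-compliant resource, its fix with a
# hypothetical alias, the AWS managed key, and a Ref to an in-template key.
UNENCRYPTED_TEMPLATE = json.loads("""{"Resources": {"MyKinesisStream": {
  "Type": "AWS::Kinesis::Stream",
  "Properties": {"Name": "MyKinesisStream", "RetentionPeriodHours": 168, "ShardCount": 3}}}}""")

MIXED_TEMPLATE = {"Resources": {
    "Cmk": {"Type": "AWS::KMS::Key", "Properties": {"EnableKeyRotation": True}},
    "WithAlias": {"Type": "AWS::Kinesis::Stream", "Properties": {"ShardCount": 1,
        "StreamEncryption": {"EncryptionType": "KMS", "KeyId": "alias/myKey"}}},
    "WithAwsManaged": {"Type": "AWS::Kinesis::Stream", "Properties": {"ShardCount": 1,
        "StreamEncryption": {"EncryptionType": "KMS", "KeyId": "alias/aws/kinesis"}}},
    "WithRef": {"Type": "AWS::Kinesis::Stream", "Properties": {"ShardCount": 1,
        "StreamEncryption": {"EncryptionType": "KMS", "KeyId": {"Ref": "Cmk"}}}},
}}

# Constructed describe-stream-summary responses, trimmed to the relevant fields.
SUMMARY_NONE = {"StreamDescriptionSummary": {
    "StreamName": "orders", "StreamStatus": "ACTIVE", "EncryptionType": "NONE"}}
SUMMARY_CMK = {"StreamDescriptionSummary": {
    "StreamName": "payments", "StreamStatus": "ACTIVE", "EncryptionType": "KMS",
    "KeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}}

if __name__ == "__main__":
    print(audit_template(UNENCRYPTED_TEMPLATE))
    print(audit_template(MIXED_TEMPLATE))
    for summary in (SUMMARY_NONE, SUMMARY_CMK):
        name, verdict = audit_stream_summary(summary)
        print(name, verdict, remediation(name, verdict))
```

To run the runtime half against a real account, feed `aud­it_stream_summary` the parsed output of `aws kinesis describe-stream-summary --stream-name <stream-name>` for each name returned by `aws kinesis list-streams`; the same call is the verification step after `start-stream-encryption`, which leaves the stream in UPDATING for a short time before EncryptionType reads KMS. The AWS managed key is reported as its own finding rather than folded into "unencrypted" because it does satisfy a plain "is KMS enabled" check while still falling short of the CMK recommendation this page makes.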