
Kinesis Server Side Encryption

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)
Rule ID: Kinesis-001

Ensure that your Amazon Kinesis data streams are encrypted using Server-Side Encryption (SSE) in order to meet strict regulatory requirements and improve the security of your data at rest. Amazon Kinesis is a streaming platform that provides you with the ability to build and manage your own custom streaming data applications for specialized needs. A Kinesis data stream is an ordered sequence of data records collected within a dedicated storage layer. With Server-Side Encryption, Kinesis encrypts each record with an AWS KMS key before it is written to the stream storage layer and decrypts it after it is retrieved from that storage, so your producers and consumers do not have to manage keys or perform the cryptographic operations themselves.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Server-Side Encryption (SSE) for Amazon Kinesis data streams provides you with an extra layer of security on top of authentication and authorization. Without SSE, records sit in plaintext in the stream storage layer and the only control on them is IAM authorization for the Kinesis API. With SSE, reading records also requires the right to use the AWS KMS key: when you use a customer managed key, the producer's principal needs kms:GenerateDataKey on that key and the consumer's principal needs kms:Decrypt, so you can restrict which identities can ever see the payload, and a principal without those permissions receives a KMSAccessDeniedException on PutRecord or GetRecords once SSE is on. The AWS-managed key (alias/aws/kinesis) grants these permissions through its key policy, which is convenient but gives you no such per-consumer control. SSE covers data at rest only; data in transit to and from the Kinesis API endpoints is protected by TLS.

Note: SSE encrypts incoming data only after encryption is enabled. Preexisting data available in an unencrypted stream can't be encrypted after Server-Side Encryption is enabled; it stays readable in plaintext until it ages out of the stream's retention period (24 hours by default, up to 365 days), so a long retention window also delays the point at which the whole stream is encrypted.


Audit

To determine if Server-Side Encryption (SSE) is enabled for your Amazon Kinesis data streams, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Kinesis console at https://console.aws.amazon.com/kinesis/.

03 In the main navigation panel, under Dashboard, choose Data streams.

04 Click on the name (link) of the Kinesis data stream that you want to examine.

05 Select the Configuration tab from the console bottom panel and check the Server-side encryption feature status available in the Encryption section. If the feature status is set to Disabled, Server-Side Encryption (SSE) is not enabled for the selected Amazon Kinesis data stream.

06 Repeat steps no. 4 and 5 for each Amazon Kinesis data stream available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-streams command (OSX/Linux/UNIX) to list the name of each Kinesis data stream available in the selected AWS cloud region:

aws kinesis list-streams \
  --region us-east-1 \
  --query 'StreamNames'

02 The command output should return an array with the requested data stream names:

[
    "cc-client-data-stream",
    "iot-kinesis-stream"
]

03 Run describe-stream command (OSX/Linux/UNIX) using the name of the Kinesis data stream that you want to examine as the identifier parameter and custom query filters to describe the encryption type configured for the selected data stream:

aws kinesis describe-stream \
  --region us-east-1 \
  --stream-name cc-client-data-stream \
  --query 'StreamDescription.EncryptionType'

04 The command output should return the encryption type used to encrypt the data stream:

"NONE"

If the describe-stream command output returns "NONE", as shown in the output example above, the Server-Side Encryption (SSE) feature is not enabled for the selected Amazon Kinesis data stream. If the output returns "KMS", SSE is enabled; run the same command with --query 'StreamDescription.KeyId' to see which AWS KMS key (the AWS-managed alias/aws/kinesis or a customer managed key) the stream uses.

05 Repeat steps no. 3 and 4 for each Amazon Kinesis data stream available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable Server-Side Encryption (SSE) for all your Amazon Kinesis data streams, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable Server-Side Encryption (SSE) for Kinesis Data Streams",
  "Resources": {
      "KinesisDataStream": {
          "Type" : "AWS::Kinesis::Stream",
          "Properties" : {
              "Name" : "cc-client-data-stream",
              "RetentionPeriodHours" : 168,
              "ShardCount" : 3,
              "StreamEncryption" : {
                  "EncryptionType" : "KMS",
                  "KeyId" : "alias/aws/kinesis"
              },
              "Tags" : [{
                  "Key" : "Environment",
                  "Value" : "Production"
              }]
          }
      }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Server-Side Encryption (SSE) for Kinesis Data Streams
Resources:
  KinesisDataStream:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: cc-client-data-stream
      RetentionPeriodHours: 168
      ShardCount: 3
      StreamEncryption:
        EncryptionType: KMS
        KeyId: alias/aws/kinesis
      Tags:
        - Key: Environment
          Value: Production

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_kinesis_stream" "kinesis-data-stream" {
  name             = "cc-client-data-stream"
  shard_count      = 3
  retention_period = 168

  # Enable Server-Side Encryption (SSE) for Kinesis Data Streams
  encryption_type = "KMS"
  kms_key_id      = "alias/aws/kinesis"

  stream_mode_details {
    stream_mode = "PROVISIONED"
  }

  tags = {
    Environment = "Production"
  }
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Kinesis console at https://console.aws.amazon.com/kinesis/.

03 In the main navigation panel, under Dashboard, choose Data streams.

04 Click on the name (link) of the Kinesis data stream that you want to reconfigure.

05 Select the Configuration tab from the console bottom panel and choose Edit from the Encryption section to modify the encryption configuration settings available for the selected data stream.

06 On the Edit encryption for <data-stream-name> page, select the Enable server-side encryption checkbox to enable Server-Side Encryption (SSE) for the selected Amazon Kinesis data stream. Choose either the AWS-managed key (the default key that AWS KMS creates for Amazon Kinesis in your account, alias/aws/kinesis) or a customer managed key that you own, which lets you control the key policy, rotation, and which principals are allowed to decrypt. Choose Save changes to apply the changes. The stream enters the Updating state; once it returns to the Active state, Server-Side Encryption is enabled and all incoming data written to the stream is encrypted (records already in the stream remain unencrypted).

07 Repeat steps no. 4 – 6 to enable Server-Side Encryption for other Amazon Kinesis data streams available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run start-stream-encryption command (OSX/Linux/UNIX) using the name of the Amazon Kinesis data stream that you want to reconfigure as the identifier parameter to enable Server-Side Encryption (SSE) for the specified data stream (the command does not produce an output). The following command example enables Server-Side Encryption for a Kinesis data stream named "cc-client-data-stream" using the AWS-managed key created for the Amazon Kinesis service (i.e. "alias/aws/kinesis"). To use a customer managed key instead, pass its key ID, ARN, or alias as the --key-id value; the key must be in the same AWS region as the stream, and the identity running the command needs permission to use it. The command is asynchronous: the stream moves to the UPDATING status and only new records are encrypted once it is ACTIVE again, so verify the result afterwards with describe-stream (the EncryptionType should now be "KMS"):

aws kinesis start-stream-encryption \
  --region us-east-1 \
  --stream-name cc-client-data-stream \
  --encryption-type KMS \
  --key-id alias/aws/kinesis

02 Repeat step no. 1 to enable Server-Side Encryption for other Amazon Kinesis data streams available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
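The Audit and Remediation CLI procedures above both loop over every stream in every region by hand. The script below is an added example for this page, not Conformity's or AWS's own code, that does the same loop with boto3: it lists the streams in each region, applies the EncryptionType check from the Audit section, reports which key is in use, and with --remediate calls StartStreamEncryption with the AWS-managed key and waits for the stream to return to ACTIVE before re-reading the encryption type, so the result is verified rather than assumed. It assumes boto3 is installed and AWS credentials are configured; the default region list and the stream names in the comments are constructed for illustration.

```python
"""Audit Kinesis Data Streams for server-side encryption and optionally enable it.

Added example for this page (not Conformity's or AWS's code). Assumes boto3 and
configured AWS credentials; the region list and sample names are constructed.

Usage:  python kinesis_sse_audit.py us-east-1 eu-west-1 [--remediate]
"""
from __future__ import annotations

import sys

AWS_MANAGED_ALIAS = "alias/aws/kinesis"  # default key Kinesis uses for SSE


def evaluate_stream(summary: dict) -> dict:
    """Apply the Audit check to one StreamDescription / StreamDescriptionSummary.

    EncryptionType "NONE" is a finding; "KMS" passes.  Also reports whether the
    key is the AWS-managed one, because only a customer managed key lets you
    scope kms:GenerateDataKey (producers) and kms:Decrypt (consumers)."""
    name = summary["StreamName"]
    enc = summary.get("EncryptionType", "NONE")
    key = summary.get("KeyId")
    if enc != "KMS":
        return {"stream": name, "encrypted": False, "aws_managed": None,
                "key": None, "note": "SSE disabled: records stored in plaintext"}
    # KeyId may be returned as the bare alias or as a full alias ARN.
    aws_managed = key is None or key.endswith(AWS_MANAGED_ALIAS)
    note = ("SSE enabled with the AWS-managed key" if aws_managed
            else "SSE enabled with a customer managed key")
    return {"stream": name, "encrypted": True, "aws_managed": aws_managed,
            "key": key, "note": note}


def audit_region(region: str) -> list[dict]:
    """Same loop as the list-streams / describe-stream steps, for one region."""
    import boto3  # imported here so evaluate_stream() stays usable offline

    kinesis = boto3.client("kinesis", region_name=region)
    findings = []
    for page in kinesis.get_paginator("list_streams").paginate():
        for name in page["StreamNames"]:
            summary = kinesis.describe_stream_summary(StreamName=name)
            findings.append(evaluate_stream(summary["StreamDescriptionSummary"]))
    return findings


def enable_sse(region: str, name: str, key_id: str = AWS_MANAGED_ALIAS) -> str:
    """Same as start-stream-encryption, then wait and verify.

    The API returns immediately and the stream goes to UPDATING; the
    stream_exists waiter polls DescribeStream until StreamStatus is ACTIVE.
    Returns the encryption type read back after the change."""
    import boto3

    kinesis = boto3.client("kinesis", region_name=region)
    kinesis.start_stream_encryption(StreamName=name, EncryptionType="KMS",
                                    KeyId=key_id)
    kinesis.get_waiter("stream_exists").wait(StreamName=name)
    summary = kinesis.describe_stream_summary(StreamName=name)
    return summary["StreamDescriptionSummary"]["EncryptionType"]


def main(argv: list[str]) -> int:
    remediate = "--remediate" in argv
    regions = [a for a in argv if not a.startswith("--")] or ["us-east-1"]
    unencrypted = 0
    for region in regions:
        for finding in audit_region(region):
            print(f"{region}\t{finding['stream']}\t{finding['note']}")
            if not finding["encrypted"]:
                unencrypted += 1
                if remediate:
                    result = enable_sse(region, finding["stream"])
                    print(f"  -> SSE on {finding['stream']} now: {result}")
    # Non-zero exit when findings remain, so the script can gate a pipeline.
    return 1 if unencrypted and not remediate else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it read-only first; the non-zero exit code makes it usable as a pipeline gate. When remediating with a customer managed key, pass its ARN as key_id and confirm beforehand that every producer and consumer role has the kms:GenerateDataKey and kms:Decrypt permissions noted in the Security section, otherwise their PutRecord and GetRecords calls fail as soon as the stream is ACTIVE again.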

Publication date Jul 19, 2017