Kinesis Stream Encrypted With CMK

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Kinesis-002

Ensure that your Amazon Kinesis data streams are using KMS Customer Master Keys (CMKs) instead of AWS managed keys (default keys used by Amazon Kinesis when there are no customer master keys defined) in order to have a more granular control over the data stream encryption/decryption process. A Kinesis data stream is an ordered sequence of data records collected within a dedicated storage layer.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you define and use your own Amazon KMS Customer Master Keys (CMKs) to protect your Kinesis data streams, you gain full control over who can use these keys to access your Amazon Kinesis data. The Amazon KMS service allows you to create, rotate, disable, and audit the CMKs that protect your Amazon Kinesis data streams.


Audit

To determine the type of the KMS key used for Kinesis data stream encryption, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Kinesis console at https://console.aws.amazon.com/kinesis/.

03 In the main navigation panel, under Dashboard, choose Data streams.

04 Click on the name (link) of the Kinesis data stream that you want to examine.

05 Select the Configuration tab from the console bottom panel and check the Server-side encryption attribute status available in the Encryption section. If the attribute status is set to Disabled, Server-Side Encryption (SSE) is not enabled for the selected data stream, therefore you can follow the instructions available here to enable SSE. If Server-Side Encryption (SSE) is enabled, check the Customer master key (CMK) in KMS attribute value. If the Customer master key (CMK) in KMS value is set to alias/aws/kinesis, the data managed by the selected Amazon Kinesis data stream is encrypted using the default master key (AWS-managed key) instead of a KMS Customer Master Key (CMK).

06 Repeat steps no. 4 and 5 for each Amazon Kinesis data stream available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-streams command (OSX/Linux/UNIX) to list the name of each Kinesis data stream available in the selected AWS cloud region:

aws kinesis list-streams \
  --region us-east-1 \
  --query 'StreamNames'

02 The command output should return an array with the requested data stream names:

[
    "cc-client-data-stream",
    "iot-kinesis-stream"
]

03 Run describe-stream command (OSX/Linux/UNIX) using the name of the Kinesis data stream that you want to examine as the identifier parameter and custom query filters to describe the identifier (ID) of the encryption key configured for the selected data stream:

aws kinesis describe-stream \
  --region us-east-1 \
  --stream-name cc-client-data-stream \
  --query 'StreamDescription.KeyId'

04 The command output should return the ID of the master key used to encrypt the data stream:

"alias/aws/kinesis"

If the describe-stream command output returns null, Server-Side Encryption (SSE) is not enabled for the selected data stream, therefore you can follow the instructions available here to enable SSE. If the command output returns "alias/aws/kinesis", i.e. the ID of the default master key, the data managed by the selected Amazon Kinesis data stream is encrypted using the default master key (AWS-managed key) instead of a KMS Customer Master Key (CMK).

05 Repeat steps no. 3 and 4 for each Amazon Kinesis data stream available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
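The CLI Audit above, scripted end to end as an added example (it is not part of the original page or of Conformity's own tooling): for each region given on the command line it lists the data streams, queries each stream's KeyId, and classifies the value the way steps 04 and 05 describe. It assumes the AWS CLI is installed and configured with credentials allowed to call kinesis:ListStreams and kinesis:DescribeStream; the script name kinesis-002-audit.sh and the status labels are the example's own.

```shell
#!/bin/sh
# Added example: automates the Kinesis-002 CLI Audit for the regions passed as
# arguments. Assumes a configured AWS CLI; only the aws calls need network access.

# Classify the value of StreamDescription.KeyId as returned by
# `describe-stream --query StreamDescription.KeyId --output text`.
# Kinesis-002 flags the first two results; only a customer-managed key passes.
classify_key_id() {
  case "$1" in
    ""|null|None)        echo "SSE_DISABLED" ;;         # no server-side encryption
    alias/aws/kinesis)   echo "AWS_MANAGED_KEY" ;;      # default key used by Kinesis
    *:alias/aws/kinesis) echo "AWS_MANAGED_KEY" ;;      # same default key, alias ARN form
    *)                   echo "CUSTOMER_MANAGED_KEY" ;; # key ARN, key ID or custom alias
  esac
}

# Print "<region> <stream> <status>" for every data stream in one region
# (steps 01 to 05 of the CLI Audit).
audit_region() {
  region="$1"
  aws kinesis list-streams --region "$region" \
      --query 'StreamNames' --output text | tr '\t' '\n' |
  while IFS= read -r stream; do
    [ -n "$stream" ] || continue
    key_id=$(aws kinesis describe-stream --region "$region" \
        --stream-name "$stream" --query 'StreamDescription.KeyId' --output text)
    echo "$region $stream $(classify_key_id "$key_id")"
  done
}

# Count the report lines (read from stdin) that fail the rule.
count_findings() {
  grep -c -E ' (SSE_DISABLED|AWS_MANAGED_KEY)$' || true
}

# Step 06: repeat for every region passed as an argument, e.g.
#   sh kinesis-002-audit.sh us-east-1 eu-west-1
# Exit status is non-zero when any stream fails, so the script can gate a pipeline.
if [ "$#" -gt 0 ]; then
  report=$(for r in "$@"; do audit_region "$r"; done)
  printf '%s\n' "$report"
  findings=$(printf '%s\n' "$report" | count_findings)
  echo "Kinesis-002 findings: $findings"
  [ "$findings" -eq 0 ]
fi
```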

Remediation / Resolution

To use your own Amazon KMS Customer Master Keys (CMKs) to encrypt Amazon Kinesis data stream, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable Encryption at Rest using Customer-Managed Customer Master Keys (CMKs)",
  "Resources": {
      "KinesisDataStream": {
          "Type" : "AWS::Kinesis::Stream",
          "Properties" : {
              "Name" : "cc-client-data-stream",
              "RetentionPeriodHours" : 48,
              "ShardCount" : 2,
              "StreamEncryption" : {
                  "EncryptionType" : "KMS",
                  "KeyId" : "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
              },
              "Tags" : [{
                  "Key" : "Environment",
                  "Value" : "Production"
              }]
          }
      }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Encryption at Rest using Customer-Managed Customer Master Keys
  (CMKs)
Resources:
  KinesisDataStream:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: cc-client-data-stream
      RetentionPeriodHours: 48
      ShardCount: 2
      StreamEncryption:
        EncryptionType: KMS
        KeyId: arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
      Tags:
        - Key: Environment
          Value: Production

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_kinesis_stream" "kinesis-data-stream" {
  name             = "cc-client-data-stream"
  shard_count      = 2
  retention_period = 48

  # Enable Encryption at Rest using Customer-Managed Customer Master Keys (CMKs)
  encryption_type = "KMS"
  kms_key_id      = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

  stream_mode_details {
    stream_mode = "PROVISIONED"
  }

  tags = {
    Environment = "Production"
  }
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the main navigation panel, under Key Management Service (KMS), select Customer managed keys.

04 Choose the Create Key button from the console top menu to initiate the CMK setup process.

05 For Step 1 Configure key, perform the following actions:

  1. Choose Symmetric from the Key type section. A symmetric key is a single encryption key that can be used for both encrypt and decrypt operations.
  2. Under Advanced options, for Key material origin, select KMS as the source of the key material within the CMK.
  3. Under Advanced options, for Regionality, select whether to allow the new key to be replicated into other AWS regions.
  4. Choose Next to continue.

06 For Step 2 Add labels, type a unique name (alias) for your new master key in the Alias box and provide a short description for the key in the Description – optional box. (Optional) Use the Add tag button to create tags in order to categorize and identify your CMK. Choose Next to continue the setup process.

07 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK from the Key administrators section. You may need to add additional permissions for the users or roles to administer the key from the AWS console. For Key deletion, select Allow key administrators to delete this key. Choose Next to continue.

08 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new Customer Master Key for cryptographic operations. (Optional) In the Other AWS accounts section, choose Add another AWS account and enter an external AWS account ID in order to specify the external AWS account that can use the new key to encrypt and decrypt your Kinesis data streams. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Choose Next to continue.

09 For Step 5 Review, review the policy available in the Key policy section, then choose Finish to create your new Customer Master Key (CMK). Once the key is successfully created, the Amazon KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".

10 Navigate to Amazon Kinesis console at https://console.aws.amazon.com/kinesis/.

11 In the main navigation panel, under Dashboard, choose Data streams.

12 Click on the name (link) of the Kinesis data stream that you want to reconfigure.

13 Select the Configuration tab from the console bottom panel and choose Edit from the Encryption section to modify the encryption configuration settings available for the selected data stream.

14 On the Edit encryption for <data-stream-name> page, ensure that Enable server-side encryption checkbox is selected, choose Use customer-managed CMK, and select the newly created Amazon KMS Customer Master Key (CMK) from the Choose customer-managed CMK dropdown list. Choose Save changes to apply the configuration changes.

15 Repeat steps no. 12 – 14 to enable Server-Side Encryption with customer-managed Customer Master Keys for other Amazon Kinesis data streams available within the current AWS region.

16 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Define the policy that enables the selected IAM users and/or roles to manage your new Customer Master Key (CMK), and to encrypt/decrypt your Kinesis data streams using the KMS API. Create a new policy document (JSON format), name the file kinesis-stream-cmk-policy.json, and paste the following content (replace the placeholder values in angle brackets, i.e. the AWS account ID and the ARNs for the IAM users and/or roles, with your own details):

{
  "Id": "protected-cmk-policy",
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::<aws-account-id>:root"
          },
          "Action": "kms:*",
          "Resource": "*"
      },
      {
          "Sid": "Allow access for Key Administrators",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
          },
          "Action": [
              "kms:Create*",
              "kms:Describe*",
              "kms:Enable*",
              "kms:List*",
              "kms:Put*",
              "kms:Update*",
              "kms:Revoke*",
              "kms:Disable*",
              "kms:Get*",
              "kms:Delete*",
              "kms:TagResource",
              "kms:UntagResource",
              "kms:ScheduleKeyDeletion",
              "kms:CancelKeyDeletion"
          ],
          "Resource": "*"
      },
      {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
          },
          "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey*",
              "kms:DescribeKey"
          ],
          "Resource": "*"
      },
      {
          "Sid": "Allow attachment of persistent resources",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
          },
          "Action": [
              "kms:CreateGrant",
              "kms:ListGrants",
              "kms:RevokeGrant"
          ],
          "Resource": "*",
          "Condition": {
              "Bool": {
                  "kms:GrantIsForAWSResource": "true"
              }
          }
      }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. kinesis-stream-cmk-policy.json) as value for the --policy parameter, to create your new, customer-managed Customer Master Key (CMK):

aws kms create-key \
  --region us-east-1 \
  --description 'Customer Master Key for Kinesis Data Stream Encryption' \
  --policy file://kinesis-stream-cmk-policy.json \
  --query 'KeyMetadata.Arn'

03 The command output should return the ARN of the new Customer Master Key (CMK):

"arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):

aws kms create-alias \
  --region us-east-1 \
  --alias-name alias/KinesisStreamCMK \
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234

05 Run start-stream-encryption command (OSX/Linux/UNIX) using the name of the Amazon Kinesis data stream that you want to reconfigure as the identifier parameter, to enable Server-Side Encryption (SSE) for the selected data stream using the customer-managed Customer Master Key (CMK) created in the previous steps (the command does not produce an output). The following command example enables Server-Side Encryption for a Kinesis data stream named "cc-client-data-stream" using a customer-provided CMK identified by the ARN "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234":

aws kinesis start-stream-encryption \
  --region us-east-1 \
  --stream-name cc-client-data-stream \
  --encryption-type KMS \
  --key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234

06 Repeat step no. 5 to enable Server-Side Encryption with customer-managed Customer Master Keys for other Amazon Kinesis data streams available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Jul 19, 2017