Kinesis Streams Should Be Encrypted at Rest

Overview

This check verifies that your Amazon Kinesis Data Streams have server-side encryption enabled using AWS KMS keys. Encryption at rest protects data stored within stream shards from unauthorized access.

Risk

Without encryption at rest, data stored in Kinesis streams could be exposed if:

  • Storage systems or backups are compromised
  • Unauthorized users gain access to underlying infrastructure
  • Data exports or snapshots fall into the wrong hands

Enabling KMS encryption also provides audit trails through AWS CloudTrail, helping you track who accessed encryption keys and when.

Remediation Steps

Prerequisites

You need permission to modify Kinesis streams and use KMS keys. Specifically, you need:

  • kinesis:StartStreamEncryption permission
  • Access to a KMS key (the AWS-managed aws/kinesis key works for most cases)

AWS Console Method

  1. Open the Amazon Kinesis console at https://console.aws.amazon.com/kinesis
  2. In the left navigation, click Data streams
  3. Select the stream you want to encrypt
  4. On the Configuration tab, find the Server-side encryption section
  5. Click Edit
  6. Toggle Enable server-side encryption to On
  7. For Encryption type, keep Use AWS managed key selected (this uses the aws/kinesis key)
  8. Click Save changes

The stream status will briefly show Updating, then return to Active once encryption is enabled.

AWS CLI (optional)

Enable encryption on an existing stream:

aws kinesis start-stream-encryption \
--stream-name <your-stream-name> \
--encryption-type KMS \
--key-id alias/aws/kinesis \
--region us-east-1

To use a customer-managed KMS key instead:

aws kinesis start-stream-encryption \
--stream-name <your-stream-name> \
--encryption-type KMS \
--key-id <your-kms-key-id-or-alias> \
--region us-east-1

Check the encryption status:

aws kinesis describe-stream \
--stream-name <your-stream-name> \
--region us-east-1 \
--query 'StreamDescription.{Name:StreamName,Encryption:EncryptionType,KeyId:KeyId}'

CloudFormation (optional)

Use this template to create a new encrypted Kinesis stream:

AWSTemplateFormatVersion: '2010-09-09'
Description: Kinesis stream with server-side encryption enabled

Parameters:
  StreamName:
    Type: String
    Description: Name of the Kinesis stream
    Default: my-encrypted-stream

  ShardCount:
    Type: Number
    Description: Number of shards for the stream
    Default: 1
    MinValue: 1

Resources:
  EncryptedKinesisStream:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: !Ref StreamName
      ShardCount: !Ref ShardCount
      StreamEncryption:
        EncryptionType: KMS
        KeyId: alias/aws/kinesis

Outputs:
  StreamArn:
    Description: ARN of the encrypted Kinesis stream
    Value: !GetAtt EncryptedKinesisStream.Arn

To use a customer-managed KMS key, replace alias/aws/kinesis with your key ARN or alias.

Terraform (optional)

Create a new stream encrypted with the AWS-managed key:

resource "aws_kinesis_stream" "encrypted_stream" {
  name            = "my-encrypted-stream"
  shard_count     = 1
  encryption_type = "KMS"
  kms_key_id      = "alias/aws/kinesis"

  tags = {
    Environment = "production"
  }
}

To use a customer-managed KMS key:

resource "aws_kms_key" "kinesis_key" {
  description             = "KMS key for Kinesis stream encryption"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

resource "aws_kms_alias" "kinesis_key_alias" {
  name          = "alias/kinesis-stream-key"
  target_key_id = aws_kms_key.kinesis_key.key_id
}

resource "aws_kinesis_stream" "encrypted_stream" {
  name            = "my-encrypted-stream"
  shard_count     = 1
  encryption_type = "KMS"
  kms_key_id      = aws_kms_key.kinesis_key.id

  tags = {
    Environment = "production"
  }
}

Verification

After enabling encryption, verify it worked:

  1. Go to the Amazon Kinesis console
  2. Select your stream
  3. On the Configuration tab, confirm Server-side encryption shows Enabled
  4. The AWS KMS key field should display the key being used

CLI verification

aws kinesis describe-stream \
--stream-name <your-stream-name> \
--region us-east-1 \
--query 'StreamDescription.EncryptionType'

The output should be "KMS" (not "NONE").
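To run the same verification across every stream in an account rather than one at a time, the following script applies the check to describe-stream output. It is an added example, not part of this page or of any AWS tooling; the sample descriptions are constructed, and the live fetch assumes boto3 is installed and credentials are configured.

```python
import json
from dataclasses import dataclass

# Constructed sample of `aws kinesis describe-stream` output for three streams,
# trimmed to the fields this check needs. Not captured from a real account.
SAMPLE_STREAMS = {
    "orders": {"StreamDescription": {"StreamName": "orders", "StreamStatus": "ACTIVE",
               "EncryptionType": "KMS", "KeyId": "alias/aws/kinesis"}},
    "clickstream": {"StreamDescription": {"StreamName": "clickstream",
                    "StreamStatus": "ACTIVE", "EncryptionType": "NONE"}},
    "audit-log": {"StreamDescription": {"StreamName": "audit-log", "StreamStatus": "UPDATING",
                  "EncryptionType": "KMS",
                  "KeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
}

@dataclass
class Finding:
    stream: str
    status: str   # "PASS" or "FAIL"
    detail: str

def evaluate_stream(description: dict) -> Finding:
    """Apply the check: server-side encryption must be KMS with a key attached."""
    sd = description["StreamDescription"]
    name = sd["StreamName"]
    if sd.get("EncryptionType", "NONE") != "KMS":
        return Finding(name, "FAIL", "no server-side encryption (EncryptionType=NONE)")
    key = sd.get("KeyId", "")
    if not key:
        return Finding(name, "FAIL", "EncryptionType=KMS but no KeyId reported")
    # The AWS-managed key shows up as the alias/aws/kinesis alias; anything else is customer-managed.
    managed = "AWS-managed key" if key.endswith("alias/aws/kinesis") else "customer-managed key"
    # A stream still UPDATING has just had encryption toggled; confirm again once ACTIVE.
    note = "; still UPDATING, recheck once ACTIVE" if sd.get("StreamStatus") == "UPDATING" else ""
    return Finding(name, "PASS", f"encrypted with {managed} ({key}){note}")

def audit(streams: dict) -> list:
    """Evaluate a {name: describe-stream output} mapping and return one Finding per stream."""
    return [evaluate_stream(d) for d in streams.values()]

def fetch_descriptions(region: str) -> dict:
    """Live variant (assumed boto3 install; first page of list-streams only)."""
    import boto3
    client = boto3.client("kinesis", region_name=region)
    return {n: client.describe_stream(StreamName=n) for n in client.list_streams()["StreamNames"]}

if __name__ == "__main__":
    for f in audit(SAMPLE_STREAMS):
        print(f"{f.status:4} {f.stream}: {f.detail}")
```

Replace SAMPLE_STREAMS with fetch_descriptions("us-east-1") to audit a real region; each FAIL line is a stream the remediation steps above still need to be applied to.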

Additional Resources

Notes

  • Encryption is one-way: Once enabled, you cannot disable encryption on a Kinesis stream. You can only change the KMS key used.
  • Brief update period: Enabling encryption takes a few seconds. The stream remains usable during this time, but records written in the first few seconds may not be encrypted.
  • Cost considerations: Using the AWS-managed aws/kinesis key is free. Customer-managed keys incur standard KMS charges.
  • Key permissions: Producers and consumers need kms:GenerateDataKey and kms:Decrypt permissions on the KMS key to write and read records.