Ensure that your Amazon Kinesis data streams are encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed keys (the default keys Amazon Kinesis uses when no customer master key is defined), in order to have more granular control over the data stream encryption/decryption process. A Kinesis data stream is an ordered sequence of data records collected within a dedicated storage layer.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you define and use your own Amazon KMS Customer Master Keys (CMKs) to protect your Kinesis data streams, you gain full control over who can use these keys to access your Amazon Kinesis data. The Amazon KMS service allows you to create, rotate, disable, and audit the CMKs that protect your Kinesis data streams.
Audit
To determine the type of the KMS key used for Kinesis data stream encryption, perform the following actions:
Remediation / Resolution
To use your own Amazon KMS Customer Master Keys (CMKs) to encrypt your Amazon Kinesis data streams, perform the following actions:
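The check behind the Audit section above, and the command the Remediation section leads to, can both be expressed in a few lines. The following is an added example (not Conformity's or AWS's code): it classifies each stream from the JSON that `aws kinesis describe-stream` (`StreamDescription.EncryptionType`, `StreamDescription.KeyId`) and `aws kms describe-key` (`KeyMetadata.KeyManager`) return, and builds the `start-stream-encryption` call for streams that fail. The stream names, account id, key id and CMK alias in it are constructed samples so the logic runs offline; in practice you would feed it the output of the referenced CLI commands.

```python
"""Audit Kinesis data streams for CMK-based encryption and build the fix.

Added example, not Conformity's or AWS's code. It runs offline on the JSON
shapes that `aws kinesis describe-stream` (StreamDescription.EncryptionType,
StreamDescription.KeyId) and `aws kms describe-key` (KeyMetadata.KeyManager)
return; the stream names, account id and key id below are constructed.
"""
import shlex
from typing import Dict, List, Optional

# Alias of the AWS managed key that Kinesis uses when no CMK is specified.
AWS_MANAGED_ALIAS = "alias/aws/kinesis"

# Constructed describe-stream output (StreamDescription objects), keyed by stream name.
SAMPLE_STREAMS: Dict[str, dict] = {
    "orders": {"StreamName": "orders", "EncryptionType": "KMS",
               "KeyId": "alias/aws/kinesis"},
    "payments": {"StreamName": "payments", "EncryptionType": "KMS",
                 "KeyId": "arn:aws:kms:us-east-1:111122223333:key/"
                          "1234abcd-12ab-34cd-56ef-1234567890ab"},
    "clickstream": {"StreamName": "clickstream", "EncryptionType": "NONE"},
}

# Constructed describe-key output (KeyMetadata objects), keyed by the KeyId
# string the stream references. KeyManager is "AWS" or "CUSTOMER".
SAMPLE_KEYS: Dict[str, dict] = {
    "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab": {
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "KeyManager": "CUSTOMER",
        "KeyState": "Enabled",
    },
}


def key_type(stream: dict, key_meta: Optional[dict]) -> str:
    """Classify one stream as NONE, AWS_MANAGED or CUSTOMER_MANAGED."""
    if stream.get("EncryptionType", "NONE") != "KMS":
        return "NONE"  # server-side encryption is off entirely
    key_id = stream.get("KeyId", "")
    # The AWS managed key is recognisable from its alias alone (plain or ARN form).
    if key_id == AWS_MANAGED_ALIAS or key_id.endswith(":" + AWS_MANAGED_ALIAS):
        return "AWS_MANAGED"
    # Any other reference (key id, key ARN, custom alias) needs describe-key to
    # confirm who manages the key; a missing answer is a failed check, not a pass.
    if key_meta is None:
        raise ValueError(f"describe-key output required for KeyId {key_id!r}")
    return "CUSTOMER_MANAGED" if key_meta.get("KeyManager") == "CUSTOMER" else "AWS_MANAGED"


def audit(streams: Dict[str, dict], keys: Dict[str, dict]) -> Dict[str, str]:
    """Return {stream_name: key_type} for every stream."""
    return {name: key_type(desc, keys.get(desc.get("KeyId", "")))
            for name, desc in streams.items()}


def non_compliant(streams: Dict[str, dict], keys: Dict[str, dict]) -> List[str]:
    """Names of streams that are unencrypted or rely on the AWS managed key."""
    return sorted(n for n, t in audit(streams, keys).items() if t != "CUSTOMER_MANAGED")


def remediation_command(stream_name: str, cmk: str) -> str:
    """Build the start-stream-encryption call that moves a stream onto a CMK.

    `cmk` is the customer master key's id, ARN or alias. Records already in
    the stream are not re-encrypted; the new key applies to records written
    after the call, so the audit should be re-run afterwards rather than
    assumed to pass.
    """
    return ("aws kinesis start-stream-encryption "
            f"--stream-name {shlex.quote(stream_name)} "
            f"--encryption-type KMS --key-id {shlex.quote(cmk)}")


if __name__ == "__main__":
    for name, kind in audit(SAMPLE_STREAMS, SAMPLE_KEYS).items():
        print(f"{name:12} {kind}")
    for name in non_compliant(SAMPLE_STREAMS, SAMPLE_KEYS):
        # "alias/my-kinesis-cmk" is a placeholder for your own CMK alias.
        print(remediation_command(name, "alias/my-kinesis-cmk"))
```

On the constructed input, `orders` (AWS managed alias) and `clickstream` (no encryption) are reported as non-compliant and `payments` passes because `describe-key` reports `KeyManager` as `CUSTOMER`. Deciding on `KeyManager` rather than on the shape of the `KeyId` string is deliberate: a key ARN or bare key id does not reveal who manages the key.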
References
- AWS Documentation
  - Amazon Kinesis Documentation
  - What Is Server-Side Encryption for Kinesis Data Streams?
  - How Do I Get Started with Server-Side Encryption?
  - Creating and Using User-Generated KMS Master Keys
  - AWS KMS concepts
- AWS Command Line Interface (CLI) Documentation
  - kinesis
    - list-streams
    - describe-stream
    - start-stream-encryption
  - kms
    - describe-key
    - create-key
    - create-alias
- CloudFormation Documentation
  - AWS::Kinesis::Stream
- Terraform Documentation
  - AWS Provider
Rule: Kinesis Stream Encrypted With CMK
Risk Level: High