AWS Kinesis Streams Encrypted With KMS Customer Master Keys

Security

Risk level: High (not acceptable risk)

Ensure that your Amazon Kinesis streams are encrypted with KMS customer-managed keys (CMKs) rather than the AWS-managed key (the default aws/kinesis key that Amazon creates for the Kinesis service) so that you keep granular control over how your stream data is encrypted and decrypted. Kinesis is an AWS streaming data service that lets you build and manage your own streaming data applications for specialized needs. An Amazon Kinesis stream is an ordered sequence of data records held in a dedicated storage layer.

When you use your own KMS customer-managed CMK to encrypt your Amazon Kinesis stream data, you decide, through the key policy, who can use the key and therefore who can read or write that data. The AWS KMS service lets you create, rotate, disable, enable, and audit the Customer Master Keys (CMKs) applied to your Kinesis streams. With the AWS-managed key, by contrast, the key policy is set by AWS and cannot be changed.

Audit

To determine if KMS CMK customer-managed keys are used to encrypt your AWS Kinesis streams data as opposed to default keys, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Kinesis dashboard at https://console.aws.amazon.com/kinesis/.

03 In the navigation panel, under Amazon Kinesis, choose Streams.

04 Select the Kinesis stream that you want to examine, click the Actions dropdown button and select Details to access the stream configuration details.

05 Make sure that the Server-side encryption feature status is set to Enabled (otherwise see this rule to enable encryption), then check the encryption key name set for the KMS master key configuration attribute. If the encryption key name (alias) is "(Default) aws/kinesis", the data managed by the selected AWS Kinesis stream is encrypted using the default master key (AWS-managed key) instead of a KMS CMK customer-managed key.

06 Repeat steps no. 4 and 5 to check the encryption key type for the other Kinesis streams available within the current AWS region.

07 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run list-streams command (OSX/Linux/UNIX) to list the names of all Kinesis streams available within the selected AWS region:

aws kinesis list-streams \
	--region us-east-1 \
	--query 'StreamNames'

02 The command output should return the requested Kinesis stream names:

[
    "iot-kinesis-stream",
    "customer-data-stream"
]

03 Run describe-stream command (OSX/Linux/UNIX) using the stream name returned at the previous step as identifier and custom query filters to expose the ID of the KMS encryption key used to encrypt the data within the selected Kinesis stream:

aws kinesis describe-stream \
	--region us-east-1 \
	--stream-name iot-kinesis-stream \
	--query 'StreamDescription.KeyId'

04 The command output should return the requested key ID:

"ca66e79f-3197-4f6f-a92c-c8af25c44378"

05 Run list-aliases command (OSX/Linux/UNIX) to list the aliases for the KMS keys available within your AWS account:

aws kms list-aliases \
	--region us-east-1

06 The command output should return the requested key aliases (names) and their metadata:

{
  "Aliases": [
    {
        "AliasArn": "arn:aws:kms:us-east-1:123456789012:alias/aws/ebs",
        "AliasName": "alias/aws/ebs",
        "TargetKeyId": "4243fccd-25df-4545-bc32-765cabd54645"
    },
    {
        "AliasArn": "arn:aws:kms:us-east-1:123456789012:alias/aws/kinesis",
        "AliasName": "alias/aws/kinesis",
        "TargetKeyId": "ca66e79f-3197-4f6f-a92c-c8af25c44378"
    },
    {
        "AliasArn": "arn:aws:kms:us-east-1:123456789012:alias/aws/lambda",
        "AliasName": "alias/aws/lambda",
        "TargetKeyId": "5443f870-149d-44fa-b788-aca36c273432"
    },
    {
        "AliasArn": "arn:aws:kms:us-east-1:123456789012:alias/aws/rds",
        "AliasName": "alias/aws/rds",
        "TargetKeyId": "3f450295-49d8-4491-8162-03150b9dc681"
    }
  ]
}

07 Find the alias whose TargetKeyId value matches the key ID returned at step no. 4. If the AliasName of that alias is "alias/aws/kinesis", the selected AWS Kinesis stream data is encrypted using the default master key (AWS-managed key) instead of a KMS CMK customer-managed key. A key ID that matches no alias at all is usually a customer-managed CMK that was never given an alias; to confirm, run describe-key on the key ID and check the KeyManager attribute, which is "AWS" for AWS-managed keys and "CUSTOMER" for customer-managed ones.

08 Repeat steps no. 3 – 7 to check the encryption key type for other Kinesis streams available within the current AWS region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 8 to perform the entire process for other regions.
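The CLI audit above is a per-stream, per-region manual procedure. The script below is an added example (not part of the original Cloud Conformity page) that automates it: the pure functions classify each stream from the JSON that `aws kinesis describe-stream` and `aws kms list-aliases` return, so the logic can be exercised offline on constructed samples, and `live_audit()` runs the same steps against a real region through the AWS CLI. The stream names and key IDs in the samples are the ones shown on this page; "legacy-stream", the alias "alias/KinesisCustomerManagedKey" and the file name are assumptions. It also handles the key-reference forms the page does not show (key ARN, alias name, alias ARN).

```python
"""Added example: classify Kinesis streams by the type of KMS key that encrypts them."""
import json
import subprocess
import sys

# Constructed sample outputs (trimmed to the fields the check needs). The key IDs
# mirror the ones on this page; "legacy-stream" is added to show the unencrypted case.
SAMPLE_ALIASES = {"Aliases": [
    {"AliasName": "alias/aws/ebs", "TargetKeyId": "4243fccd-25df-4545-bc32-765cabd54645"},
    {"AliasName": "alias/aws/kinesis", "TargetKeyId": "ca66e79f-3197-4f6f-a92c-c8af25c44378"},
    {"AliasName": "alias/aws/lambda", "TargetKeyId": "5443f870-149d-44fa-b788-aca36c273432"},
    {"AliasName": "alias/KinesisCustomerManagedKey",
     "TargetKeyId": "ca5x029b-e12c-7dad-1e23-e8040c125by8"},
    {"AliasName": "alias/unbound"},  # an alias with no key has no TargetKeyId
]}
SAMPLE_STREAMS = {
    "iot-kinesis-stream": {"StreamDescription": {
        "EncryptionType": "KMS", "KeyId": "ca66e79f-3197-4f6f-a92c-c8af25c44378"}},
    "customer-data-stream": {"StreamDescription": {
        "EncryptionType": "KMS",
        "KeyId": "arn:aws:kms:us-east-1:123456789012:key/ca5x029b-e12c-7dad-1e23-e8040c125by8"}},
    "legacy-stream": {"StreamDescription": {"EncryptionType": "NONE"}},
}


def aws_managed_key_ids(aliases):
    """Key IDs behind AWS-managed aliases; those always use the reserved alias/aws/ prefix."""
    return {a["TargetKeyId"] for a in aliases["Aliases"]
            if a["AliasName"].startswith("alias/aws/") and "TargetKeyId" in a}


def classify(stream_desc, aws_managed):
    """Return UNENCRYPTED, AWS_MANAGED or CUSTOMER_MANAGED for one describe-stream document.

    KeyId may be a bare key ID (as on this page), a key ARN, an alias name or an alias ARN,
    so it is first reduced to either "key/<id>" or "alias/<name>".
    """
    d = stream_desc["StreamDescription"]
    if d.get("EncryptionType", "NONE") != "KMS":
        return "UNENCRYPTED"
    key = d["KeyId"]
    tail = key.split(":", 5)[-1] if key.startswith("arn:") else key
    if tail.startswith("alias/"):
        return "AWS_MANAGED" if tail.startswith("alias/aws/") else "CUSTOMER_MANAGED"
    bare = tail[len("key/"):] if tail.startswith("key/") else tail
    return "AWS_MANAGED" if bare in aws_managed else "CUSTOMER_MANAGED"


def audit(streams, aliases):
    """Map every stream name to its classification; anything but CUSTOMER_MANAGED is a finding."""
    managed = aws_managed_key_ids(aliases)
    return {name: classify(desc, managed) for name, desc in streams.items()}


def live_audit(region):
    """Run the page's CLI steps for one region (needs the aws CLI and credentials; not run offline).

    Assumes the CLI's automatic pagination returns every stream and alias in the region.
    """
    def cli(*args):
        out = subprocess.check_output(["aws", "--region", region, "--output", "json", *args])
        return json.loads(out)
    names = cli("kinesis", "list-streams")["StreamNames"]
    streams = {n: cli("kinesis", "describe-stream", "--stream-name", n) for n in names}
    return audit(streams, cli("kms", "list-aliases"))


if __name__ == "__main__":
    # python3 kinesis_kms_audit.py            -> evaluate the constructed samples
    # python3 kinesis_kms_audit.py us-east-1  -> evaluate a real region
    result = live_audit(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_STREAMS, SAMPLE_ALIASES)
    for name, status in sorted(result.items()):
        print(f"{status:16} {name}")
    sys.exit(1 if any(s != "CUSTOMER_MANAGED" for s in result.values()) else 0)
```

Run it once per region (step 09 above) and treat a non-zero exit as a finding. The alias lookup is the same test the manual procedure performs; if you want the authoritative answer for a key with no alias, describe-key's KeyManager attribute gives it directly.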

Remediation / Resolution

To use your own AWS KMS CMK customer-managed keys to encrypt Amazon Kinesis streams data, perform the following. Before switching a stream to a customer-managed key, make sure the key policy allows the stream's producers kms:GenerateDataKey and its consumers kms:Decrypt on that key; otherwise writes and reads fail once the stream uses it.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu (must match the region where your Kinesis stream is provisioned).

05 Click Create Key button from the dashboard top menu.

06 In the Alias (required) and Description fields, enter a unique name (alias) and a description for the new CMK, then click the Next Step button.

07 Under Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click Next Step.

08 Under This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt Kinesis data with the AWS KMS API.

09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt the Amazon Kinesis streaming data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users.

10 Click Next Step to continue.

11 Under Preview Key Policy section, review the key policy generated by AWS then click Finish to create your new CMK. Once the key is created, the KMS dashboard will display a confirmation message: “Your master key was created successfully. Alias: <the CMK display name>”.

12 Once the necessary KMS CMK customer-managed key has been provisioned, navigate to Kinesis dashboard at https://console.aws.amazon.com/kinesis/.

13 In the navigation panel, under Amazon Kinesis, choose Streams.

14 Select the Kinesis stream that you want to reconfigure (see Audit section part I to identify the right resource), click the Actions dropdown button and select Details to open its configuration page.

15 Select the Details tab from the top panel, locate the Server-side encryption section and click the Edit button next to it:

16 Choose the name of the newly created KMS CMK customer-managed key from the KMS master key dropdown list to apply your custom CMK key.

17 Click Save to apply the configuration changes. Once the request is made, a pop-up message is displayed: "Enabling server-side encryption. This will take up to 20 seconds.". The selected stream transitions through a "pending" state. Once the stream returns to the "active" state with Server-Side Encryption enabled, all incoming data written to the stream is encrypted using the KMS CMK customer-managed key that you selected; records already in the stream keep the encryption they were written with.

18 Repeat steps no. 14 – 17 to encrypt the data for other Amazon Kinesis streams available in the current AWS region, using your own KMS CMK customer-managed key.

19 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Before creating your KMS CMK, define a key policy that allows the selected IAM users and/or roles to administer the new customer-managed key and to use it to encrypt/decrypt Kinesis streaming data through the AWS KMS API. The first statement grants the account root principal kms:*; this is what allows IAM policies in the account to grant access to the key, and without it (or a key administrator statement) the key becomes unmanageable. Create a new policy document called kinesis-stream-kms-cmk-policy.json and paste the following content, replacing the example account ID and the IAM user and role ARNs with your own:

{
  "Version": "2012-10-17",
  "Id": "kinesis-stream-custom-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK key manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AmazonKinesisManager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/KinesisAdministrator"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/KinesisAdministrator"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. kinesis-stream-kms-cmk-policy.json) as required command parameter to create the new KMS CMK customer-managed key:

aws kms create-key \
	--region us-east-1 \
	--description 'KMS CMK key for encrypting Amazon Kinesis streams data' \
	--policy file://kinesis-stream-kms-cmk-policy.json

03 The command output should return the new KMS CMK metadata. Copy the CMK unique ID (the KeyId value), as it is required later when you specify the key used for encryption:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "ca5x029b-e12c-7dad-1e23-e8040c125by8",
        "Description": "KMS CMK key for encrypting Amazon Kinesis streams data",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1500397453.314,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/ca5x029b-e12c-7dad-1e23-e8040c125by8",
        "AWSAccountId": "123456789012"
    }
}

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias (identifier/name) to the new CMK. The alias must start with the prefix "alias/" (the command does not produce an output):

aws kms create-alias \
	--region us-east-1 \
	--alias-name alias/KinesisCustomerManagedKey \
	--target-key-id arn:aws:kms:us-east-1:123456789012:key/ca5x029b-e12c-7dad-1e23-e8040c125by8

05 Run start-stream-encryption command (OSX/Linux/UNIX) using the name of the stream that you want to reconfigure (see Audit section part II to identify the right Kinesis resource) and the KMS key ID returned at step no. 3 to apply the newly created Amazon KMS CMK key to the selected stream configuration (the command does not produce an output). The --key-id parameter also accepts the key ARN or the alias name created at the previous step:

aws kinesis start-stream-encryption \
	--region us-east-1 \
	--stream-name iot-kinesis-stream \
	--encryption-type KMS \
	--key-id ca5x029b-e12c-7dad-1e23-e8040c125by8

06 Repeat step no. 5 to encrypt the data for other Amazon Kinesis streams available in the current AWS region, using your new KMS CMK customer-managed key.

07 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
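The key policy in step 01 is the part of this remediation that decides who can actually reach the stream data, so it deserves a check before create-key is run. The script below is an added example (not code from the original page) that builds a policy in the same shape as the one above and lints it for the mistakes a reviewer would flag: a non-root principal granted kms:*, a wildcard principal, a missing root statement, or a producer/consumer left without the one KMS permission Kinesis needs from it. The producer and consumer statements, the kms:ViaService condition (which confines use of the key to calls made through Kinesis in the given region), and the role names IotProducer and AnalyticsConsumer are assumptions added here; the admin role and account ID are the page's placeholders.

```python
"""Added example: build and lint the key policy for a Kinesis CMK, then print it as JSON."""
import fnmatch
import json
import sys


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def _principals(statement):
    p = statement.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS"))


def build_key_policy(account_id, region, admin_arns, producer_arns, consumer_arns):
    """Key policy: root statement (so IAM policies can grant use), key administrators, and
    the two permissions Kinesis actually needs: producers call GenerateDataKey, consumers
    call Decrypt. kms:ViaService limits both grants to calls made through Kinesis."""
    root = f"arn:aws:iam::{account_id}:root"
    via_kinesis = {"StringEquals": {"kms:ViaService": f"kinesis.{region}.amazonaws.com"}}
    return {
        "Version": "2012-10-17",
        "Id": "kinesis-stream-custom-key-policy",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": root}, "Action": "kms:*", "Resource": "*"},
            {"Sid": "Grant access to CMK key manager", "Effect": "Allow",
             "Principal": {"AWS": admin_arns},
             "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
             "Resource": "*"},
            {"Sid": "Kinesis producers", "Effect": "Allow", "Principal": {"AWS": producer_arns},
             "Action": ["kms:GenerateDataKey", "kms:DescribeKey"], "Resource": "*",
             "Condition": via_kinesis},
            {"Sid": "Kinesis consumers", "Effect": "Allow", "Principal": {"AWS": consumer_arns},
             "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
             "Condition": via_kinesis},
        ],
    }


def allows(policy, principal_arn, action):
    """True if an Allow statement names principal_arn and an action pattern (e.g. kms:Get*)
    matching `action`. Conditions are ignored, so this is an upper bound on what is granted."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or principal_arn not in _principals(st):
            continue
        if any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(st.get("Action"))):
            return True
    return False


def lint_key_policy(policy, account_id, producer_arns, consumer_arns):
    """Findings to resolve before create-key: over-broad grants and missing Kinesis permissions
    (a producer without GenerateDataKey cannot PutRecord once the stream uses this key; a
    consumer without Decrypt cannot GetRecords)."""
    root = f"arn:aws:iam::{account_id}:root"
    findings = []
    if not allows(policy, root, "kms:*"):
        findings.append("no root statement: IAM policies in the account cannot grant use of this key")
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for p in _principals(st):
            if p == "*":
                findings.append(f"{st.get('Sid')}: wildcard principal")
            elif p != root and "kms:*" in _as_list(st.get("Action")):
                findings.append(f"{st.get('Sid')}: {p} is granted kms:*")
    for arn in producer_arns:
        if not allows(policy, arn, "kms:GenerateDataKey"):
            findings.append(f"producer {arn} lacks kms:GenerateDataKey")
    for arn in consumer_arns:
        if not allows(policy, arn, "kms:Decrypt"):
            findings.append(f"consumer {arn} lacks kms:Decrypt")
    return findings


# Placeholder principals for the demo policy (assumptions, apart from the admin role and
# account ID, which are the page's own placeholders).
ACCOUNT, REGION = "123456789012", "us-east-1"
ADMINS = ["arn:aws:iam::123456789012:role/AmazonKinesisManager"]
PRODUCERS = ["arn:aws:iam::123456789012:role/IotProducer"]
CONSUMERS = ["arn:aws:iam::123456789012:role/AnalyticsConsumer"]

if __name__ == "__main__":
    # python3 kinesis_key_policy.py > kinesis-stream-kms-cmk-policy.json
    policy = build_key_policy(ACCOUNT, REGION, ADMINS, PRODUCERS, CONSUMERS)
    problems = lint_key_policy(policy, ACCOUNT, PRODUCERS, CONSUMERS)
    if problems:
        sys.exit("\n".join(problems))
    print(json.dumps(policy, indent=2))
```

Redirect the output to kinesis-stream-kms-cmk-policy.json and continue with steps 02 to 05 above. After create-key, also run aws kms enable-key-rotation on the new key ID so that annual rotation, one of the reasons for preferring a customer-managed key, is actually switched on; it is off by default for customer-managed CMKs.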

Publication date Jul 19, 2017