Logo of Trend Micro

Kinesis Server Side Encryption

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: Kinesis-001

Ensure that your AWS Kinesis streams are encrypted using Server-Side Encryption (SSE) in order to meet strict regulatory requirements and improve the security of your data at rest. Kinesis is a platform for streaming data on Amazon Web Services that provides you with the ability to build and manage your own custom streaming data applications for specialized needs. A Kinesis stream is an ordered sequence of data records collected within a dedicated storage layer. With SSE your sensitive data is encrypted before this is written to the Kinesis stream storage layer and decrypted after it’s retrieved from storage.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Server-Side Encryption (SSE) for Amazon Kinesis streams provides you with an extra layer of security on top of authentication and authorization.

Note: SSE encrypts incoming data only after encryption is enabled. Preexisting data available in an unencrypted stream cannot be encrypted after Server-Side Encryption is enabled.

Audit

To determine if your AWS Kinesis streams have the Server-Side Encryption feature enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Kinesis dashboard at https://console.aws.amazon.com/kinesis/.

03 In the navigation panel, under Amazon Kinesis, choose Streams.

04 Select the Kinesis stream that you want to examine, click the Actions dropdown button and select Details to access the stream configuration details.

05 Choose the Details tab from the top panel and verify the SSE feature status available next to Server-side encryption attribute:

Kinesis server side encryption

If the status is set to Disabled, the selected AWS Kinesis streams does not have the Server-Side Encryption (SSE) feature enabled, therefore the data managed by the Kinesis stream is not encrypted.

06 Repeat step no. 4 and 5 for each Amazon Kinesis stream available in the current AWS region.

07 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run list-streams command (OSX/Linux/UNIX) to list the names of all Kinesis streams available within the selected AWS region - US East (N. Virginia): 

aws kinesis list-streams
	--region us-east-1
	--query 'StreamNames'

02 The command output should return the requested Kinesis stream names: 

[
    "cc-user-data-stream",
    "iot-kinesis-stream",
    "kinesis-sandbox-stream"
]

03 Run describe-stream command (OSX/Linux/UNIX) using the stream name returned at the previous step as identifier and custom query filters to return the encryption type used by the selected Kinesis stream: 

aws kinesis describe-stream
	--region us-east-1
	--stream-name cc-user-data-stream
	--query 'StreamDescription.EncryptionType'

04 The command output should return the encryption type used to encrypt the stream. If the describe-stream command output returns "NONE", the selected AWS Kinesis streams does not have the Server-Side Encryption feature enabled, therefore the records available within the Kinesis stream are not encrypted.

05 Repeat step no. 3 and 4 for each AWS Kinesis stream provisioned within the current AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire process for other regions.

Remediation / Resolution

To enable Server-Side Encryption (SSE) for your Amazon Kinesis streams, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Kinesis dashboard at https://console.aws.amazon.com/kinesis/.

03 In the navigation panel, under Amazon Kinesis, choose Streams.

04 Select the Kinesis stream that you want to examine, click the Actions dropdown button and select Details to open the stream configuration page.

05 Select the Details tab from the top panel, locate the Server-side encryption section and click the Edit button next to it:

Edit button

06 Select Enabled and choose (Default) aws/kinesis from the KMS master key dropdown menu. This is the default AWS KMS master key generated by the Kinesis service. To gain better security control over who can use the KMS CMK key and access the encrypted data within the stream(s), you can create and manage your own Customer Master Key (CMK) by following the instructions outlined in this conformity rule.

07 Click Save to apply the configuration changes. Once the request is made, a pop-up message will be displayed: "Enabling server-side encryption. This will take up to 20 seconds.". The selected stream transition through a "pending" state. Once the stream returns to the "active" state with Server-Side Encryption enabled, all incoming data written to the stream is encrypted using the AWS KMS master key that you selected.

08 Repeat steps no. 4 – 7 to enable Server-Side Encryption (SSE) for other Amazon Kinesis streams available in the current AWS region.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run start-stream-encryption command (OSX/Linux/UNIX) using the name of the stream that you want to encrypt (see Audit section part II to identify the right Kinesis resource) to enable Server-Side Encryption using the default AWS KMS encryption key for the specified stream (the command does not produce an output). You can also implement your own AWS KMS Customer Master Key (CMK) by following the instructions outlined within this conformity rule. The following command example enables Server-Side Encryption for an Amazon Kinesis stream named "cc-user-data-stream" using the default encryption master key created for Kinesis service (AWS-managed key identified by the alias aws/kinesis). The stream status will change to UPDATING. Once the status of the stream is ACTIVE, the records written to the stream will begin to be encrypted: 

aws kinesis start-stream-encryption
	--region us-east-1
	--stream-name cc-user-data-stream
	--encryption-type KMS
	--key-id aws/kinesis

02 Repeat step no. 1 to enable Server-Side Encryption (SSE) for other Amazon Kinesis streams created in the current AWS region.

03 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

References

Publication date Jul 19, 2017

Related Kinesis rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Kinesis Server Side Encryption

Risk level: High