Kinesis streams should be encrypted at rest

Identifier

kinesis-enable-server-side-encryption

Category

Protect > Data protection > Encryption of data at rest

Description

This control checks whether Amazon Kinesis Data Streams are encrypted at rest using AWS Key Management Service (KMS). Encryption ensures the data records in the stream are protected while stored. This is verified by checking that the encryption_type is set to KMS and a valid kms_key_id is configured in the Terraform configuration for the aws_kinesis_stream resource.

Non Compliant Example

Terraform
resource "aws_kinesis_stream" "foo" {
  name        = "foo"
  shard_count = 1
}

Remediation

To remediate this issue, enable server-side encryption by setting encryption_type = "KMS" and specifying a valid KMS key in kms_key_id:

Terraform
resource "aws_kinesis_stream" "foo" {
  name            = "foo"
  encryption_type = "KMS"
  # Reference the ARN of a customer-managed key declared elsewhere in the
  # configuration (an aws_kms_key resource labelled "foo" is assumed here).
  kms_key_id      = aws_kms_key.foo.arn
  shard_count     = 1
}
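
The check described above, written out as an added Python example that is not part of this page or any scanner's own code. It assumes flat aws_kinesis_stream blocks (no nested blocks) read with a minimal regex-based HCL reader, and runs over a constructed sample that contains the non-compliant form, a half-remediated form and the remediated form:

```python
import re

# Matches `resource "aws_kinesis_stream" "<label>" { ... }` with a flat body.
# Assumption: no nested blocks; real HCL should go through a proper parser.
BLOCK_RE = re.compile(
    r'resource\s+"aws_kinesis_stream"\s+"(?P<label>[^"]+)"\s*\{(?P<body>[^{}]*)\}'
)
# One `key = value` attribute per line, with an optional trailing `#` comment.
ATTR_RE = re.compile(
    r'^\s*(?P<key>[A-Za-z_]\w*)\s*=\s*(?P<value>[^\n#]+?)\s*(#.*)?$', re.MULTILINE
)


def parse_attrs(body):
    """Return the block's attributes as {key: raw_value_text}."""
    return {m.group("key"): m.group("value").strip() for m in ATTR_RE.finditer(body)}


def check_kinesis_encryption(hcl_text):
    """Return [(label, finding)] for streams not encrypted at rest with KMS.

    An empty list means every aws_kinesis_stream block is compliant.
    """
    findings = []
    for m in BLOCK_RE.finditer(hcl_text):
        attrs = parse_attrs(m.group("body"))
        # The provider default for encryption_type is "NONE" when omitted.
        enc = attrs.get("encryption_type", '"NONE"').strip('"')
        key = attrs.get("kms_key_id")
        if enc != "KMS":
            findings.append((m.group("label"), "encryption_type is not KMS"))
        elif not key or key in ('""', "null"):
            findings.append((m.group("label"), "kms_key_id is missing or empty"))
    return findings


# Constructed sample configuration used to exercise the check.
SAMPLE_TF = '''
resource "aws_kinesis_stream" "plain" {
  name        = "plain"
  shard_count = 1
}
resource "aws_kinesis_stream" "half" {
  name            = "half"
  encryption_type = "KMS"
  shard_count     = 1
}
resource "aws_kinesis_stream" "good" {
  name            = "good"
  encryption_type = "KMS"
  kms_key_id      = aws_kms_key.stream.arn  # key declared elsewhere
  shard_count     = 1
}
'''

if __name__ == "__main__":
    for label, finding in check_kinesis_encryption(SAMPLE_TF):
        print(f"aws_kinesis_stream.{label}: {finding}")
```

The "half" case shows why the control checks both attributes: encryption_type = "KMS" without a kms_key_id is still flagged.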

Extra Resources