More Info:

Ensure that your AWS Kinesis streams are encrypted using Server-Side Encryption (SSE) in order to meet strict regulatory requirements and improve the security of your data at rest. Kinesis is a platform for streaming data on Amazon Web Services that provides you with the ability to build and manage your own custom streaming data applications for specialized needs. A Kinesis stream is an ordered sequence of data records collected within a dedicated storage layer. With SSE, your sensitive data is encrypted before it is written to the Kinesis stream storage layer and decrypted after it is retrieved from storage.

Risk Level

High

Address

Cost optimization, Operational Maturity, Security

Compliance Standards

HIPAA, ISO27001

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration related to Kinesis Server Side Encryption for Kinesis using AWS console, follow these steps:
  1. Navigate to Kinesis Console:
    • Open the AWS Management Console and navigate to the Kinesis service.
  2. Select the Stream:
    • From the list of Streams, select the Stream for which you want to enable encryption.
  3. Enable Server-Side Encryption:
    • In the Stream details page, locate the Configuration section for Server-Side Encryption.
    • Under “Server-side encryption”, click “Edit” to change the encryption settings.
    • Enable “Server-side encryption”.
  4. Choose Encryption Type:
    • Select the KMS key to use for Kinesis Server-Side Encryption: the AWS managed key (aws/kinesis) or a customer managed key (specify your KMS key ARN).
    • If you choose a customer managed key, you will need to provide the KMS key ARN.
  5. Save Changes:
    • After configuring the encryption settings, save the changes by clicking on the ‘Save’ or ‘Update’ button.
  6. Verify Encryption Status:
    • Once the changes are saved, verify that the Server-Side Encryption is enabled for the Kinesis Data Stream.
By following these steps, you can remediate the misconfiguration related to Kinesis Server Side Encryption for Kinesis using the AWS Management Console.

To remediate the misconfiguration of Kinesis Server-Side Encryption for Kinesis using AWS CLI, you can follow these steps:
  1. Check the current encryption status: Run the following AWS CLI command to check the current encryption status of your Kinesis Data Stream:
    aws kinesis describe-stream --stream-name YOUR_STREAM_NAME
    
    This command will return information about the specified Kinesis Data Stream, including the encryption settings (the EncryptionType and KeyId fields under StreamDescription).
  2. Enable Server-Side Encryption: If the encryption is not enabled, you can enable Server-Side Encryption for the Kinesis Data Stream using the following AWS CLI command:
     aws kinesis start-stream-encryption \
     --stream-name YOUR_STREAM_NAME \
     --encryption-type KMS \
     --key-id alias/aws/kinesis
    
    Using Customer Managed Key:
    aws kinesis start-stream-encryption \
    --stream-name YOUR_STREAM_NAME \
    --encryption-type KMS \
    --key-id arn:aws:kms:REGION:ACCOUNT-ID:key/KEY-ID
    
    Replace YOUR_STREAM_NAME with the actual name of your Kinesis Data Stream. This command will enable Server-Side Encryption for the specified Kinesis Data Stream.
  3. Verify Encryption: After enabling Server-Side Encryption, you can verify the encryption status by running the describe-stream command again:
    aws kinesis describe-stream --stream-name YOUR_STREAM_NAME
    
    Ensure that the EncryptionType field under StreamDescription in the output is KMS and that KeyId shows the expected key, confirming that Server-Side Encryption is enabled for the Kinesis Data Stream. Note that start-stream-encryption is asynchronous and requires the stream to be in the ACTIVE state; if the stream is still updating, wait and run describe-stream again.
By following these steps and using the AWS CLI commands provided, you can remediate the misconfiguration of Kinesis Server-Side Encryption for Kinesis.
To remediate the misconfiguration of not having Kinesis Server-Side Encryption enabled for Kinesis using Python, follow these steps:
  1. Import the necessary Python libraries:
import boto3
  2. Initialize the Kinesis client:
kinesis_client = boto3.client('kinesis')
  3. Enable server-side encryption for the Kinesis Data Stream using the start_stream_encryption method:
stream_name = 'YOUR_STREAM_NAME'
# Use the AWS managed key, or set key_id to the ARN of your customer managed KMS key
key_id = 'alias/aws/kinesis'

response = kinesis_client.start_stream_encryption(
    StreamName=stream_name,
    EncryptionType='KMS',
    KeyId=key_id
)
Replace 'YOUR_STREAM_NAME' with the actual name of your Kinesis Data Stream, and change key_id to your KMS key ARN if you are using a customer managed key instead of the AWS managed key.
  4. Verify that server-side encryption with KMS is enabled for the Kinesis Data Stream:
response = kinesis_client.describe_stream(StreamName=stream_name)
encryption_type = response['StreamDescription'].get('EncryptionType', 'NONE')
key_id = response['StreamDescription'].get('KeyId', 'N/A')

print(f"Stream: {stream_name}")
print(f"Encryption Type: {encryption_type}")
print(f"Key ID: {key_id}")
  5. Run the Python script to apply the changes and verify that server-side encryption with KMS is enabled for the Kinesis Data Stream.
By following these steps, you can remediate the misconfiguration of not having Kinesis Server-Side Encryption enabled for Kinesis using Python.
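As an added example (not code from the original page), the check and remediation steps above can be turned into an audit helper that classifies describe_stream output for many streams at once and builds the start_stream_encryption parameters only for streams that are non-compliant and ACTIVE. The function names, the SAMPLE_STREAMS payloads and the account ID in them are constructed for this example; boto3 is only needed for the optional live call noted in the comment.

```python
# Audit helper: classify describe_stream output and build the start_stream_encryption call.
AWS_MANAGED_ALIAS = "alias/aws/kinesis"  # default on this page; pass a CMK ARN to override


def sse_finding(desc):
    """Classify one StreamDescription dict. Compliant only when EncryptionType is KMS
    and a KeyId is present; a missing EncryptionType is treated as NONE."""
    enc = desc.get("EncryptionType", "NONE")
    key = desc.get("KeyId")
    return {
        "stream": desc["StreamName"],
        "status": desc.get("StreamStatus", "UNKNOWN"),
        "encryption_type": enc,
        "key_id": key,
        "compliant": enc == "KMS" and bool(key),
    }


def remediation_params(stream_name, cmk_arn=None):
    """kwargs for kinesis.start_stream_encryption; AWS managed key unless a CMK ARN is given."""
    return {"StreamName": stream_name, "EncryptionType": "KMS",
            "KeyId": cmk_arn or AWS_MANAGED_ALIAS}


def audit(descriptions, cmk_arn=None):
    """Return (findings, calls, deferred). Only ACTIVE streams get a remediation call;
    the API rejects encryption changes while a stream is CREATING/UPDATING/DELETING."""
    findings = [sse_finding(d) for d in descriptions]
    calls, deferred = [], []
    for f in findings:
        if f["compliant"]:
            continue
        if f["status"] == "ACTIVE":
            calls.append(remediation_params(f["stream"], cmk_arn))
        else:
            deferred.append(f["stream"])
    return findings, calls, deferred


# Constructed sample payloads (trimmed StreamDescription dicts; account ID is a placeholder)
SAMPLE_STREAMS = [
    {"StreamName": "orders", "StreamStatus": "ACTIVE", "EncryptionType": "NONE"},
    {"StreamName": "audit-log", "StreamStatus": "ACTIVE", "EncryptionType": "KMS",
     "KeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"StreamName": "legacy", "StreamStatus": "UPDATING"},
]

if __name__ == "__main__":
    findings, calls, deferred = audit(SAMPLE_STREAMS)
    for c in calls:  # live run: boto3.client("kinesis").start_stream_encryption(**c)
        print("start_stream_encryption(**%r)" % c)
    print("non-compliant but not ACTIVE, retry later:", deferred)
```

In a live run, replace SAMPLE_STREAMS with the StreamDescription from describe_stream for each stream returned by list_streams, and re-run the audit after the streams return to ACTIVE to confirm EncryptionType is KMS.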

Additional Reading: