More Info:

Ensure Amazon Kinesis streams are encrypted with AWS KMS customer-managed keys (CMKs) instead of AWS managed keys (i.e. the default encryption keys that Amazon creates for the Kinesis service) in order to have more granular control over the encryption and decryption of your data streams (key policy, rotation, and revocation). Kinesis is an AWS streaming data service that provides you with the ability to build and manage your own streaming data applications for specialized needs. An AWS Kinesis stream is an ordered sequence of data records collected within a dedicated storage layer.

Risk Level

High

Address

Cost optimization, Operational Maturity, Security

Compliance Standards

ISO27001, HIPAA

Triage and Remediation

Remediation

To remediate the misconfiguration of a Kinesis Stream encrypted with a Customer Master Key (CMK) for AWS DynamoDB using the AWS Management Console, follow these steps:

  1. Access the AWS Management Console: Go to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to DynamoDB Service: Click on the “Services” dropdown menu at the top left corner of the console. Under the “Database” section, click on “DynamoDB” to open the DynamoDB dashboard.

  3. Select the DynamoDB Table: In the DynamoDB dashboard, locate and click on the table that you want to remediate the encryption settings for.

  4. Edit Table Encryption Settings:

    • Click on the “Overview” tab to view the details of the selected DynamoDB table.
    • In the “Overview” tab, click on the “Manage” button next to the “Encryption” section.
  5. Update Encryption Settings:

    • In the “Encryption” settings page, locate the “Encryption Type” section.
    • Click on the “Edit” button to modify the encryption settings for the DynamoDB table.
  6. Select Encryption Type:

    • In the “Edit encryption” dialog box, choose the desired encryption type. To remediate the misconfiguration of Kinesis Stream encryption with CMK, select “AWS managed key (AWS KMS)”.
  7. Choose AWS Managed Key (KMS):

    • Select the appropriate AWS managed key (KMS) from the dropdown list. Ensure that you choose the key that aligns with your security and compliance requirements.
  8. Save Changes:

    • After selecting the AWS managed key (KMS), click on the “Save” button to apply the encryption settings changes to the DynamoDB table.
  9. Verify Encryption Settings:

    • Once the changes are saved, verify that the encryption settings have been successfully updated to use the AWS managed key (KMS) instead of the Kinesis Stream encryption.

By following these steps, you can remediate the misconfiguration of a Kinesis Stream encrypted with a CMK for AWS DynamoDB using the AWS Management Console.
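The following is an added example, not code from the original page. It implements, against the Kinesis API, the check described in the More Info section (a stream is compliant only when it is KMS-encrypted with a key other than the AWS-managed `alias/aws/kinesis` key) and the remediation (switching a stream to a customer-managed key), which is the direction the More Info section calls for; the console steps above work on a DynamoDB table instead. `list_streams`, `describe_stream_summary` and `start_stream_encryption` are the real boto3 Kinesis client operations. The `FakeKinesisClient`, its three sample streams, the placeholder CMK ARN and the alias `alias/my-kinesis-cmk` are constructed for the example so it runs offline; it assumes that DescribeStreamSummary reports the AWS-managed key as the alias `alias/aws/kinesis` (bare or as an alias ARN).

```python
# Added example (not from the original page): audit Kinesis streams for use of the
# AWS-managed Kinesis key (or no encryption) and re-encrypt non-compliant streams
# with a customer-managed KMS key. Works with any boto3 Kinesis client; a constructed
# fake client is included so the logic runs offline.

# Alias of the key AWS creates and manages for the Kinesis service. Assumption:
# DescribeStreamSummary reports this alias (bare or as an alias ARN) in KeyId when
# the default key is in use.
AWS_MANAGED_KINESIS_KEY = "alias/aws/kinesis"


def uses_customer_managed_key(summary: dict) -> bool:
    """True only if the stream is KMS-encrypted with a key other than the AWS-managed one."""
    if summary.get("EncryptionType") != "KMS":
        return False  # "NONE": no server-side encryption at all
    key_id = summary.get("KeyId", "")
    return not (key_id == AWS_MANAGED_KINESIS_KEY
                or key_id.endswith(":" + AWS_MANAGED_KINESIS_KEY))


def list_all_streams(client) -> list:
    """Follow ListStreams pagination (HasMoreStreams / ExclusiveStartStreamName)."""
    names, kwargs = [], {}
    while True:
        page = client.list_streams(**kwargs)
        names.extend(page["StreamNames"])
        if not page.get("HasMoreStreams"):
            return names
        kwargs = {"ExclusiveStartStreamName": names[-1]}


def find_noncompliant_streams(client) -> list:
    """Return names of streams that are unencrypted or use the AWS-managed key."""
    noncompliant = []
    for name in list_all_streams(client):
        summary = client.describe_stream_summary(StreamName=name)["StreamDescriptionSummary"]
        if not uses_customer_managed_key(summary):
            noncompliant.append(name)
    return noncompliant


def remediate(client, stream_names, cmk_key_id: str) -> list:
    """Switch each stream to KMS encryption under the given customer-managed key.

    cmk_key_id may be a key ID, key ARN or alias of a CMK in the same region.
    StartStreamEncryption also requires the caller to have kms:GenerateDataKey
    and kms:Decrypt on that key; the stream stays ACTIVE while the change applies.
    """
    for name in stream_names:
        client.start_stream_encryption(StreamName=name, EncryptionType="KMS", KeyId=cmk_key_id)
    return list(stream_names)


class FakeKinesisClient:
    """Constructed stand-in for boto3.client('kinesis') holding three sample streams."""

    def __init__(self):
        self.streams = {
            "orders": {"EncryptionType": "KMS", "KeyId": "alias/aws/kinesis"},   # default key
            "clicks": {"EncryptionType": "NONE"},                                # unencrypted
            "audit": {"EncryptionType": "KMS",                                   # placeholder CMK ARN
                      "KeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
        }

    def list_streams(self, **kwargs):
        names = sorted(self.streams)
        start = kwargs.get("ExclusiveStartStreamName")
        if start:
            names = [n for n in names if n > start]
        page, rest = names[:2], names[2:]  # two per page, to exercise pagination
        return {"StreamNames": page, "HasMoreStreams": bool(rest)}

    def describe_stream_summary(self, StreamName):
        return {"StreamDescriptionSummary": {"StreamName": StreamName, **self.streams[StreamName]}}

    def start_stream_encryption(self, StreamName, EncryptionType, KeyId):
        self.streams[StreamName] = {"EncryptionType": EncryptionType, "KeyId": KeyId}


if __name__ == "__main__":
    kinesis = FakeKinesisClient()  # replace with boto3.client("kinesis") for a real account
    bad = find_noncompliant_streams(kinesis)
    print("non-compliant:", bad)
    remediate(kinesis, bad, "alias/my-kinesis-cmk")  # placeholder alias of your CMK
    print("after remediation:", find_noncompliant_streams(kinesis))
```

Run the audit first and review the list before remediating: `find_noncompliant_streams` flags both streams on the default key and streams with no encryption, and the re-check after `remediate` is the verification step, the equivalent of step 9 above for a Kinesis stream.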

Additional Reading: