Kinesis Stream Encrypted With CMK
More Info:
Ensure Amazon Kinesis streams are encrypted with KMS customer-managed keys (CMKs) instead of AWS managed keys (the default encryption keys Amazon creates for the Kinesis service) in order to have more granular control over the encryption/decryption of your data streams. Kinesis is an AWS streaming data service that provides you with the ability to build and manage your own streaming data applications for specialized needs. An AWS Kinesis stream is an ordered sequence of data records collected within a dedicated storage layer.
Risk Level: High
Address: Cost optimization, Operational Maturity, Security
Compliance Standards: ISO27001, HIPAA
Triage and Remediation
Remediation
To remediate the misconfiguration of a Kinesis Stream encrypted with a Customer Master Key (CMK) for AWS DynamoDB using the AWS Management Console, follow these steps:
- Access the AWS Management Console: Go to the AWS Management Console at https://console.aws.amazon.com.
- Navigate to DynamoDB Service: Click on the “Services” dropdown menu at the top left corner of the console. Under the “Database” section, click on “DynamoDB” to open the DynamoDB dashboard.
- Select the DynamoDB Table: In the DynamoDB dashboard, locate and click on the table whose encryption settings you want to remediate.
- Edit Table Encryption Settings:
  - Click on the “Overview” tab to view the details of the selected DynamoDB table.
  - In the “Overview” tab, click on the “Manage” button next to the “Encryption” section.
- Update Encryption Settings:
  - In the “Encryption” settings page, locate the “Encryption Type” section.
  - Click on the “Edit” button to modify the encryption settings for the DynamoDB table.
- Select Encryption Type:
  - In the “Edit encryption” dialog box, choose the desired encryption type. To remediate the misconfiguration of Kinesis Stream encryption with CMK, select “AWS managed key (AWS KMS)”.
- Choose AWS Managed Key (KMS):
  - Select the appropriate AWS managed key (KMS) from the dropdown list. Ensure that you choose the key that aligns with your security and compliance requirements.
- Save Changes:
  - After selecting the AWS managed key (KMS), click on the “Save” button to apply the encryption settings changes to the DynamoDB table.
- Verify Encryption Settings:
  - Once the changes are saved, verify that the encryption settings have been successfully updated to use the AWS managed key (KMS) instead of the Kinesis Stream encryption.
By following these steps, you can remediate the misconfiguration of a Kinesis Stream encrypted with a CMK for AWS DynamoDB using the AWS Management Console.
To remediate the misconfiguration of a Kinesis Stream encrypted with a Customer Managed Key (CMK) for AWS DynamoDB using the AWS CLI, you can follow these steps:
- Identify the DynamoDB Table: First, identify the DynamoDB table that is using the Kinesis Stream encrypted with CMK.
- Disable Encryption with CMK for Kinesis Stream: To remediate this misconfiguration, you will need to disable encryption with CMK for the Kinesis Stream associated with the DynamoDB table. You can achieve this by updating the Kinesis Stream settings.
- Update Kinesis Stream Encryption Settings: Open the AWS CLI and run the following command to update the encryption settings of the Kinesis Stream associated with the DynamoDB table (the Kinesis CLI has no `update-stream` subcommand; `stop-stream-encryption` is the call that sets a stream's encryption type back to `NONE`, and it requires the key the stream is currently encrypted with):

    aws kinesis stop-stream-encryption --stream-name YOUR_STREAM_NAME --encryption-type KMS --key-id YOUR_KMS_KEY_ID

  Replace `YOUR_STREAM_NAME` with the actual name of the Kinesis Stream associated with the DynamoDB table, and `YOUR_KMS_KEY_ID` with the ID or ARN of the CMK currently used by that stream.
- Verify Encryption Settings: Once you have updated the encryption settings for the Kinesis Stream, verify that the encryption type is set to `NONE` to ensure that the Kinesis Stream is no longer encrypted with a CMK.
- Monitor DynamoDB Table: Monitor the DynamoDB table to ensure that there are no issues or disruptions after making this change.
By following these steps and updating the encryption settings for the Kinesis Stream associated with the DynamoDB table to use encryption type `NONE`, you can remediate the misconfiguration of a Kinesis Stream encrypted with a CMK for AWS DynamoDB.
To remediate the misconfiguration of a Kinesis Stream not being encrypted with a Customer Managed Key (CMK) in AWS, we need to create a new Kinesis Stream with encryption enabled using a CMK. Here are the step-by-step instructions on how to remediate this issue for AWS DynamoDB using Python (boto3):
- Import the necessary Python libraries:

    import boto3

- Create a new Kinesis Stream and enable encryption with the CMK. Note that boto3's `create_stream` does not accept encryption parameters; encryption is switched on with `start_stream_encryption` once the new stream is ACTIVE:

    def remediate_kinesis_stream_encryption(stream_name, cmk_arn):
        client = boto3.client('kinesis')
        # create_stream only takes the stream name and shard configuration
        client.create_stream(
            StreamName=stream_name,
            ShardCount=1
        )
        # Wait until the new stream reaches ACTIVE before changing its encryption
        client.get_waiter('stream_exists').wait(StreamName=stream_name)
        # Turn on server-side encryption with the customer-managed key
        client.start_stream_encryption(
            StreamName=stream_name,
            EncryptionType='KMS',
            KeyId=cmk_arn
        )
        print(f"New Kinesis Stream '{stream_name}' created with encryption using CMK '{cmk_arn}'")

- Replace the `stream_name` and `cmk_arn` variables with your desired values:

    stream_name = 'your-kinesis-stream-name'
    cmk_arn = 'your-cmk-arn'

- Call the `remediate_kinesis_stream_encryption` function with the appropriate parameters, under a main guard so the call runs when the script is executed:

    if __name__ == '__main__':
        remediate_kinesis_stream_encryption(stream_name, cmk_arn)

- Run the Python script to create the new Kinesis Stream with encryption enabled using a CMK.
By following these steps and running the Python script, you can remediate the misconfiguration of a Kinesis Stream not being encrypted with a CMK in AWS DynamoDB.
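The check this rule actually asks for (the "More Info" description above: is a stream encrypted, and if so with a customer-managed key rather than the AWS managed one?) and the fix for an existing stream, as an added Python example that is not the page's or AWS's own code. The classification logic is pure Python and runs against constructed sample responses embedded below; only `audit_account` talks to AWS, and it assumes boto3 is installed and credentials with `kinesis:ListStreams`, `kinesis:DescribeStreamSummary` and `kms:DescribeKey` are available. The function names (`classify_stream_encryption`, `find_noncompliant`, `audit_account`, `enable_cmk_encryption`) are this example's own. The authoritative distinction between AWS managed and customer-managed keys is the `KeyManager` field returned by KMS `DescribeKey`; the alias `alias/aws/kinesis` is used only as a fallback when KMS metadata is not available.

```python
"""Audit Kinesis streams for customer-managed KMS (CMK) encryption.

Added example, not the page's own code. Only audit_account needs boto3 and
AWS credentials; the classification helpers run on plain dicts.
"""

AWS_MANAGED_KINESIS_ALIAS = "alias/aws/kinesis"  # alias of the service default key


def classify_stream_encryption(stream_summary, key_metadata=None):
    """Return 'NONE', 'AWS_MANAGED' or 'CUSTOMER_MANAGED'.

    stream_summary: the 'StreamDescriptionSummary' dict from
    kinesis.describe_stream_summary(). key_metadata: the 'KeyMetadata' dict
    from kms.describe_key() for the stream's KeyId, when available.
    """
    if stream_summary.get("EncryptionType", "NONE") != "KMS":
        return "NONE"
    key_id = stream_summary.get("KeyId", "")
    # KMS reports who manages the key; this is the authoritative check.
    if key_metadata is not None:
        return "AWS_MANAGED" if key_metadata.get("KeyManager") == "AWS" else "CUSTOMER_MANAGED"
    # Fallback without KMS metadata (assumption): the service default key is
    # referenced through its well-known alias.
    if key_id == AWS_MANAGED_KINESIS_ALIAS or key_id.endswith("/" + AWS_MANAGED_KINESIS_ALIAS):
        return "AWS_MANAGED"
    return "CUSTOMER_MANAGED"


def find_noncompliant(summaries_with_keys):
    """Names of streams that are not encrypted with a customer-managed key.

    summaries_with_keys: iterable of (stream_summary, key_metadata_or_None).
    """
    return [
        summary["StreamName"]
        for summary, key_md in summaries_with_keys
        if classify_stream_encryption(summary, key_md) != "CUSTOMER_MANAGED"
    ]


def audit_account(region_name=None):
    """Live audit: classify every stream in the region. Returns {name: class}."""
    import boto3  # imported here so the pure helpers above run without boto3

    kinesis = boto3.client("kinesis", region_name=region_name)
    kms = boto3.client("kms", region_name=region_name)
    findings = {}
    for page in kinesis.get_paginator("list_streams").paginate():
        for name in page["StreamNames"]:
            summary = kinesis.describe_stream_summary(StreamName=name)["StreamDescriptionSummary"]
            key_md = None
            if summary.get("EncryptionType") == "KMS":
                key_md = kms.describe_key(KeyId=summary["KeyId"])["KeyMetadata"]
            findings[name] = classify_stream_encryption(summary, key_md)
    return findings


def enable_cmk_encryption(kinesis, stream_name, cmk_arn):
    """Switch an existing stream to the given customer-managed key.

    The stream must be ACTIVE; Kinesis then encrypts records written after
    the call. Takes the client as a parameter so it can be exercised with a
    stand-in object.
    """
    kinesis.get_waiter("stream_exists").wait(StreamName=stream_name)
    kinesis.start_stream_encryption(
        StreamName=stream_name, EncryptionType="KMS", KeyId=cmk_arn
    )


# Constructed sample responses (not captured from a real account).
SAMPLE_STREAMS = [
    ({"StreamName": "orders", "EncryptionType": "NONE"}, None),
    ({"StreamName": "clicks", "EncryptionType": "KMS", "KeyId": "alias/aws/kinesis"},
     {"KeyManager": "AWS"}),
    ({"StreamName": "payments", "EncryptionType": "KMS",
      "KeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
     {"KeyManager": "CUSTOMER"}),
]

if __name__ == "__main__":
    for summary, key_md in SAMPLE_STREAMS:
        print(summary["StreamName"], classify_stream_encryption(summary, key_md))
    print("non-compliant:", find_noncompliant(SAMPLE_STREAMS))
```

Run as a script it classifies the three constructed streams and reports `orders` (unencrypted) and `clicks` (AWS managed key) as non-compliant; `audit_account()` does the same over a real region, and `enable_cmk_encryption(boto3.client("kinesis"), name, key_arn)` brings a flagged stream into compliance without recreating it.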