Ensure KMS customer managed keys are used for encryption in AWS Kinesis Streams

HIGH

Description

Using a customer managed key (CMK) gives administrators control over how stream data is encrypted: they own the key policy and grants, can disable or schedule deletion of the key, choose the rotation schedule, and can audit every use of the key in CloudTrail, all of which helps meet compliance requirements. With the AWS managed key for Kinesis (alias/aws/kinesis) none of that is configurable: the key policy cannot be edited and the key cannot be disabled or rotated on your own schedule, so a compromised consumer or over-broad IAM policy cannot be cut off at the key. Use a customer managed key wherever the service supports it.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the Kinesis Data Streams Console.
  2. Choose the Kinesis stream you wish to edit.
  3. Select Details.
  4. Under Server-side encryption, select Edit.
  5. Choose a customer managed key (not the AWS managed key aws/kinesis) and set server-side encryption to Enabled.
  6. Select Save.

In Terraform -

  1. In the aws_kinesis_stream resource, set encryption_type to "KMS" and set kms_key_id to the key ID or ARN of a customer managed key. Do not use alias/aws/kinesis, which selects the AWS managed key; kms_key_id is ignored unless encryption_type is "KMS".
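Before remediating, it helps to know which streams are actually affected. The audit script below is an added example, not part of the original policy page or of any AWS tooling. It classifies each stream as unencrypted, encrypted with the AWS managed key, or encrypted with a customer managed key, using the KeyManager field that KMS DescribeKey returns. The classification is a pure function over constructed DescribeStream and DescribeKey responses so it runs offline; audit_live_account is an assumed helper that wires the same logic to boto3 for a real account.

```python
"""Audit Kinesis Data Streams for server-side encryption with a customer managed KMS key.

Added example, not from the original page. classify_stream and find_noncompliant
are pure and run offline; audit_live_account (assumed helper) needs boto3,
credentials and kinesis:ListStreams, kinesis:DescribeStream, kms:DescribeKey.
"""
from typing import Any, Callable, Dict, Iterable

AWS_MANAGED_ALIAS = "alias/aws/kinesis"


def classify_stream(stream: Dict[str, Any],
                    describe_key: Callable[[str], Dict[str, Any]]) -> str:
    """Return 'NONE', 'AWS_MANAGED' or 'CUSTOMER_MANAGED' for one stream.

    stream is the StreamDescription map from Kinesis DescribeStream.
    describe_key takes a KMS key id / ARN / alias and returns the KeyMetadata
    map from KMS DescribeKey, so it can be stubbed for offline use.
    """
    if stream.get("EncryptionType", "NONE") != "KMS":
        return "NONE"
    key_id = stream.get("KeyId", "")
    # The AWS managed key may be referenced by bare alias or by alias ARN.
    if key_id == AWS_MANAGED_ALIAS or key_id.endswith(":" + AWS_MANAGED_ALIAS):
        return "AWS_MANAGED"
    # Anything else is a key ARN/ID: ask KMS who manages it ('AWS' or 'CUSTOMER').
    metadata = describe_key(key_id)
    return "CUSTOMER_MANAGED" if metadata.get("KeyManager") == "CUSTOMER" else "AWS_MANAGED"


def find_noncompliant(streams: Iterable[Dict[str, Any]],
                      describe_key: Callable[[str], Dict[str, Any]]) -> Dict[str, str]:
    """Map stream name -> verdict for every stream not on a customer managed key."""
    findings = {}
    for s in streams:
        verdict = classify_stream(s, describe_key)
        if verdict != "CUSTOMER_MANAGED":
            findings[s["StreamName"]] = verdict
    return findings


# Constructed sample API responses (not output from a real account).
CMK_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
AWS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_STREAMS = [
    {"StreamName": "orders", "EncryptionType": "NONE"},
    {"StreamName": "clicks", "EncryptionType": "KMS", "KeyId": AWS_MANAGED_ALIAS},
    {"StreamName": "metrics", "EncryptionType": "KMS",
     "KeyId": "arn:aws:kms:us-east-1:123456789012:alias/aws/kinesis"},
    {"StreamName": "payments", "EncryptionType": "KMS", "KeyId": CMK_ARN},
    {"StreamName": "audit", "EncryptionType": "KMS", "KeyId": AWS_KEY_ARN},
]
SAMPLE_KEY_METADATA = {
    CMK_ARN: {"KeyId": CMK_ARN.rsplit("/", 1)[1], "KeyManager": "CUSTOMER"},
    AWS_KEY_ARN: {"KeyId": AWS_KEY_ARN.rsplit("/", 1)[1], "KeyManager": "AWS"},
}


def sample_describe_key(key_id: str) -> Dict[str, Any]:
    """Offline stand-in for kms.describe_key(KeyId=...)['KeyMetadata']."""
    return SAMPLE_KEY_METADATA[key_id]


def audit_live_account(region_name: str = None) -> Dict[str, str]:
    """Assumed helper: run the same check against a real account with boto3."""
    import boto3  # imported lazily so the offline part needs no dependencies
    kinesis = boto3.client("kinesis", region_name=region_name)
    kms = boto3.client("kms", region_name=region_name)
    streams = []
    for page in kinesis.get_paginator("list_streams").paginate():
        for name in page["StreamNames"]:
            streams.append(kinesis.describe_stream(StreamName=name)["StreamDescription"])
    return find_noncompliant(streams, lambda k: kms.describe_key(KeyId=k)["KeyMetadata"])


if __name__ == "__main__":
    for name, verdict in find_noncompliant(SAMPLE_STREAMS, sample_describe_key).items():
        print(f"{name}: {verdict}")
```

Streams reported as NONE or AWS_MANAGED are the ones that need the remediation steps above; a stream whose KeyId is a full key ARN still has to be resolved through KMS, because the AWS managed key also has an ordinary key ARN.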

References:
https://docs.aws.amazon.com/streams/latest/dev/what-is-sse.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#kms_key_id

Policy Details

Rule Reference ID: AC_AWS_0157
CSP: AWS
Remediation Available: Yes
Resource Category: Analytics
Resource Type: Kinesis

Frameworks