Ensure sufficient data retention period is set for AWS Kinesis Streams

MEDIUM

Description

Using customer managed keys gives administrators control over how data is encrypted, which helps meet compliance requirements and allows a more specific key rotation period. Using system-generated keys can sometimes leave expired or exposed keys in use, leaving the data insecure. It is generally recommended to use a customer managed key where the service supports one.

Remediation

In AWS Console -

  1. Sign in to AWS Console and go to Kinesis dashboard.
  2. In the navigation panel select Data Streams.
  3. Select the Kinesis stream and select Details.
  4. Check the data retention value.

In Terraform -

  1. In the aws_kinesis_stream resource, set the retention_period argument to a numeric value in hours (the provider default is 24 hours when the argument is omitted).
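The Terraform remediation above is easy to forget on a new stream, so a pre-deploy check is useful. The following Python script is an added example, not part of this policy page or of any Terraform provider code: it reads the JSON that `terraform show -json plan.out` produces and flags every aws_kinesis_stream whose effective retention_period (the provider default of 24 hours when the argument is absent) is below a threshold. The 168-hour threshold and the embedded sample plan are constructed for the example; the minimum you enforce is your own decision.

```python
import json

# Minimum retention this check considers sufficient, in hours.
# Assumption: 168 h (7 days) is an illustrative value, not a policy-mandated one.
MIN_RETENTION_HOURS = 168

# Value the hashicorp/aws provider applies when retention_period is omitted.
DEFAULT_RETENTION_HOURS = 24


def iter_resources(module):
    """Yield every resource in a planned-values module, recursing into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_kinesis_retention(plan, min_hours=MIN_RETENTION_HOURS):
    """Return a finding for each aws_kinesis_stream whose effective retention is too short.

    `plan` is the parsed output of `terraform show -json`. A stream that omits
    retention_period is evaluated at the provider default, so an unset value is
    still reported rather than silently passing.
    """
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "aws_kinesis_stream":
            continue
        declared = res.get("values", {}).get("retention_period")
        effective = DEFAULT_RETENTION_HOURS if declared is None else int(declared)
        if effective < min_hours:
            findings.append({
                "address": res["address"],
                "retention_hours": effective,
                "explicit": declared is not None,
            })
    return findings


# Constructed sample plan: one stream with the argument omitted, one set too low,
# and one inside a child module that meets the threshold.
SAMPLE_PLAN = json.loads("""
{
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "aws_kinesis_stream.events", "type": "aws_kinesis_stream",
         "values": {"name": "events", "shard_count": 1}},
        {"address": "aws_kinesis_stream.short", "type": "aws_kinesis_stream",
         "values": {"name": "short", "shard_count": 1, "retention_period": 48}}
      ],
      "child_modules": [
        {"address": "module.ingest",
         "resources": [
           {"address": "module.ingest.aws_kinesis_stream.audit", "type": "aws_kinesis_stream",
            "values": {"name": "audit", "shard_count": 2, "retention_period": 168}}
         ]}
      ]
    }
  }
}
""")


def main():
    # In practice: plan = json.load(open("plan.json")) after `terraform show -json plan.out > plan.json`
    for f in check_kinesis_retention(SAMPLE_PLAN):
        how = "explicitly set" if f["explicit"] else "not set (provider default)"
        print(f"{f['address']}: retention_period {f['retention_hours']}h, {how}; "
              f"set retention_period >= {MIN_RETENTION_HOURS}")


if __name__ == "__main__":
    main()
```

Run it against a real plan by replacing SAMPLE_PLAN with the parsed file; a non-empty result is a reason to fail the pipeline before apply. The check deliberately treats an omitted argument as 24 hours rather than skipping it, because that is exactly the case the remediation step targets.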

References:
https://docs.aws.amazon.com/streams/latest/dev/kinesis-extended-retention.html
https://registry.terraform.io/providers/hashicorp/aws/3.76.1/docs/resources/kinesis_stream#retention_period

Policy Details

Rule Reference ID: AC_AWS_0158
CSP: AWS
Remediation Available: Yes
Domain: Resilience
Resource Category: Analytics
Resource Type: Kinesis

Frameworks