Kinesis should use in-transit encryption
- GG_ID: GG_IAC_0052
- Severity: HIGH
- Complexity: HIGH
- Categories: DATA, NETWORK, PERMISSION
- Providers: AWS
- Potential data exposure: True
- Visible in logs: False
- User interaction required: False
- Privileges required: True
# Description
Amazon Kinesis Data Streams is a serverless streaming data service that captures, processes, and stores data streams at any scale.
Server-side encryption with AWS KMS encrypts each record as soon as it enters the stream and keeps it encrypted until a consumer reads it, so the data is never held in cleartext inside the Kinesis service (the client connection itself is protected separately by TLS on the Kinesis HTTPS endpoint). Create a customer managed KMS key and reference it explicitly instead of relying on the AWS managed aws/kinesis key: only a key you own has a key policy you can edit, which is what lets you control and audit which principals may encrypt and decrypt the stream's data.
# Impact
Records that are not encrypted are readable in cleartext by anyone who gains access to the stream, so a compromise of the account, of a consumer's credentials, or of the service itself turns directly into a leak of the data the stream carries.
# Remediation guidelines
Enable server-side encryption for a new or already existing Kinesis stream through the AWS Management Console. Deselect the default aws/kinesis KMS key and select, or create, a customer managed key of your own.
In your configuration file (the aws_kinesis_stream resource in Terraform), set encryption_type to "KMS" and put the ID or ARN of your own key in kms_key_id.
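The Terraform configuration below is an added example, not code from the GitGuardian policy page or its scanner. It places an aws_kinesis_stream that would be flagged by this check (KMS enabled, but with the AWS managed aws/kinesis key) beside the compliant form that references a customer managed key created in the same file. The resource names, the stream and alias names, and the assumption that an AWS provider is already configured are illustrative.

```hcl
# Added example for GG_IAC_0052; not part of the original page.
# Assumes an AWS provider block is configured elsewhere. Names are illustrative.

# Customer managed key: you own the key policy, rotation and deletion schedule.
resource "aws_kms_key" "kinesis" {
  description             = "CMK for Kinesis server-side encryption"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "kinesis" {
  name          = "alias/kinesis-orders"
  target_key_id = aws_kms_key.kinesis.key_id
}

# FLAGGED: encryption is on, but the AWS managed key is used. You cannot
# edit the key policy of aws/kinesis, so access control stays with the
# service rather than with you. (Leaving encryption_type at its default,
# "NONE", is flagged for the same reason: records are stored in cleartext.)
resource "aws_kinesis_stream" "orders_default_key" {
  name            = "orders-default-key"
  shard_count     = 1
  encryption_type = "KMS"
  kms_key_id      = "alias/aws/kinesis"
}

# COMPLIANT: KMS encryption with the customer managed key defined above.
resource "aws_kinesis_stream" "orders" {
  name            = "orders"
  shard_count     = 1
  encryption_type = "KMS"
  kms_key_id      = aws_kms_key.kinesis.arn
}
```

Switching an existing stream to a customer managed key changes who may use it: producers need kms:GenerateDataKey and consumers need kms:Decrypt on that key, granted through the key policy or the principals' IAM policies. Add those grants before applying the change, or puts and reads against the stream will start failing with KMS access errors.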