Kinesis should use in-transit encryption

  • GG_ID: GG_IAC_0052
  • Severity: HIGH
  • Complexity: HIGH
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True


Amazon Kinesis Data Streams is a serverless streaming data service that makes it easy to capture, process, and store data streams at any scale.

Server-side encryption (SSE) with an AWS KMS key makes Kinesis encrypt every record as soon as it is received and decrypt it only when a consumer retrieves it, so records are never held in plaintext inside the stream; the connection between your producers or consumers and the Kinesis API is protected separately by TLS. Use a customer managed KMS key that you create yourself and reference it explicitly rather than the AWS managed aws/kinesis key: the key policy of a customer managed key is under your control (the policy of the AWS managed key cannot be edited), so it becomes an access-control boundary that decides which producers may call kms:GenerateDataKey and which consumers may call kms:Decrypt for that stream.


Without encryption, anyone who can read the stream, for example through an over-broad IAM policy or a leaked credential, gets the records in plaintext. With SSE the same reader also needs kms:Decrypt on the key, so a tightly scoped key policy limits the blast radius of a compromised stream permission.

Remediation guidelines

Enable server-side encryption on a new or already-existing Kinesis stream through the AWS Management Console or with aws kinesis start-stream-encryption. When choosing the key, do not keep the default AWS managed aws/kinesis key; select a customer managed key you created in KMS. In infrastructure code such as a Terraform aws_kinesis_stream resource, set encryption_type to "KMS" and put your own key's ID, ARN or alias in kms_key_id; leaving encryption_type unset (or "NONE") keeps the stream unencrypted.
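The following Terraform is an added example written for this page, not code from GitGuardian or AWS. It shows the unencrypted default beside the remediated stream backed by a customer managed KMS key whose policy restricts decryption to the roles that need it. The stream name, account ID, region and role ARNs are placeholders.

```hcl
# Added example (not GitGuardian's or AWS's own code). The stream name,
# account ID 123456789012, region eu-west-1 and the role ARNs are placeholders.

# Weak: encryption_type defaults to "NONE", so records sit in the stream in
# plaintext. Kept only to show what the rule flags.
resource "aws_kinesis_stream" "orders_unencrypted" {
  name        = "orders-events-unencrypted"
  shard_count = 1
  # encryption_type = "NONE"   (implicit default, flagged by GG_IAC_0052)
}

# Customer managed key. Its policy, not the stream, decides who can decrypt:
# producers need GenerateDataKey, consumers need Decrypt, both only when the
# call is made through Kinesis (kms:ViaService).
resource "aws_kms_key" "kinesis" {
  description             = "CMK for Kinesis stream orders-events"
  enable_key_rotation     = true
  deletion_window_in_days = 30

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Standard statement that keeps the account root able to manage the
        # key; without it the key can become unmanageable.
        Sid       = "AllowAccountAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::123456789012:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid    = "AllowStreamProducersAndConsumers"
        Effect = "Allow"
        Principal = {
          AWS = [
            "arn:aws:iam::123456789012:role/orders-producer",
            "arn:aws:iam::123456789012:role/orders-consumer",
          ]
        }
        Action   = ["kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"]
        Resource = "*"
        Condition = {
          StringEquals = {
            "kms:ViaService" = "kinesis.eu-west-1.amazonaws.com"
          }
        }
      },
    ]
  })
}

resource "aws_kms_alias" "kinesis" {
  name          = "alias/orders-events"
  target_key_id = aws_kms_key.kinesis.key_id
}

# Remediated: SSE enabled with the customer managed key instead of the
# default alias/aws/kinesis AWS managed key.
resource "aws_kinesis_stream" "orders" {
  name             = "orders-events"
  shard_count      = 1
  retention_period = 24
  encryption_type  = "KMS"
  kms_key_id       = aws_kms_key.kinesis.arn
}
```

After apply, aws kinesis describe-stream-summary --stream-name orders-events --query 'StreamDescriptionSummary.[EncryptionType,KeyId]' should return KMS together with the key ARN; a result of NONE means the change did not take effect. Splitting the producer and consumer roles into separate statements, granting only GenerateDataKey to the former and only Decrypt to the latter, tightens the policy further if those roles are distinct in your account.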

External documentation