Kinesis should use in-transit encryption

• GG_ID: GG_IAC_0052
• Severity: HIGH
• Complexity: HIGH
• Categories: DATA, NETWORK, PERMISSION
• Providers: AWS
• Potential data exposure: True
• Visible in logs: False
• User interaction required: False
• Privileges required: True

Description

Amazon Kinesis Data Streams is a serverless streaming data service that makes it easy to capture, process, and store data streams at any scale.

Server-side encryption using AWS KMS ensures that the data is protected when it is moving from one location to another. You must create a User-Generated KMS Master key and specify it manually for a secure access control management.

Impact

Not encrypting data in-transit could lead to data leak in case of an attack.

Remediation guidelines

Enable server-side encryption for a new or already-existing Kinesis stream through the AWS Management Console. Make sure to unselect the (default) aws/kinesis KMS master key and generate your own. In your configuration file, you must set the encryption_type variable to "KMS" and put you personal key in kms_key_id.

External documentation

• Server-Side Encryption for Kinesis Data Streams
• User-Generated KMS Master Keys