Vulnerabilities
Misconfiguration
Compliance
AWS > Kinesis >

Enable In Transit Encryption

HIGH
Source
Trivy/CSPM
CSPM ID
kinesis-streams-encrypted
ID
AVD-AWS-0064
cloudformation management_console terraform

Kinesis stream is unencrypted.

Kinesis streams should be encrypted to ensure sensitive data is kept private. Additionally, non-default KMS keys should be used so granularity of access control can be ensured.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Enable in transit encryption

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

Resources:
  GoodExample:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: GoodExample
      RetentionPeriodHours: 168
      ShardCount: 3
      StreamEncryption:
        EncryptionType: KMS
        KeyId: alias/key
      Tags:
        - Key: Environment
          Value: Production

  1. Log in to the AWS Management Console.

  2. Select the “Services” option and search for “Kinesis”. Step

  3. Under the “Amazon Kinesis dashboard” choose “Data Firehose” or “Delivery streams” from the left navigation panel. Step

  4. Select the “Firehose Delivery System” that needs to be verified and click on the “Name” to access the delivery stream.Step

  5. Select the “Configuration” tab and scroll down to “Amazon S3 destination”. Click on the S3 bucket link to check the “Encryption” value.Step

  6. In the Amazon S3 bucket configuration tab that opens, select “Properties” tab. Step

  7. Scroll down to “Default encryption”, and if it’s set to “Disabled” then the selected “Firehose Delivery System” data is not encrypted. Step

  8. Click “Edit” and on the “Edit default encryption” page select “Enable”. Step

  9. Under the “Encryption key type” select “AWS Key Management Service key (SSE-KMS)”. Step

  10. In the “AWS KMS key” section select option “Choose from your AWS KMS keys” and in the “AWS KMS key” select your key from the dropdown.Step

  11. Select the “Enable” option under “Bucket Key” and click on “Save changes” to enable the encryption.Step

  12. On the successful configuration changes, one will get “Successfully edited default encryption” message. Step

  13. Repeat step number 4 and 12 to verify all other “Firehose Delivery System”.

Enable in transit encryption

1
2
3
4

resource "aws_kinesis_stream" "good_example" {
  encryption_type = "KMS"
  kms_key_id      = "my/special/key"
}
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use