Vulnerabilities
Misconfiguration
Runtime Security
Compliance
AWS > Kinesis > Enable In Transit Encryption
HIGH
Source
Trivy/CSPM
CSPM ID
kinesis-streams-encrypted
ID
AVD-AWS-0064
cloudformation management_console terraform

Kinesis stream is unencrypted.

Kinesis streams should be encrypted to ensure sensitive data is kept private. Additionally, non-default KMS keys should be used so granularity of access control can be ensured.

Impact

Intercepted data can be read in transit

Follow the appropriate remediation steps below to resolve the issue.

Enable in transit encryption

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  GoodExample:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: GoodExample
      RetentionPeriodHours: 168
      ShardCount: 3
      StreamEncryption:
        EncryptionType: KMS
        KeyId: alis/key
      Tags:
        -
          Key: Environment 
          Value: Production
  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for “Kinesis”. Step
  3. Under the “Amazon Kinesis dashboard” choose “Data Firehose” from the left navigation panel. Step
  4. Select the “Firehose Delivery System” that needs to be verified and click on the “Name” to access the delivery stream.Step
  5. Select the “Details” tab and scroll down to “Amazon S3 destination”. Check the “Encryption” value and if it’s set to “Disabled” then the selected “Firehose Delivery System” data is not encrypted. Step
  6. Repeat steps number 4 and 5 to verify another “Firehose Delivery System”.
  7. To enable the “Encryption” on selected “Firehose Delivery System” click on the “Name” to access the delivery stream. Under the “Details” tab click on the “Edit” button to make the changes in “Amazon S3 destination”. Step
  8. Click on the “Enable” button next to the “S3 encryption” to enable the encryption. Step
  9. Choose the “KMS master key” from the dropdown list. Choose either the (“Default( aws/s3 )") KMS key or an AWS KMS Customer Master Key (CMK).Step
  10. Click on the “Save” button to make the necessary changes. On the successful configuration changes, one will get “Successfully updated delivery stream” message. Step

Enable in transit encryption

1
2
3
4

resource "aws_kinesis_stream" "good_example" {
  encryption_type = "KMS"
  kms_key_id = "my/special/key"
}
Aqua SaaS Plans
The fastest track to get started with Aqua
Start Now
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2022 Aqua Security Software Ltd.   Privacy Policy | Terms of Use