To meet strict regulatory requirements and improve the security of your data at rest, it's important to ensure that your Amazon Kinesis data streams are encrypted using Server-Side Encryption (SSE). Amazon Kinesis is a powerful streaming platform that allows you to develop and manage your own custom streaming data applications to address specific business needs. A Kinesis data stream is essentially an ordered sequence of data records stored in a dedicated storage layer. By using Server-Side Encryption, your sensitive data is encrypted before being written to the Kinesis stream storage layer and decrypted after retrieval. Implementing Server-Side Encryption (SSE) for Amazon Kinesis data streams adds an extra layer of security on top of authentication and authorization. However, it's important to note that SSE only encrypts incoming data after encryption is enabled. Any preexisting data that is available in an unencrypted stream cannot be encrypted once Server-Side Encryption has been enabled.


To ensure that Amazon Kinesis data streams are encrypted, you can follow these remediation steps:

  1. Enable Server-Side Encryption (SSE) for your Amazon Kinesis data streams. You can enable SSE by selecting the "Enable Server-Side Encryption" option when creating a new Kinesis data stream or modifying an existing one. SSE can be configured to use AWS Key Management Service (KMS) or Amazon S3-managed encryption keys.
  2. Ensure that all new Amazon Kinesis data streams are created with SSE enabled by default. You can accomplish this by creating an IAM policy that requires SSE for all new Kinesis data streams.
  3. Audit existing Amazon Kinesis data streams to ensure that SSE is enabled. You can do this using the AWS CLI, AWS Management Console, or AWS SDKs.
  4. Monitor the Kinesis data stream for unauthorized access attempts. You can do this by using AWS CloudTrail, AWS Config, or AWS Security Hub to track and analyze access logs.
  5. Rotate encryption keys on a regular basis. This can help prevent unauthorized access and ensure that the encryption keys remain secure.
  6. Educate your team on the importance of encrypting data streams and how to properly use SSE with Amazon Kinesis data streams.

By following these remediation steps, you can ensure that your Amazon Kinesis data streams are encrypted using Server-Side Encryption, which helps meet regulatory requirements and improves the security of your data at rest.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.