Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK)

Error: AWS Kinesis streams encryption is using default KMS keys instead of Customer's Managed Master Keys
Bridgecrew Policy ID: BC_AWS_GENERAL_105
Checkov Check ID: CKV_AWS_185
Severity: MEDIUM

Description

This policy identifies AWS Kinesis streams that are encrypted with the default AWS-managed KMS key rather than with a customer managed key (CMK). It is a best practice to use customer managed keys to encrypt your Amazon Kinesis streams data, because a CMK gives you full control over the key that protects the encrypted data.

Fix - Runtime

AWS Console

  1. Sign in to the AWS Console
  2. Go to the Kinesis service
  3. Select the reported Kinesis data stream in the corresponding region
  4. Under Server-side encryption, click Edit
  5. Choose Enabled
  6. Under KMS master key, choose any KMS key other than the default (Default) aws/kinesis key
  7. Click Save

Fix - Buildtime

Terraform

  • Resource: aws_kinesis_stream
  • Arguments: kms_key_id (and encryption_type, which must be "KMS" for kms_key_id to take effect)

resource "aws_kinesis_stream" "pass" {
  ...
  # Server-side encryption defaults to NONE; kms_key_id is ignored unless KMS is selected.
  encryption_type = "KMS"
  # Reference a customer managed key instead of the default alias/aws/kinesis.
  kms_key_id      = aws_kms_key.sse_aws_kms_key_id.id
}
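To make the pass/fail logic above concrete, here is an added standalone re-implementation of the check over a parsed aws_kinesis_stream block (example code, not Checkov's or Bridgecrew's own implementation). It assumes the block's attributes arrive as a plain dict of scalars, and it additionally fails a stream whose encryption_type is not KMS, because the provider ignores kms_key_id in that case; that extra condition is this example's own, not necessarily part of CKV_AWS_185.

```python
from typing import Dict, Tuple

# Alias of the AWS-managed (default) key that the policy flags.
AWS_MANAGED_KINESIS_KEY = "alias/aws/kinesis"


def is_aws_managed_key(key_ref: str) -> bool:
    """True for the AWS-owned default key, given as a bare alias or as an alias ARN."""
    ref = key_ref.strip().strip('"')
    return ref == AWS_MANAGED_KINESIS_KEY or ref.endswith(":" + AWS_MANAGED_KINESIS_KEY)


def evaluate_kinesis_stream(attrs: Dict[str, object]) -> Tuple[bool, str]:
    """Return (passed, reason) for one aws_kinesis_stream resource's attribute map."""
    key_ref = attrs.get("kms_key_id")
    if not key_ref:
        return False, "kms_key_id not set: stream is unencrypted or uses the default key"
    if is_aws_managed_key(str(key_ref)):
        return False, "kms_key_id points at the AWS-managed key alias/aws/kinesis"
    # Assumption added here: kms_key_id is only honoured when encryption_type is KMS
    # (the provider default is NONE), so a CMK reference alone is not a fix.
    if str(attrs.get("encryption_type", "NONE")).upper() != "KMS":
        return False, "encryption_type is not KMS, so kms_key_id is ignored"
    return True, "customer managed key in use"


# Constructed sample blocks: the failing shapes and the corrected one.
SAMPLE_STREAMS = {
    "default_key": {"name": "orders", "shard_count": 1, "encryption_type": "KMS",
                    "kms_key_id": "alias/aws/kinesis"},
    "unset": {"name": "orders", "shard_count": 1},
    "cmk_not_enabled": {"name": "orders", "shard_count": 1,
                        "kms_key_id": "${aws_kms_key.sse.id}"},
    "cmk": {"name": "orders", "shard_count": 1, "encryption_type": "KMS",
            "kms_key_id": "${aws_kms_key.sse.id}"},
}


def audit(streams: Dict[str, Dict[str, object]]) -> Dict[str, Tuple[bool, str]]:
    """Map each resource label to its (passed, reason) verdict."""
    return {label: evaluate_kinesis_stream(attrs) for label, attrs in streams.items()}


if __name__ == "__main__":
    for label, (passed, reason) in audit(SAMPLE_STREAMS).items():
        print(f"{'PASS' if passed else 'FAIL'} aws_kinesis_stream.{label}: {reason}")
```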