Ensure AWS Kinesis streams are encrypted using SSE

Error: AWS Kinesis streams are not encrypted using SSE

Bridgecrew Policy ID: BC_AWS_GENERAL_22
Checkov Check ID: CKV_AWS_43
Severity: MEDIUM


Amazon Kinesis Data Firehose is a streaming data pipeline service that can route messages to destinations such as S3, Redshift, Elasticsearch and others. It can also be used to transform data properties before streaming to a defined destination.

Kinesis supports server-side encryption for data streams that contain sensitive information. When a producer sends data to a data stream, Kinesis encrypts the data using an AWS KMS key before storing it at rest.

We recommend you ensure Kinesis streams are encrypted using server-side encryption (SSE).

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Select Services and search for Kinesis.
  3. Under the Amazon Kinesis dashboard select Data Firehose from the left navigation panel.
  4. Select the Firehose Delivery System that needs to be verified and click on the Name to access the delivery stream.
  5. Select the Details tab and scroll down to Amazon S3 destination. Check the Encryption value and if it's set to Disabled then the selected Firehose Delivery System data is not encrypted.
  6. Repeat steps 4 and 5 to verify another Firehose Delivery System.
  7. To enable encryption on the selected Firehose Delivery System, click on the Name to access the delivery stream. Under the Details tab, click Edit to make the changes in Amazon S3 destination.
  8. Click Enable next to the S3 encryption to enable the encryption.
  9. Select the KMS master key from the dropdown list. Select the (Default) aws/s3 KMS key or an AWS KMS Customer Master Key (CMK).
  10. Click Save.
    A Successfully Updated message appears.

CLI Command

Enables or updates server-side encryption using an AWS KMS key for a specified stream.

aws kinesis start-stream-encryption \
    --encryption-type KMS \
    --key-id arn:aws:kms:us-west-2:012345678912:key/a3c4a7cd-728b-45dd-b334-4d3eb496e452 \
    --stream-name samplestream

Fix - Buildtime


  • Resource: aws_kinesis_stream
  • Arguments:
    encryption_type - (Optional) The encryption type to use. The only acceptable values are NONE or KMS. The default value is NONE.
    kms_key_id - (Optional) The GUID for the customer-managed KMS key to use for encryption. You can also use a Kinesis-owned master key by specifying the alias alias/aws/kinesis.

resource "aws_kinesis_stream" "test_stream" {
  name            = "terraform-kinesis-test"
  # The two arguments below enable server-side encryption with a KMS key.
  encryption_type = "KMS"
  kms_key_id      = "<value>"
}
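
The buildtime check above can also be run against a Terraform plan before apply. The following Python is an added example, not code from Bridgecrew or Checkov: it reads the JSON produced by `terraform show -json <planfile>` and reports every aws_kinesis_stream whose encryption_type will not be KMS. The plan content, the stream names other than test_stream, and the function name audit_kinesis_streams are constructed for illustration.

```python
import json

# Constructed sample: trimmed `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_kinesis_stream.test_stream", "type": "aws_kinesis_stream",
   "change": {"actions": ["create"], "after_unknown": {},
              "after": {"name": "terraform-kinesis-test", "encryption_type": "KMS"}}},
  {"address": "aws_kinesis_stream.plain", "type": "aws_kinesis_stream",
   "change": {"actions": ["create"], "after_unknown": {},
              "after": {"name": "plain", "encryption_type": "NONE"}}},
  {"address": "aws_kinesis_stream.computed", "type": "aws_kinesis_stream",
   "change": {"actions": ["update"], "after_unknown": {"encryption_type": true},
              "after": {"name": "computed"}}},
  {"address": "aws_kinesis_stream.retired", "type": "aws_kinesis_stream",
   "change": {"actions": ["delete"], "after": null, "after_unknown": {}}},
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
   "change": {"actions": ["no-op"], "after": {"bucket": "logs"}, "after_unknown": {}}}
]}
""")


def audit_kinesis_streams(plan):
    """Return {address: verdict} for each aws_kinesis_stream that exists after apply."""
    verdicts = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_kinesis_stream":
            continue
        change = rc.get("change", {})
        after = change.get("after")
        if after is None:
            continue  # stream is being destroyed, nothing left to encrypt
        unknown = change.get("after_unknown") or {}
        if unknown.get("encryption_type") is True:
            verdicts[rc["address"]] = "UNKNOWN"  # only known at apply time
        elif after.get("encryption_type") == "KMS":
            verdicts[rc["address"]] = "PASS"
        else:
            verdicts[rc["address"]] = "FAIL"  # absent, null, or "NONE"
    return verdicts


if __name__ == "__main__":
    for address, verdict in sorted(audit_kinesis_streams(SAMPLE_PLAN).items()):
        print(f"{verdict:8}{address}")
```

An UNKNOWN verdict means the value is computed during apply, so the stream needs a review of its source configuration or a runtime check afterwards.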


  • Resource: AWS::Kinesis::Stream
  • Arguments: Properties.StreamEncryption.EncryptionType
      Type: AWS::Kinesis::Stream
      Properties:
        StreamEncryption:
          EncryptionType: KMS