Profile Applicability:

  • Level 1

Description:

Amazon Kinesis is a fully managed service for real-time streaming data. Encryption at rest ensures that data stored in Kinesis streams is protected from unauthorized access, even if storage media is compromised. This encryption can be enabled through AWS KMS (Key Management Service), which allows you to manage your encryption keys for Kinesis data streams.

By enabling encryption at rest for Kinesis streams, sensitive data stored in your streams is securely encrypted, helping meet compliance and security requirements.

Rationale:

  • Data Protection: Encryption at rest ensures that data stored in Kinesis is protected from unauthorized access and supports compliance with industry regulations.

  • Compliance: Many regulatory frameworks such as PCI-DSS, HIPAA, SOC 2, and GDPR require encryption of sensitive data at rest.

  • Security Best Practices: Encrypting data at rest is a fundamental security best practice, mitigating the risk of unauthorized access to data, even in the event of a breach or physical theft.

  • Data Integrity: Ensures that sensitive data cannot be tampered with or accessed by unauthorized parties while stored in the stream.

Impact:

Pros:

  • Enhanced Security: Encrypting data ensures it is protected from unauthorized access.

  • Compliance: Helps meet regulatory and compliance requirements for encryption of data at rest.

  • Automatic Key Management: Integrated with AWS KMS for key management and rotation, reducing administrative overhead.

Cons:

  • Performance Overhead: Encryption and decryption processes may introduce a slight performance impact.

  • Cost: Using AWS KMS may incur additional costs related to key management and usage.

  • Complexity: Additional configuration is required to enable encryption and manage KMS keys.

Default Value:

By default, Amazon Kinesis Streams do not have encryption at rest enabled. You must explicitly enable encryption when creating the stream or modify an existing stream to enable encryption.

Pre-requisite:

  • AWS IAM Permissions:

    • kinesis:DescribeStream

    • kinesis:UpdateStream

    • kms:CreateKey

    • kms:DescribeKey

    • kms:Encrypt

    • kms:Decrypt

  • AWS CLI installed and configured.

  • AWS KMS should be available for key management if using custom encryption keys.

  • Kinesis Stream should be active and accessible.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Kinesis under Services.

  3. In the Kinesis Dashboard, select Data Streams.

  4. Choose the stream you want to check for encryption.

  5. Under Stream Details, look for the Encryption section:

    • If Encryption at Rest is enabled, the stream will show as encrypted.

    • If Encryption at Rest is disabled, the stream will not display any encryption status.

  6. To enable encryption at rest, click Edit, select Enable Encryption at Rest, and choose a KMS Key (either AWS-managed KMS key or a Customer-managed KMS key).

  7. Save the changes to apply the encryption setting.

Using AWS CLI:

To check if Encryption at Rest is enabled for a Kinesis stream, run:

aws kinesis describe-stream --stream-name <stream-name> --query 'StreamDescription.EncryptionType'

If the EncryptionType is not KMS, encryption is not enabled. To enable encryption at rest using AWS KMS, run:

aws kinesis start-stream-encryption --stream-name <stream-name> --encryption-type KMS --key-id <kms-key-id>
To verify the encryption status after enabling it, run:

aws kinesis describe-stream --stream-name <stream-name> --query 'StreamDescription.EncryptionType'

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon Kinesis.

  2. In the Kinesis Dashboard, select Data Streams.

  3. Choose the stream you wish to configure.

  4. Under Stream Details, check the Encryption section to verify if Encryption at Rest is enabled.

  5. If encryption is not enabled:

    • Click Modify.

    • Under Encryption, choose Enable Encryption at Rest.

    • Select AWS KMS as the encryption method and choose an appropriate KMS Key.

  6. Save the changes to enable encryption.

Using AWS CLI:

To enable encryption at rest on a Kinesis stream, run:

aws kinesis start-stream-encryption --stream-name <stream-name> --encryption-type KMS --key-id <kms-key-id>

To confirm the encryption status, run:

aws kinesis describe-stream --stream-name <stream-name> --query 'StreamDescription.EncryptionType'
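The two CLI procedures above (the check in the Test Plan and the remediation in the Implementation Steps) collected into one script, as an added example that is not part of this benchmark text. It assumes a configured AWS CLI with the permissions listed under Pre-requisite; the stream name and KMS key id are supplied by the caller, and the parser reads the normal JSON output of `describe-stream`.

```shell
#!/usr/bin/env sh
# Added example (not part of the benchmark). Audits every Kinesis data stream in
# the configured region for server-side encryption and, on request, enables KMS
# encryption on one stream and re-checks it. Assumes a configured AWS CLI.

# Read describe-stream JSON on stdin and print its EncryptionType.
# An unencrypted stream reports NONE; an absent field is treated the same way.
encryption_type() {
  etype=$(sed -n 's/.*"EncryptionType"[[:space:]]*:[[:space:]]*"\([A-Z]*\)".*/\1/p' | head -n 1)
  printf '%s\n' "${etype:-NONE}"
}

# Exit 0 when the stream is compliant (EncryptionType is KMS), 1 otherwise.
is_compliant() {
  [ "$(encryption_type)" = "KMS" ]
}

# List every stream in the region and flag the unencrypted ones.
# Stream names cannot contain whitespace, so word splitting is safe here.
audit_streams() {
  rc=0
  for name in $(aws kinesis list-streams --query 'StreamNames[]' --output text); do
    if aws kinesis describe-stream --stream-name "$name" | is_compliant; then
      echo "COMPLIANT      $name"
    else
      echo "NON-COMPLIANT  $name"
      rc=1
    fi
  done
  return $rc
}

# Enable KMS encryption on one stream. start-stream-encryption is asynchronous:
# the stream moves to UPDATING, so wait for ACTIVE before trusting describe-stream.
enable_encryption() {
  name=$1; key=$2
  aws kinesis start-stream-encryption --stream-name "$name" \
    --encryption-type KMS --key-id "$key"
  until [ "$(aws kinesis describe-stream --stream-name "$name" \
             --query 'StreamDescription.StreamStatus' --output text)" = "ACTIVE" ]; do
    sleep 5
  done
  aws kinesis describe-stream --stream-name "$name" | is_compliant
}

# Usage: ./kinesis-sse.sh audit | ./kinesis-sse.sh enable <stream-name> <kms-key-id>
case $1 in
  audit)  audit_streams ;;
  enable) enable_encryption "$2" "$3" ;;
esac
```

The audit exits non-zero when any stream is unencrypted, so it can gate a pipeline or scheduled compliance job.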

Backout Plan:

Console Process

  1. Go to the Amazon Kinesis Console:

    • Open the Amazon Kinesis console.

    • Select the stream you want to configure.

  2. Enable Server-Side Encryption:

    • Navigate to the Encryption settings.

    • Choose AWS KMS and select a Customer Master Key (CMK) or use the default AWS-managed key.

    • Save the changes.

CLI Process

Enable Encryption:

aws kinesis start-stream-encryption \
--stream-name <stream-name> \
--encryption-type KMS \
--key-id <key-id>

Verify Encryption:

aws kinesis describe-stream --stream-name <stream-name>

  • Check the EncryptionType field in the output. It should say KMS.

Note:

  • Encryption Key Management: Ensure that your KMS keys are properly managed and rotated according to your organization's key management policy.

  • Test in Staging: Before enabling encryption on production streams, it is advisable to test it in a staging environment to confirm that encryption does not introduce performance or compatibility issues.

  • KMS Limits: Be mindful of any limits on the number of keys or encryption requests with AWS KMS.

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                                               | IG1 | IG2 | IG3
--------+------------+-----------------------------------------------------------------------------------------------------------------------------------+-----+-----+----
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                              |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.    |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                          |     |     |
v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                   |     |     |