Ensure AWS Kinesis Streams Keys are rotated

Rotate the keys of your Kinesis Streams in order to protect your data and metadata from breaches or unauthorized access, and fulfill compliance requirements for key management within your organization.

Risk Level: Low
Cloud Entity: Amazon Kinesis
CloudGuard Rule ID: D9.AWS.CRY.20
Covered by Spectral: Yes
Category: Analytics


Kinesis where encrypted should have encryptionKey.rotationStatus=true


From Portal

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console.
  2. In the navigation pane, choose 'Customer managed keys'.
  3. Choose the 'alias or 'key ID' of a KMS key.
  4. Choose the 'Key rotation' tab.
  5. Select or clear the Automatically rotate this KMS key every year check box.
  6. Choose Save.

Note: The Key rotation tab appears only on the detail page of symmetric encryption KMS keys with key material that AWS KMS generated (the Origin is AWS_KMS), including multi-Region symmetric encryption KMS keys. You cannot automatically rotate asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in custom key stores. However, you can rotate them manually. AWS managed keys are automatically rotated every 3 years.

From TF

resource "aws_kms_key" "key1" {
	is_enabled              = true
	+ enable_key_rotation    = true

From Command Line

aws kms enable-key-rotation --kms-key-id KMS_KEY_ID


  1. https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
  2. https://docs.aws.amazon.com/streams/latest/dev/what-is-sse.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key

Amazon Kinesis

Amazon Kinesis makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information. Amazon Kinesis offers key capabilities to cost-effectively process streaming data at any scale, along with the flexibility to choose the tools that best suit the requirements of your application. With Amazon Kinesis, you can ingest real-time data such as video, audio, application logs, website clickstreams, and IoT telemetry data for machine learning, analytics, and other applications. Amazon Kinesis enables you to process and analyze data as it arrives and respond instantly instead of having to wait until all your data is collected before the processing can begin.

Compliance Frameworks

  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset