AWS Kinesis streams are encrypted with customer managed CMK

Use KMS customer-managed keys to protect the Kinesis Streams and metadata. Using KMS customer-managed keys, you gain full control over who can use the keys to access AWS Kinesis data (including the system metadata). The AWS KMS service allows you to create, rotate, disable and audit CMK encryption keys.

Risk Level: Low
Cloud Entity: Amazon Kinesis
CloudGuard Rule ID: D9.AWS.CRY.21
Covered by Spectral: Yes
Category: Analytics


Kinesis should have encryptionKey.isCustomerManaged=true


From Portal

  1. Sign in to the AWS Console.
  2. Go to Amazon Kinesis Service.
  3. Select the reported Kinesis data stream and click on 'configuration'.
  4. Choose 'Encryption' tab under 'configuration'.
  5. Check 'Enable serve-side encryption' box and select 'Use customer managed CMK'.
  6. Click Save Changes.

From TF

resource "aws_kinesis_stream" "test" {
	name             = "terraform-kinesis-test"
	shard_count      = "VALUE"
	retention_period = "VALUE"
	shard_level_metrics = [
	tags = {
		Environment = "test"
	+ encryption_type = ... # i.e "KMS" but different from None
	kms_key_id = "alias/aws/kinesis"

From Command Line

aws kinesis start-stream-encryption --encryption-type KMS --key-id KMS_KEY_ID --stream-name EXAMPLE_NAME



Amazon Kinesis

Amazon Kinesis makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information. Amazon Kinesis offers key capabilities to cost-effectively process streaming data at any scale, along with the flexibility to choose the tools that best suit the requirements of your application. With Amazon Kinesis, you can ingest real-time data such as video, audio, application logs, website clickstreams, and IoT telemetry data for machine learning, analytics, and other applications. Amazon Kinesis enables you to process and analyze data as it arrives and respond instantly instead of having to wait until all your data is collected before the processing can begin.

Compliance Frameworks

  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset