Ensure AWS Kinesis streams are encrypted with KMS customer master keys

Use KMS customer-managed keys (CMKs) to protect Kinesis streams and their metadata. With a KMS CMK, you gain full control over who can use the keys to access AWS Kinesis data (including the system metadata). The AWS KMS service allows you to create, rotate, disable and audit CMK encryption keys.

Risk Level: High
Cloud Entity: Amazon Kinesis
CloudGuard Rule ID: D9.CFT.CRY.09
Covered by Spectral: Yes
Category: Analytics


AWS_Kinesis_Stream should have EncryptionType=KMS


From CFT
Set the AWS::Kinesis::Stream EncryptionType property to 'KMS'.
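The check described above can be run over a template before deployment. The following is an added example, not CloudGuard's or AWS's own code: it reads a JSON CloudFormation template and reports each AWS::Kinesis::Stream whose StreamEncryption block does not set EncryptionType to KMS. It goes one step beyond the rule by also flagging the AWS managed key alias/aws/kinesis, since this page recommends customer-managed keys; the template, the logical IDs and the function name are constructed for illustration.

```python
import json

AWS_MANAGED_ALIAS = "alias/aws/kinesis"  # AWS managed key for Kinesis, not a CMK

# Constructed sample template (abbreviated JSON CloudFormation template).
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "StreamKey": {"Type": "AWS::KMS::Key", "Properties": {"EnableKeyRotation": True}},
        "PlainStream": {"Type": "AWS::Kinesis::Stream", "Properties": {"ShardCount": 1}},
        "ManagedKeyStream": {
            "Type": "AWS::Kinesis::Stream",
            "Properties": {"ShardCount": 1, "StreamEncryption": {
                "EncryptionType": "KMS", "KeyId": "alias/aws/kinesis"}},
        },
        "CmkStream": {
            "Type": "AWS::Kinesis::Stream",
            "Properties": {"ShardCount": 1, "StreamEncryption": {
                "EncryptionType": "KMS", "KeyId": {"Ref": "StreamKey"}}},
        },
    }
})


def check_kinesis_encryption(template_text):
    """Return {logical_id: finding} for every AWS::Kinesis::Stream in the template."""
    resources = json.loads(template_text).get("Resources", {})
    findings = {}
    for logical_id, resource in resources.items():
        if resource.get("Type") != "AWS::Kinesis::Stream":
            continue
        enc = (resource.get("Properties") or {}).get("StreamEncryption") or {}
        key_id = enc.get("KeyId")
        if enc.get("EncryptionType") != "KMS":
            findings[logical_id] = "FAIL: EncryptionType is not KMS"
        elif key_id is None:
            findings[logical_id] = "FAIL: KeyId missing"
        elif isinstance(key_id, str) and key_id.endswith(AWS_MANAGED_ALIAS):
            # Matches both the bare alias and its full alias ARN.
            findings[logical_id] = "WARN: AWS managed key, not customer managed"
        else:
            # Key ARN, key ID, custom alias, or an intrinsic such as Ref/Fn::GetAtt.
            findings[logical_id] = "PASS"
    return findings


if __name__ == "__main__":
    for name, result in check_kinesis_encryption(SAMPLE_TEMPLATE).items():
        print(f"{name}: {result}")
```

A KeyId given as an intrinsic function is treated as a reference to a customer-managed key because it cannot be resolved without deploying the stack.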


  1. https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html

Amazon Kinesis

Amazon Kinesis makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information. Amazon Kinesis offers key capabilities to cost-effectively process streaming data at any scale, along with the flexibility to choose the tools that best suit the requirements of your application. With Amazon Kinesis, you can ingest real-time data such as video, audio, application logs, website clickstreams, and IoT telemetry data for machine learning, analytics, and other applications. Amazon Kinesis enables you to process and analyze data as it arrives and respond instantly instead of having to wait until all your data is collected before the processing can begin.

Compliance Frameworks

  • AWS CloudFormation ruleset