🛡️ AWS Kinesis Stream is not encrypted at rest🟢

• Contextual name: 🛡️ Stream is not encrypted at rest🟢
• ID: /ce/ca/aws/kinesis/stream-encryption
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS Kinesis Stream
  • 🔌 AWS Kinesis Stream - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [Kinesis.1] Kinesis streams should be encrypted at rest

Description

Open File

Description

This policy identifies AWS Kinesis Stream that do not have server-side encryption enabled.

Rationale

Encrypting data at rest ensures that data stored in Kinesis streams is not readable by unauthorized users, protecting it from potential data breaches if the underlying storage is compromised.

Audit

This policy flags an AWS Kinesis Stream as INCOMPLIANT if the Encryption Type field is set to NONE.

Remediation

Open File

Remediation

Enable Server-Side Encryption

From AWS CLI

To enable server-side encryption using the AWS CLI, run the start-stream-encryption command:

aws kinesis start-stream-encryption \
    --stream-name {{stream-name}} \
    --encryption-type KMS \
    --key-id {{kms-key-id}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Kinesis.1] Kinesis streams should be encrypted at rest			1		no data
💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest			14		no data
💼 Cloudaware Framework → 💼 Data Encryption			54		no data
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H)			12		no data
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H)			12		no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	32		no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	31		no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)		5	20		no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			32		no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		31		no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			20		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			32		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		31		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			20		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			159		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			135		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			151		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			31		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control _ Cryptography Management			12		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration			12		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		21		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	17	32		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection		10	20		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection			19		no data