Triage AWS Kinesis Streams should be encrypted ENCRYPTION_NOT_ENABLED


ENCRYPTION_NOT_ENABLED

Understand

Why should I care about fixing this issue?

Ensuring your Kinesis Streams are encrypted with KMS is crucial for protecting sensitive data and meeting compliance requirements. Unencrypted streams can be vulnerable to unauthorized access and data breaches.

Validate

How am I sure that this alert is true and accurate?

This alert is based on the EncryptionType field of your Kinesis Stream's description. To manually check, use the AWS CLI command:

aws kinesis describe-stream --stream-name <your-stream-name>

Verify that the EncryptionType field is set to KMS.
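
To run the same check over saved aws kinesis describe-stream output for several streams at once, the Python example below flags every stream whose EncryptionType is not KMS. It is an added example, not part of the original guide or the policy's own code. The stream names and sample JSON are constructed, and treating a missing EncryptionType as unencrypted and marking non-ACTIVE streams for a re-check are assumptions of this example.

```python
import json

# Constructed sample outputs of `aws kinesis describe-stream`, trimmed to the
# fields used here. Stream names are made up for illustration.
SAMPLES = [
    '{"StreamDescription": {"StreamName": "orders", "StreamStatus": "ACTIVE",'
    ' "EncryptionType": "KMS", "KeyId": "alias/aws/kinesis"}}',
    '{"StreamDescription": {"StreamName": "clickstream", "StreamStatus": "ACTIVE",'
    ' "EncryptionType": "NONE"}}',
    '{"StreamDescription": {"StreamName": "legacy", "StreamStatus": "UPDATING"}}',
]


def triage(describe_stream_json):
    """Return a finding dict for one describe-stream JSON document."""
    desc = json.loads(describe_stream_json).get("StreamDescription") or {}
    # Assumption of this example: a missing field is treated as unencrypted.
    enc = desc.get("EncryptionType", "NONE")
    finding = {
        "stream": desc.get("StreamName", "<unknown>"),
        "status": desc.get("StreamStatus", "<unknown>"),
        "encryption_type": enc,
        "key_id": desc.get("KeyId"),  # which KMS key protects the stream, if any
        "violation": None if enc == "KMS" else "ENCRYPTION_NOT_ENABLED",
    }
    # A stream that is not ACTIVE may be mid-change; check again once it settles.
    finding["recheck"] = finding["status"] != "ACTIVE"
    return finding


def triage_all(documents):
    """Triage many documents; return (findings, sorted names of violating streams)."""
    findings = [triage(doc) for doc in documents]
    violating = sorted(f["stream"] for f in findings if f["violation"])
    return findings, violating


if __name__ == "__main__":
    findings, violating = triage_all(SAMPLES)
    for f in findings:
        print(f"{f['stream']:<12} {f['encryption_type']:<5} key={f['key_id']} "
              f"status={f['status']} -> {f['violation'] or 'OK'}")
    print("violating:", ", ".join(violating) or "none")
```
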

Does this policy scan on a schedule or is it Reactive?

This policy is reactive and will evaluate whenever the encryption configuration of the Kinesis Stream changes.

Triage

What is the impact if it is unfixed?

Unencrypted Kinesis Streams can lead to data breaches, non-compliance with data protection regulations, and potential financial and reputational damage.

Does this problem get worse over time if it is unaddressed?

Yes, the longer the stream remains unencrypted, the greater the risk of data exposure.

Can remediation cause outages or downtime to any other running service?

Enabling KMS encryption on an existing Kinesis Stream may require stopping and recreating the stream, which can cause temporary downtime.

Act

What do I do to fix this alarm?

  1. Stop the Kinesis Stream if it is currently in use.
  2. Enable KMS encryption for the stream using the AWS Management Console, CLI, or SDK.
  3. Restart the stream.

Reflect

What should I do if this alarm wasn't a good use of time?

If this policy generates frequent false positives or is not relevant to your use case, consider adjusting the policy settings or disabling it. Review your organization's security requirements to ensure the policy aligns with your needs.