AWS Kinesis streams are encrypted with default KMS keys instead of customer-managed master keys
Description
This policy identifies AWS Kinesis streams that are encrypted with the default AWS-managed KMS key rather than a master key managed by the customer. Using a customer-managed master key to encrypt your Amazon Kinesis stream data is a best practice: it gives you full control over the key that protects the encrypted data.
Code Example

```hcl
resource "aws_kinesis_stream" "pass" {
  ...
  # kms_key_id is only applied when server-side encryption is set to KMS;
  # without encryption_type = "KMS" the provider ignores the key reference.
  encryption_type = "KMS"
  kms_key_id      = aws_kms_key.sse_aws_kms_key_id.id
}
```

Remediation
AWS Console

1. Sign in to the AWS Console.
2. Go to the Kinesis service.
3. Select the reported Kinesis data stream in the corresponding region.
4. Under Server-side encryption, click Edit.
5. Choose Enabled.
6. Under KMS master key, choose any KMS key other than the default key, (Default) aws/kinesis.
7. Click Save.

Fix - Buildtime
Terraform
- Resource: aws_kinesis_stream
- Arguments: kms_key_id
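The following is an added example, not code from the original page or from Checkov/Prisma Cloud: a stream that fails this check because it relies on the AWS-managed default key, beside a stream that passes by referencing a customer-managed key defined in the same configuration. Resource names, stream names and the alias are assumptions.

```hcl
# Failing case: server-side encryption is on, but it uses the AWS-managed
# default key for Kinesis (alias/aws/kinesis), which the account cannot
# control (no key policy, rotation or deletion under the customer's control).
resource "aws_kinesis_stream" "fail" {
  name            = "orders-raw-default-key"   # assumed name
  shard_count     = 1
  encryption_type = "KMS"
  kms_key_id      = "alias/aws/kinesis"
}

# Passing case: a customer-managed KMS key (CMK) owned by the account, with
# automatic annual rotation enabled and a deletion window for recovery.
resource "aws_kms_key" "kinesis" {
  description             = "CMK for Kinesis stream server-side encryption"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

# A friendly alias so operators and policies can refer to the key by name.
resource "aws_kms_alias" "kinesis" {
  name          = "alias/kinesis-orders"       # assumed alias
  target_key_id = aws_kms_key.kinesis.key_id
}

resource "aws_kinesis_stream" "pass" {
  name            = "orders-raw"               # assumed name
  shard_count     = 1
  # kms_key_id only takes effect when encryption_type is "KMS".
  encryption_type = "KMS"
  kms_key_id      = aws_kms_key.kinesis.arn
}
```

Running `checkov -d .` against this directory reports CKV_AWS_185 as failed for `aws_kinesis_stream.fail` and passed for `aws_kinesis_stream.pass`.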
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0234 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_185 |