Amazon Kinesis Data Streams should be encrypted at rest using AWS Key Management Service (KMS) to protect sensitive data from unauthorized access. This FinOps policy ensures that encryption is enabled at the resource level, satisfying both security requirements and compliance mandates such as AWS Foundational Security Best Practices and NIST SP 800-53.
This policy corresponds directly to AWS Security Hub control Kinesis.1, which flags any Kinesis Data Stream that lacks server-side encryption (SSE).
Why This Policy Matters
Unencrypted Kinesis streams expose data at rest to potential unauthorized access. This creates both a security risk and a compliance gap across regulated industries including healthcare, finance, and government.
Failing to encrypt Kinesis streams can result in:
- Failed audits against frameworks such as NIST SP 800-53, PCI DSS, and SOC 2
- Violations flagged by AWS Security Hub under the Kinesis.1 control
- Increased risk surface for data exfiltration or insider threats
- Potential regulatory penalties for non-compliant data handling
This policy applies to all Kinesis Data Streams handling any volume of data, including development and staging environments that may receive production-like payloads.
How It Helps Reduce Cloud Costs
Encryption at rest for Kinesis streams introduces a marginal cost increase through KMS API calls. However, the cost of not encrypting is significantly higher when accounting for incident response, audit remediation, and regulatory fines.
Teams that proactively enforce this policy avoid:
- Emergency remediation costs following a security incident
- Consultant and legal fees tied to compliance failures
- Rework costs from failed security audits in CI/CD pipelines
Enforcing encryption from the start—through Infrastructure-as-Code—eliminates the need for reactive fixes.
Potential Savings
A single compliance audit failure tied to unencrypted data streams can cost between $50,000 and $500,000 in remediation, legal review, and process overhaul, depending on the regulatory context.
KMS costs for encrypting Kinesis streams are typically less than $5 per month per stream at standard throughput levels. The cost-to-risk ratio strongly favors enforcement.
Teams using Infracost to enforce this policy during the pull request stage avoid accumulating a backlog of non-compliant resources, which is where remediation costs compound over time.
Implementation Guide
Infrastructure-as-Code Example (Terraform)
The following examples show a non-compliant Kinesis stream configuration and its corrected version.
Non-compliant configuration (no encryption):
resource "aws_kinesis_stream" "example" {
  name             = "example-stream"
  shard_count      = 1
  retention_period = 24

  tags = {
    Environment = "production"
  }
}
This configuration does not enable server-side encryption. It will be flagged by AWS Security Hub as a Kinesis.1 violation.
Compliant configuration (encryption enabled with AWS-managed key):
resource "aws_kinesis_stream" "example" {
  name             = "example-stream"
  shard_count      = 1
  retention_period = 24

  stream_mode_details {
    stream_mode = "PROVISIONED"
  }

  encryption_type = "KMS"
  key_id          = "alias/aws/kinesis"

  tags = {
    Environment = "production"
  }
}
Compliant configuration (encryption enabled with customer-managed key):
resource "aws_kms_key" "kinesis_key" {
  description             = "KMS key for Kinesis stream encryption"
  deletion_window_in_days = 10
  enable_key_rotation     = true

  tags = {
    Environment = "production"
  }
}

resource "aws_kinesis_stream" "example" {
  name             = "example-stream"
  shard_count      = 1
  retention_period = 24

  encryption_type = "KMS"
  key_id          = aws_kms_key.kinesis_key.arn

  tags = {
    Environment = "production"
  }
}
Using a customer-managed KMS key (CMK) provides finer-grained access control, key rotation policies, and audit trail visibility through AWS CloudTrail.
Using the AWS-managed key (alias/aws/kinesis) is simpler and sufficient for many compliance requirements, though it offers less control.
Manual Step-by-Step Instructions
Follow these steps to identify and fix unencrypted Kinesis streams:
- Audit existing streams using the AWS CLI:
  aws kinesis list-streams
- Check encryption status for each stream:
  aws kinesis describe-stream-summary --stream-name <stream-name>
  Look for EncryptionType in the response. A value of NONE indicates a violation.
- Enable encryption on an existing stream via CLI:
  aws kinesis start-stream-encryption \
    --stream-name <stream-name> \
    --encryption-type KMS \
    --key-id alias/aws/kinesis
- Update your Terraform configuration to include encryption_type and key_id as shown in the examples above.
- Run terraform plan to confirm the change is detected and will be applied without destroying the stream.
- Apply the change:
  terraform apply
- Verify compliance by re-checking the stream in AWS Security Hub or re-running the describe command.
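The audit in the first two steps, scripted across every stream in the account, as an added example (not Infracost's or AWS's code). The `aws` subprocess wrapper, the injected callables and the sample responses are assumptions made for this example; the pass/fail rule is the Kinesis.1 rule described above.

```python
"""Audit live Kinesis Data Streams against Security Hub control Kinesis.1.

Added example (not Infracost's or AWS's code). Live mode shells out to the
CLI commands from the steps above; the evaluation logic takes plain dicts so
it also runs against constructed responses without AWS access.
"""
import json
import subprocess


def evaluate_summary(summary):
    """Classify one StreamDescriptionSummary: only "KMS" passes, and a missing
    EncryptionType is treated like "NONE" so an odd response cannot pass."""
    enc = summary.get("EncryptionType") or "NONE"
    return {"stream": summary["StreamName"], "encryption_type": enc,
            "key_id": summary.get("KeyId"), "compliant": enc == "KMS"}

def aws_cli_json(*args):
    """Run an AWS CLI command and parse its JSON output (live mode only)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def audit_streams(list_streams, describe_summary):
    """Evaluate every stream; both callables are injected so the logic
    can be exercised with constructed data."""
    return [evaluate_summary(describe_summary(n)["StreamDescriptionSummary"])
            for n in list_streams()["StreamNames"]]

# Constructed sample responses shaped like the real CLI output.
SAMPLE_LIST = {"StreamNames": ["orders", "audit-log"]}
SAMPLE_SUMMARIES = {
    "orders": {"StreamDescriptionSummary": {
        "StreamName": "orders", "EncryptionType": "NONE"}},
    "audit-log": {"StreamDescriptionSummary": {
        "StreamName": "audit-log", "EncryptionType": "KMS",
        "KeyId": "alias/aws/kinesis"}},
}

if __name__ == "__main__":
    findings = audit_streams(
        lambda: aws_cli_json("kinesis", "list-streams"),
        lambda n: aws_cli_json("kinesis", "describe-stream-summary",
                               "--stream-name", n))
    for f in findings:
        print("PASS" if f["compliant"] else "FAIL", f["stream"], f["encryption_type"])
```

Run it with credentials for the account you are auditing; any FAIL line is a stream that still needs the start-stream-encryption step.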
Best Practices
- Always define encryption in IaC from the start. Retrofitting encryption to existing streams is more operationally complex than provisioning it correctly.
- Prefer customer-managed KMS keys for production streams. This enables key rotation, access policies, and audit logging.
- Enable KMS key rotation on all CMKs used for Kinesis encryption (enable_key_rotation = true).
- Tag KMS keys to align with your cost allocation strategy and identify their associated services.
- Apply this policy across all environments. Development and staging streams that receive production-like data carry the same compliance risk.
- Integrate policy checks into CI/CD pipelines so that non-compliant configurations are caught before deployment.
- Monitor with AWS Security Hub. Enable the Kinesis.1 control to receive automated findings for unencrypted streams.
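One way to put the CI/CD check from the list above into a pipeline, as an added example that is not Infracost's or Checkov's code: a small gate over the JSON that `terraform show -json tfplan` produces. The plan layout (planned_values, root_module, child_modules) is Terraform's documented plan format; the sample plan and the module name are constructed for this example.

```python
"""CI gate: fail a Terraform plan that would leave a Kinesis Data Stream
unencrypted (Security Hub control Kinesis.1). Added example, not Infracost's
or Checkov's code: it reads the JSON from `terraform show -json tfplan` and
checks every aws_kinesis_stream in planned_values, child modules included."""
import json
import sys


def iter_resources(module):
    """Yield each resource of a plan module and, recursively, of its children."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def check_stream(resource):
    """Return None when compliant, else a violation message. key_id is not
    required here: when it references a KMS key created in the same plan it is
    unknown at plan time and therefore absent from planned_values."""
    values = resource.get("values") or {}
    enc = values.get("encryption_type") or "NONE"   # provider default is NONE
    if enc != "KMS":
        return f'{resource["address"]}: encryption_type is {enc}, expected "KMS"'
    return None

def find_violations(plan):
    root = plan.get("planned_values", {}).get("root_module", {})
    return [msg for res in iter_resources(root)
            if res.get("type") == "aws_kinesis_stream"
            for msg in [check_stream(res)] if msg]

# Constructed plan fragment mirroring the non-compliant and compliant
# Terraform examples on this page, plus a stream declared inside a module.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_kinesis_stream.legacy", "type": "aws_kinesis_stream",
         "values": {"name": "legacy", "encryption_type": "NONE"}},
        {"address": "aws_kinesis_stream.example", "type": "aws_kinesis_stream",
         "values": {"name": "example-stream", "encryption_type": "KMS",
                    "key_id": "alias/aws/kinesis"}}],
    "child_modules": [{"address": "module.ingest", "resources": [
        {"address": "module.ingest.aws_kinesis_stream.events",
         "type": "aws_kinesis_stream", "values": {"name": "events"}}]}]}}}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    violations = find_violations(plan)
    for msg in violations:
        print("FAIL", msg)
    sys.exit(1 if violations else 0)
```

In a pipeline, run `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and then this script on plan.json; a non-zero exit blocks the merge.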
Tools and Scripts to Help Implement
Infracost supports this policy and can detect missing encryption configuration on Kinesis streams automatically. This policy is available in Infracost, including in the free trial.
When integrated into your CI/CD pipeline, Infracost:
- Detects non-compliant Kinesis stream configurations at the pull request stage, before infrastructure is deployed
- Surfaces the policy violation alongside cost estimates, giving engineers full context in a single view
- Enables FinOps teams to track remediation progress over time, measuring how the backlog of non-compliant resources is reduced
- Prevents future violations by blocking or flagging PRs that introduce unencrypted streams
To get started, add Infracost to your CI/CD pipeline and enable the Kinesis encryption policy in your Infracost policy configuration. Teams using Infracost can enforce this policy consistently across all Terraform workspaces without manual review.
Additional tools:
- AWS Security Hub – Enables the Kinesis.1 control for continuous compliance monitoring
- AWS Config – Use the kinesis-stream-encrypted managed rule to detect unencrypted streams
- Checkov – Static analysis tool for IaC that flags missing Kinesis encryption
- tfsec – Scans Terraform files for security misconfigurations including unencrypted streams
Examples of Impact
Example 1: Healthcare data pipeline remediation
A healthcare organization running patient event data through 12 Kinesis streams failed a HIPAA readiness review because none of the streams had encryption enabled. Remediating the issue post-audit required a dedicated two-week engineering sprint, external security review, and updated documentation. Total remediation cost exceeded $80,000.
Had the encryption policy been enforced in Terraform from the start—and detected via Infracost in the PR pipeline—the fix would have been a one-line configuration change with no downstream incident.
Example 2: Financial services compliance gap
A fintech team discovered during a SOC 2 Type II audit that 8 of their 15 Kinesis streams lacked server-side encryption. The audit finding delayed certification by three months. The delayed certification cost the business two enterprise contracts that required SOC 2 compliance as a prerequisite.
Enforcing this FinOps policy in IaC would have prevented the gap from being introduced in the first place.
Considerations and Caveats
- KMS costs are additive. Enabling encryption on Kinesis streams introduces KMS API call charges. At typical throughput levels, this is under $5/month per stream, but high-volume streams with many small records may incur higher API costs. Evaluate using aws/kinesis managed keys for cost efficiency in non-sensitive workloads.
- Encryption cannot be disabled once enabled on a Kinesis stream without recreating it. Plan key management carefully before enabling CMK-based encryption.
- Changing the KMS key on an existing stream is possible but requires careful coordination to avoid data access disruption.
- AWS-managed keys vs. CMKs involve a compliance tradeoff. CMKs offer more control but require active key management. AWS-managed keys satisfy many compliance requirements with minimal overhead.
- Cross-account access to encrypted streams requires explicit KMS key policy grants. Ensure your key policies allow access from all consuming accounts or roles.
- Kinesis Data Firehose and Kinesis Data Analytics have separate encryption configurations. This policy specifically targets Kinesis Data Streams.
- Terraform state may not immediately reflect encryption status after applying via CLI. Always manage encryption through IaC to maintain state consistency.
