Amazon Kinesis

AWS Kinesis Using Default KMS key For Server-Side Encryption

Risk Level: Medium

Description:

This plugin checks that server-side encryption is enabled on Kinesis Data Streams and that it uses a customer-managed KMS key rather than the default AWS-managed key. Data sent through Kinesis Data Streams must be encrypted to secure the data flow. Customer-managed keys are recommended over default keys because they give more flexibility in how the key is managed.

About the Service:

Amazon Kinesis is a service that makes it easy to collect and analyze real-time streaming data and derive valuable insights from it. As per the AWS description, it is highly scalable and can ingest real-time data such as video, audio, application logs, website clickstreams, and IoT telemetry for machine learning, analytics, and other applications. Kinesis delivers insights in real time instead of waiting for the stream to end before running analytics.

Impact:

It is highly recommended to encrypt AWS Kinesis Data Streams with customer-managed KMS keys. If encryption is not enabled, stream data is readable by an attacker who gains unauthorized access to it. Customer-managed keys give more flexibility and control over the encryption key and thus deliver better security for the data stream; the default AWS-managed key provides only a minimal level of control.

Steps to reproduce:

  1. Log in to AWS Console.
  2. Navigate to the Kinesis Dashboard. You can use the link (https://console.aws.amazon.com/kinesis) if already logged in.
  3. Select Data Streams in the left navigation panel.
  4. Click on the stream that you want to examine by clicking on its Name.
  5. Move to the Configuration tab.
  6. Scroll down to the Encryption section and check whether encryption is enabled. If encryption is enabled but the key shown is “alias/aws/kinesis” (the default AWS-managed key), the finding applies.
  7. Repeat steps for other data streams.


Steps for remediation:

Enable encryption using a customer-managed KMS key (CMK) for all Kinesis Data Streams:

  1. Log in to AWS Console.
  2. Navigate to the Kinesis Dashboard. You can use the link (https://console.aws.amazon.com/kinesis) if already logged in.
  3. Select Data Streams in the left navigation panel.
  4. Click on the vulnerable stream by clicking on its Name.
  5. Move to the Configuration tab.
  6. Scroll down to the Encryption section and click on Edit.
  7. Select the customer-managed CMK option and specify the ARN of the KMS key you wish to use for encryption.
  8. Finally, click on Save changes after completing the configurations.
  9. Repeat steps for other data streams.
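The console steps above (detection in "Steps to reproduce", remediation in "Steps for remediation") can also be carried out against the Kinesis API, which is how a scanner plugin would do it at scale. The following is an added example, not code from the original page or from the plugin vendor. It classifies each stream from its DescribeStreamSummary output (unencrypted, encrypted with the default alias/aws/kinesis key, or encrypted with a customer-managed key), walks ListStreams pagination, and switches a flagged stream to a CMK with StartStreamEncryption. The stream inventory, the key ARN (a placeholder with AWS's documented example account id) and the FakeKinesisClient are constructed so the demo runs offline; against a real account, pass boto3.client("kinesis") in their place. Matching the default alias in both bare and ARN form is an assumption about how the API reports KeyId.

```python
"""Audit Kinesis Data Streams for default-KMS-key encryption and remediate to a CMK.

Added example; assumes the ListStreams / DescribeStreamSummary /
StartStreamEncryption response shapes documented by AWS. Sample streams,
the key ARN and FakeKinesisClient are constructed for an offline demo.
"""
from typing import Dict, List

DEFAULT_KEY_ALIAS = "alias/aws/kinesis"  # the AWS-managed key the page flags
# Constructed placeholder CMK ARN (111122223333 is AWS's documentation account id).
EXAMPLE_CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-CMK-ID"


def classify_stream(summary: Dict) -> str:
    """Classify a StreamDescriptionSummary dict.

    Returns 'UNENCRYPTED' (EncryptionType NONE or missing), 'DEFAULT_KEY'
    (KMS with alias/aws/kinesis) or 'CUSTOMER_KEY' (KMS with any other key).
    Assumption: KeyId may come back as a bare alias or as a full alias ARN.
    """
    if summary.get("EncryptionType", "NONE") != "KMS":
        return "UNENCRYPTED"
    key_id = summary.get("KeyId", "")
    if key_id == DEFAULT_KEY_ALIAS or key_id.endswith(":" + DEFAULT_KEY_ALIAS):
        return "DEFAULT_KEY"
    return "CUSTOMER_KEY"


def audit_streams(client) -> List[Dict]:
    """Classify every stream in the region, following ListStreams pagination
    (HasMoreStreams + ExclusiveStartStreamName)."""
    findings, kwargs = [], {}
    while True:
        page = client.list_streams(**kwargs)
        for name in page["StreamNames"]:
            summary = client.describe_stream_summary(StreamName=name)["StreamDescriptionSummary"]
            findings.append({"StreamName": name, "Status": classify_stream(summary),
                             "KeyId": summary.get("KeyId")})
        if not page.get("HasMoreStreams"):
            return findings
        kwargs = {"ExclusiveStartStreamName": page["StreamNames"][-1]}


def remediate_stream(client, stream_name: str, cmk_key_id: str) -> Dict:
    """Move a stream onto a customer-managed key. StartStreamEncryption both
    enables and updates SSE; the stream must be ACTIVE and the change is
    applied asynchronously."""
    return client.start_stream_encryption(StreamName=stream_name,
                                          EncryptionType="KMS", KeyId=cmk_key_id)


class FakeKinesisClient:
    """Constructed stand-in for boto3.client('kinesis') so the demo runs offline.
    Implements only the three calls used above, with a small page size so
    pagination is exercised."""

    def __init__(self, streams: Dict[str, Dict], page_size: int = 2):
        self.streams = {name: dict(desc) for name, desc in streams.items()}
        self.page_size = page_size
        self.calls = []

    def list_streams(self, ExclusiveStartStreamName=None, Limit=None):
        names = sorted(self.streams)
        if ExclusiveStartStreamName:
            names = [n for n in names if n > ExclusiveStartStreamName]
        page = names[: self.page_size]
        return {"StreamNames": page, "HasMoreStreams": len(names) > len(page)}

    def describe_stream_summary(self, StreamName):
        return {"StreamDescriptionSummary": dict(self.streams[StreamName])}

    def start_stream_encryption(self, StreamName, EncryptionType, KeyId):
        self.calls.append((StreamName, EncryptionType, KeyId))
        self.streams[StreamName].update({"EncryptionType": EncryptionType, "KeyId": KeyId})
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


# Constructed sample inventory: one stream per state the audit distinguishes.
SAMPLE_STREAMS = {
    "clickstream-prod": {"StreamStatus": "ACTIVE", "EncryptionType": "KMS", "KeyId": DEFAULT_KEY_ALIAS},
    "iot-telemetry": {"StreamStatus": "ACTIVE", "EncryptionType": "KMS", "KeyId": EXAMPLE_CMK_ARN},
    "legacy-logs": {"StreamStatus": "ACTIVE", "EncryptionType": "NONE"},
}


def demo():
    """Audit, remediate only the default-key streams, then re-audit."""
    client = FakeKinesisClient(SAMPLE_STREAMS)
    before = audit_streams(client)
    for finding in before:
        if finding["Status"] == "DEFAULT_KEY":
            remediate_stream(client, finding["StreamName"], EXAMPLE_CMK_ARN)
    after = audit_streams(client)
    return before, after


if __name__ == "__main__":
    for label, findings in zip(("before", "after"), demo()):
        for f in findings:
            print(f"{label}: {f['StreamName']:<18} {f['Status']:<13} {f['KeyId']}")
```

The unencrypted stream is deliberately left alone: it is a different finding from the one this plugin reports, and enabling SSE on it is a separate decision for the stream owner (the same remediate_stream call handles it once a key is chosen).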