Kinesis Not Encrypted With KMS

  • Query id: f2ea6481-1d31-4d40-946a-520dc6321dd7
  • Query name: Kinesis Not Encrypted With KMS
  • Platform: Ansible
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

AWS Kinesis Streams and metadata should be protected with KMS
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Encrypt Kinesis Stream test-stream.
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_type: KMS
    key_id: alias/aws/kinesis
    wait: yes
    wait_timeout: 600
  register: test_stream
- name: Encrypt Kinesis Stream test-stream. v2
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_state: disabled
    encryption_type: KMS
    key_id: alias/aws/kinesis
    wait: yes
    wait_timeout: 600
  register: test_stream
- name: Encrypt Kinesis Stream test-stream. v3
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_state: enabled
    key_id: alias/aws/kinesis
    wait: yes
    wait_timeout: 600
  register: test_stream
- name: Encrypt Kinesis Stream test-stream. v4
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_state: enabled
    encryption_type: NONE
    key_id: alias/aws/kinesis
    wait: yes
    wait_timeout: 600
  register: test_stream
- name: Encrypt Kinesis Stream test-stream. v5
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_state: enabled
    encryption_type: KMS
    wait: yes
    wait_timeout: 600
  register: test_stream

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Encrypt Kinesis Stream test-stream. v6
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_state: enabled
    encryption_type: KMS
    key_id: alias/aws/kinesis
    wait: yes
    wait_timeout: 600