Kinesis SSE Not Configured
- Query id: 7f65be75-90ab-4036-8c2a-410aef7bb650
- Query name: Kinesis SSE Not Configured
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- URL: Github
Description
AWS Kinesis Streams should have SSE (Server Side Encryption) defined: a StreamEncryption property with EncryptionType set to KMS and a KeyId referencing the KMS key. Templates that omit StreamEncryption, or set only one of the two fields, are reported.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
Resources:
  EventStream1:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: EventStream
      RetentionPeriodHours: 24
      ShardCount: 1
      StreamEncryption:
        EncryptionType: KMS
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName}-EventStream-${AWS::Region}
  EventStream2:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: EventStream
      RetentionPeriodHours: 24
      ShardCount: 1
      StreamEncryption:
        KeyId: !Ref myKey
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName}-EventStream-${AWS::Region}
  EventStream3:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: EventStream
      RetentionPeriodHours: 24
      ShardCount: 1
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName}-EventStream-${AWS::Region}
```
Positive test num. 2 - json file
```json
{
  "Resources": {
    "EventStream1": {
      "Type": "AWS::Kinesis::Stream",
      "Properties": {
        "Name": "EventStream",
        "RetentionPeriodHours": 24,
        "ShardCount": 1,
        "StreamEncryption": {
          "EncryptionType": "KMS"
        },
        "Tags": [
          {
            "Key": "Name",
            "Value": "${EnvironmentName}-EventStream-${AWS::Region}"
          }
        ]
      }
    },
    "EventStream2": {
      "Type": "AWS::Kinesis::Stream",
      "Properties": {
        "Name": "EventStream",
        "RetentionPeriodHours": 24,
        "ShardCount": 1,
        "StreamEncryption": {
          "KeyId": "myKey"
        },
        "Tags": [
          {
            "Key": "Name",
            "Value": "${EnvironmentName}-EventStream-${AWS::Region}"
          }
        ]
      }
    },
    "EventStream3": {
      "Type": "AWS::Kinesis::Stream",
      "Properties": {
        "Name": "EventStream",
        "RetentionPeriodHours": 24,
        "ShardCount": 1,
        "Tags": [
          {
            "Key": "Name",
            "Value": "${EnvironmentName}-EventStream-${AWS::Region}"
          }
        ]
      }
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
Resources:
  EventStream:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: EventStream
      RetentionPeriodHours: 24
      ShardCount: 1
      StreamEncryption:
        EncryptionType: KMS
        KeyId: !Ref myKey
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName}-EventStream-${AWS::Region}
```
Negative test num. 2 - json file
```json
{
  "Resources": {
    "EventStream": {
      "Type": "AWS::Kinesis::Stream",
      "Properties": {
        "Tags": [
          {
            "Key": "Name",
            "Value": "${EnvironmentName}-EventStream-${AWS::Region}"
          }
        ],
        "Name": "EventStream",
        "RetentionPeriodHours": 24,
        "ShardCount": 1,
        "StreamEncryption": {
          "EncryptionType": "KMS",
          "KeyId": "myKey"
        }
      }
    }
  }
}
```
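As an added example (not part of the KICS query or its test files), the following Python script applies the same rule to a parsed CloudFormation template: every AWS::Kinesis::Stream must carry a StreamEncryption block with EncryptionType KMS and a non-empty KeyId. The embedded template is constructed to mirror the positive and negative samples above, in JSON form so only the standard library is needed; the logical ids and the `myKey` KMS key are assumptions.

```python
import json

# Constructed sample template (not from KICS): three non-compliant streams
# mirroring the positive tests, one compliant stream, and an unrelated resource.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "EventStream1": {"Type": "AWS::Kinesis::Stream", "Properties": {
            "ShardCount": 1, "StreamEncryption": {"EncryptionType": "KMS"}}},
        "EventStream2": {"Type": "AWS::Kinesis::Stream", "Properties": {
            "ShardCount": 1, "StreamEncryption": {"KeyId": {"Ref": "myKey"}}}},
        "EventStream3": {"Type": "AWS::Kinesis::Stream", "Properties": {
            "ShardCount": 1}},
        "EventStream4": {"Type": "AWS::Kinesis::Stream", "Properties": {
            "ShardCount": 1, "StreamEncryption": {
                "EncryptionType": "KMS", "KeyId": {"Ref": "myKey"}}}},
        "myKey": {"Type": "AWS::KMS::Key", "Properties": {}},
    }
})


def kinesis_sse_findings(template: dict) -> list:
    """Return (logical_id, reason) for each AWS::Kinesis::Stream failing the check.

    A stream passes only when StreamEncryption is present, EncryptionType is
    "KMS" and KeyId is non-empty (a literal key id/ARN or an intrinsic like Ref).
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Kinesis::Stream":
            continue
        sse = (resource.get("Properties") or {}).get("StreamEncryption")
        if not isinstance(sse, dict):
            findings.append((logical_id, "StreamEncryption is not defined"))
            continue
        problems = []
        if sse.get("EncryptionType") != "KMS":
            problems.append("EncryptionType must be KMS")
        if not sse.get("KeyId"):
            problems.append("KeyId must point to a KMS key")
        if problems:
            findings.append((logical_id, "; ".join(problems)))
    return findings


def scan_sample() -> list:
    """Run the check over the constructed template; only the four streams are inspected."""
    return kinesis_sse_findings(json.loads(SAMPLE_TEMPLATE))
```

Running `scan_sample()` reports EventStream1, EventStream2 and EventStream3 with the field each one lacks, while EventStream4 (the shape of the negative samples) produces no finding.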