Kinesis SSE Not Configured

  • Query id: 7f65be75-90ab-4036-8c2a-410aef7bb650
  • Query name: Kinesis SSE Not Configured
  • Platform: CloudFormation
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

AWS Kinesis Stream should have SSE (Server Side Encryption) defined
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  EventStream1:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: EventStream
      RetentionPeriodHours: 24
      ShardCount: 1
      StreamEncryption:
            EncryptionType: KMS
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName}-EventStream-${AWS::Region}
  EventStream2:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: EventStream
      RetentionPeriodHours: 24
      ShardCount: 1
      StreamEncryption:
            KeyId: !Ref myKey
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName}-EventStream-${AWS::Region}
  EventStream3:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: EventStream
      RetentionPeriodHours: 24
      ShardCount: 1
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName}-EventStream-${AWS::Region}
Positive test num. 2 - json file
{
  "Resources": {
    "EventStream1": {
      "Type": "AWS::Kinesis::Stream",
      "Properties": {
        "Name": "EventStream",
        "RetentionPeriodHours": 24,
        "ShardCount": 1,
        "StreamEncryption": {
          "EncryptionType": "KMS"
        },
        "Tags": [
          {
            "Key": "Name",
            "Value": "${EnvironmentName}-EventStream-${AWS::Region}"
          }
        ]
      }
    },
    "EventStream2": {
      "Type": "AWS::Kinesis::Stream",
      "Properties": {
        "Name": "EventStream",
        "RetentionPeriodHours": 24,
        "ShardCount": 1,
        "StreamEncryption": {
          "KeyId": "myKey"
        },
        "Tags": [
          {
            "Key": "Name",
            "Value": "${EnvironmentName}-EventStream-${AWS::Region}"
          }
        ]
      }
    },
    "EventStream3": {
      "Type": "AWS::Kinesis::Stream",
      "Properties": {
        "Name": "EventStream",
        "RetentionPeriodHours": 24,
        "ShardCount": 1,
        "Tags": [
          {
            "Key": "Name",
            "Value": "${EnvironmentName}-EventStream-${AWS::Region}"
          }
        ]
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  EventStream:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: EventStream
      RetentionPeriodHours: 24
      ShardCount: 1
      StreamEncryption:
            EncryptionType: KMS
            KeyId: !Ref myKey
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName}-EventStream-${AWS::Region}
Negative test num. 2 - json file
{
  "Resources": {
    "EventStream": {
      "Type": "AWS::Kinesis::Stream",
      "Properties": {
        "Tags": [
          {
            "Key": "Name",
            "Value": "${EnvironmentName}-EventStream-${AWS::Region}"
          }
        ],
        "Name": "EventStream",
        "RetentionPeriodHours": 24,
        "ShardCount": 1,
        "StreamEncryption": {
          "EncryptionType": "KMS",
          "KeyId": "myKey"
        }
      }
    }
  }
}