Implementing Encryption for Kinesis Streams in AWS

Encrypting Data at Rest for Kinesis Streams in AWS

Question

A company is planning on making use of Kinesis streams for analysing user trend data for their ecommerce application.

The IT Security department has a requirement that all data be encrypted at rest.

At the same time, the company does not want to manage the internal cryptography or the keys required for encrypting the data.

Which of the following would be the ideal implementation step for such a requirement?

Answers

Explanations


Answer - B.

The AWS Documentation mentions the following.

Server-side encryption is a feature in Amazon Kinesis Data Streams that automatically encrypts data before it's at rest by using an AWS KMS customer master key (CMK) you specify.

Data is encrypted before it's written to the Kinesis stream storage layer, and decrypted after it's retrieved from storage.

As a result, your data is encrypted at rest within the Kinesis Data Streams service.

This allows you to meet strict regulatory requirements and enhance the security of your data.

With server-side encryption, your Kinesis stream producers and consumers don't need to manage master keys or cryptographic operations.

Your data is automatically encrypted as it enters and leaves the Kinesis Data Streams service, so your data at rest is encrypted.

AWS KMS provides all the master keys that are used by the server-side encryption feature.

AWS KMS makes it easy to use a CMK for Kinesis that is managed by AWS, a user-specified AWS KMS CMK, or a master key imported into the AWS KMS service.

Options C and D are incorrect since the company does not want to manage the encryption process.

Option A is incorrect since you need to use the KMS service for encryption of data.

For more information on server-side encryption with Kinesis, please refer to the URL below.

https://docs.aws.amazon.com/streams/latest/dev/what-is-sse.html

The ideal implementation step for encrypting data at rest in a Kinesis stream while avoiding the management of internal cryptography or keys is to enable server-side encryption for Kinesis streams, which is option B.

Amazon Kinesis is a managed, scalable platform for collecting, processing, and analyzing streaming data in real-time. Kinesis Streams is one of the services provided by Amazon Kinesis, which allows users to capture, process, and store data streams in real-time. Data can be continuously captured and delivered to multiple destinations, such as Amazon S3, Amazon Redshift, or AWS Lambda.

To protect sensitive data in Kinesis streams, server-side encryption (SSE) can be enabled. SSE encrypts the data as it is written to the stream and decrypts it when it is read. SSE ensures that the data is protected at rest and in transit. SSE can be enabled with a single click in the Kinesis console, and AWS manages the encryption keys.
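As an added example (not code from the page or from AWS), the helper below audits a stream's DescribeStream response against the at-rest requirement and builds the StartStreamEncryption parameters that turn SSE on with the AWS-managed Kinesis key, so no key material has to be handled by the company. The stream name, the client usage and the sample responses are constructed for illustration.

```python
"""Audit and enable Kinesis Data Streams server-side encryption (SSE with AWS KMS)."""
from typing import Optional

# AWS-managed CMK for Kinesis: AWS owns and rotates it, the customer manages nothing.
AWS_MANAGED_KEY_ALIAS = "alias/aws/kinesis"


def encryption_status(stream_description: dict) -> str:
    """Classify a DescribeStream 'StreamDescription' dict for the at-rest requirement.

    Returns 'unencrypted' (EncryptionType NONE, fails the requirement),
    'kms-aws-managed' (SSE with the AWS-managed key) or 'kms-customer-key'
    (SSE with a customer-specified or imported KMS key).
    """
    if stream_description.get("EncryptionType", "NONE") != "KMS":
        return "unencrypted"
    key_id = stream_description.get("KeyId", "")
    # KeyId may be returned as a bare alias or as a full alias ARN.
    if key_id in (AWS_MANAGED_KEY_ALIAS, "aws/kinesis") or key_id.endswith(":" + AWS_MANAGED_KEY_ALIAS):
        return "kms-aws-managed"
    return "kms-customer-key"


def start_encryption_params(stream_name: str, key_id: str = AWS_MANAGED_KEY_ALIAS) -> dict:
    """Keyword arguments for kinesis.start_stream_encryption(); KMS is the only type."""
    return {"StreamName": stream_name, "EncryptionType": "KMS", "KeyId": key_id}


def remediate(client, stream_name: str) -> Optional[dict]:
    """Enable SSE on a stream that lacks it, using a boto3 Kinesis client (constructed usage).

    Returns the parameters sent to the API, or None when the stream already met the requirement.
    """
    desc = client.describe_stream(StreamName=stream_name)["StreamDescription"]
    if encryption_status(desc) != "unencrypted":
        return None
    params = start_encryption_params(stream_name)
    client.start_stream_encryption(**params)
    return params


# Constructed sample DescribeStream payloads so the audit logic can be exercised offline.
SAMPLE_UNENCRYPTED = {"StreamName": "user-trends", "EncryptionType": "NONE"}
SAMPLE_AWS_MANAGED = {"StreamName": "user-trends", "EncryptionType": "KMS",
                      "KeyId": "arn:aws:kms:us-east-1:111122223333:alias/aws/kinesis"}
SAMPLE_CUSTOMER_KEY = {"StreamName": "user-trends", "EncryptionType": "KMS",
                       "KeyId": "alias/ecommerce-trends-key"}
```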

Option A, using IAM policies for the encryption of data, is incorrect because IAM policies are used for access control, not encryption.

Option C, encrypting the data before sending it to Kinesis streams, is incorrect because it would require managing the encryption keys and the entire cryptographic process, which is something the company wants to avoid.

Option D, using a CloudHSM service for managing the encryption, is incorrect because it is an expensive and complex solution, which is unnecessary for this requirement.