Data Lake Design: Ensuring Secure CMK Usage for AWS Kinesis

Best Practices for CMK Usage with AWS Kinesis

Question

You are designing a data lake for the analysis of financial data.

The system consists of a data ingestion component utilizing AWS Kinesis and a storage component utilizing AWS S3.

The data in Kinesis is encrypted by a CMK managed using AWS KMS.

What is the best way to ensure that the CMK is only used by the AWS Kinesis service?

Explanations

Answer: C.

Option A is incorrect because Interface VPC Endpoints are used to integrate S3 with a VPC. Option B is incorrect because an S3 ACL is used to restrict access to individual objects.

Log Delivery Group is used for server access logging.

Option C is CORRECT because the condition key limits the use of an AWS KMS customer master key (CMK) to requests from specified AWS services.

Option D is incorrect because there is no encrypt-SSE-C action on S3.

Reference:

https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service

Option A is incorrect because it only restricts access to the S3 bucket and does not address the issue of ensuring that the CMK is only used by the Kinesis service.

Option B is incorrect because it only grants WRITE permission to the Log Delivery group and does not address the issue of ensuring that the CMK is only used by the Kinesis service.

Option D is incorrect because it uses server-side encryption with customer-provided keys (SSE-C) instead of KMS encryption, which is not the recommended approach for encrypting data at rest in S3.

The correct answer is Option C because it uses the kms:ViaService condition in the KMS key policy to restrict usage of the CMK to the Kinesis service only. The kms:ViaService condition specifies the AWS service that must be used to access the CMK, in this case, Kinesis. The policy should be updated with a statement similar to the following:

```json
{
  "Sid": "Restrict access to Kinesis service only",
  "Effect": "Allow",
  "Principal": { "Service": "kinesis.amazonaws.com" },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Describe*"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": { "kms:ViaService": "kinesis.<region>.amazonaws.com" }
  }
}
```

This policy statement allows the Kinesis service to use the CMK to encrypt and decrypt data, but only if the request originates from the Kinesis service. It also allows other AWS services to describe the key, but not use it.

Therefore, Option C is the correct answer.