Securing Data at Rest in AWS Kinesis | Encryption Methods and Best Practices

Data Encryption at Rest in AWS Kinesis

Question

A company is planning on using AWS Kinesis for streaming data from various sources.

One of the key requirements is to ensure that data is encrypted at rest in AWS Kinesis. How would you accomplish this?

Answers

Explanations


Answer - B.

From the options given above, the only logical option is to ensure the data is encrypted by the Producer before it reaches the Kinesis Stream endpoint.

Option A is incorrect since here the data would remain unencrypted in the stream.

Option C is incorrect since this can be used for encryption.

Option D is incorrect since this is used to securely access the Kinesis stream from an EC2 Instance in a private subnet.

For more information on using AWS KMS to encrypt data on the client side, please refer to the URL below.

https://aws.amazon.com/blogs/big-data/encrypt-and-decrypt-amazon-kinesis-records-using-aws-kms/
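Option B in practice, as an added example that is not part of the original page or of the linked AWS blog post: the producer envelope-encrypts each record with a per-record data key from KMS before PutRecord, and the consumer unwraps that key and decrypts after GetRecords. The KMS calls (GenerateDataKey, Decrypt) are passed in as inputs so the block runs offline without an AWS account; the envelope layout and the Unwrap type are this example's own conventions, not an AWS format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

const nonceSize = 12 // standard AES-GCM nonce length

// Unwrap recovers a plaintext data key from its KMS-wrapped form (kms.Decrypt on the
// CiphertextBlob in production). Envelope layout written by EncryptRecord, an example
// format rather than an AWS one: [2-byte wrapped-key length][wrapped key][nonce][ciphertext||tag].
type Unwrap func(wrapped []byte) ([]byte, error)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key from GenerateDataKey(KeySpec AES_256)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// EncryptRecord is the producer step before PutRecord. dataKey and wrappedKey are the
// Plaintext and CiphertextBlob of one kms.GenerateDataKey call (a fresh key per record);
// the partition key is bound as AAD so a ciphertext cannot be replayed under another one.
func EncryptRecord(dataKey, wrappedKey []byte, partitionKey string, payload []byte) ([]byte, error) {
	gcm, err := newGCM(dataKey)
	if err != nil { return nil, err }
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	out := make([]byte, 2)
	binary.BigEndian.PutUint16(out, uint16(len(wrappedKey)))
	out = append(append(out, wrappedKey...), nonce...)
	return gcm.Seal(out, nonce, payload, []byte(partitionKey)), nil
}

// DecryptRecord is the consumer step after GetRecords: unwrap the data key, then authenticate
// and decrypt under the same partition key. Truncated or tampered records fail closed.
func DecryptRecord(unwrap Unwrap, partitionKey string, rec []byte) ([]byte, error) {
	if len(rec) < 2 || len(rec) < 2+int(binary.BigEndian.Uint16(rec))+nonceSize {
		return nil, errors.New("truncated record")
	}
	n := 2 + int(binary.BigEndian.Uint16(rec)) // end of the wrapped key
	dataKey, err := unwrap(rec[2:n])
	if err != nil { return nil, err }
	gcm, err := newGCM(dataKey)
	if err != nil { return nil, err }
	return gcm.Open(nil, rec[n:n+nonceSize], rec[n+nonceSize:], []byte(partitionKey))
}
```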

To ensure that data is encrypted at rest in AWS Kinesis, the appropriate option is to use server-side encryption. This means that data is encrypted before being stored in AWS Kinesis, so it cannot be read or accessed without proper authorization.

AWS Kinesis provides two options for server-side encryption:

  1. Server-Side Encryption with AWS KMS Managed Keys (SSE-KMS): This option uses the AWS Key Management Service (KMS) to manage the encryption keys. The encryption keys are stored and managed securely by AWS KMS, and access to the keys is controlled by AWS Identity and Access Management (IAM) policies. With SSE-KMS, customers can choose between customer managed CMKs and AWS managed CMKs.

  2. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3): This option uses Amazon S3 to manage the encryption keys. With SSE-S3, Amazon S3 automatically encrypts objects before they are stored in AWS Kinesis. Encryption keys are stored and managed by Amazon S3, and access to the keys is controlled by IAM policies.

Both options provide strong encryption and help to protect the confidentiality and integrity of data stored in AWS Kinesis. To enable server-side encryption in AWS Kinesis, you need to specify the appropriate encryption option when creating a Kinesis stream or updating an existing stream.