End-to-End Encryption for AWS Kinesis Stream | HikeHills.com

Achieving End-to-End Encryption for AWS Kinesis Stream

Question

HikeHills.com (HH) is an online specialty retailer that sells clothing and outdoor recreation gear for hiking, camping, road biking, mountain biking, rock climbing, ice climbing, skiing, avalanche safety, snowboarding, fly fishing, kayaking, rafting, road and trail running, and much more. HH runs its entire online infrastructure on multiple Java-based web applications and other web framework applications running on AWS.

HH captures clickstream data and uses a custom-built recommendation engine to recommend products, which improves sales and helps it understand customer preferences. HH already uses Amazon Kinesis Data Streams (KDS) to collect events and transaction logs and to process the stream.

Multiple departments at HH use different streams for real-time integration and to bring analytics into their applications, and Kinesis serves as the backbone of real-time data integration across the enterprise. HH wants to enable end-to-end encryption for the Kinesis streams.

How can this be achieved? Select 4 options.

Answers

Explanations


Answer: A, B, E, F.

Option A is correct - Server-side encryption can be enabled through KMS which provides the master keys.

https://docs.aws.amazon.com/streams/latest/dev/what-is-sse.html

Option B is correct - Server-side encryption can use a CMK for Kinesis that is managed by AWS.

https://docs.aws.amazon.com/streams/latest/dev/creating-using-sse-master-keys.html

Option C is incorrect - Client-side encryption is not enabled for Kinesis.

https://docs.aws.amazon.com/streams/latest/dev/what-is-sse.html

Option D is incorrect - Client-side encryption is not enabled for Kinesis.

https://docs.aws.amazon.com/streams/latest/dev/what-is-sse.html

Option E is correct - Server-side encryption can use a user-specified CMK.

https://docs.aws.amazon.com/streams/latest/dev/creating-using-sse-master-keys.html

Option F is correct - Server-side encryption can use a master key imported into the AWS KMS service.

https://docs.aws.amazon.com/streams/latest/dev/creating-using-sse-master-keys.html

HH can enable end-to-end encryption for Kinesis Streams in multiple ways. Each of the six options is described below:

A. Server-side encryption can be enabled through KMS which provides the master keys:

HH can enable server-side encryption of their Kinesis Streams by using AWS Key Management Service (KMS) master keys. KMS is a fully managed service that makes it easy for HH to create and control the encryption keys used to encrypt data. Kinesis Streams encrypts data with KMS-managed keys as soon as it's written to disk, which ensures that data is always encrypted while at rest.

B. Server-side encryption can use a CMK for Kinesis that is managed by AWS:

HH can also use a KMS Customer Master Key (CMK) that is managed by AWS to enable server-side encryption of their Kinesis Streams. AWS KMS can generate, store, and manage cryptographic keys that can be used to encrypt and decrypt data. HH can create a CMK in KMS or use an AWS-managed CMK to encrypt their data.

C. Client-side encryption can use a user-specified CMK:

HH can enable client-side encryption of their Kinesis Streams by using a user-specified Customer Master Key (CMK) to encrypt their data. In this approach, HH encrypts the data before it's sent to Kinesis Streams. Kinesis Streams stores the encrypted data, and HH decrypts it when it's retrieved.

D. Client-side encryption can use a master key imported into the AWS KMS service:

HH can import a master key into the AWS KMS service and use it for client-side encryption of their Kinesis Streams. AWS KMS supports importing keys that are created outside of the service, which allows HH to use keys that are compatible with other cryptographic systems.

E. Server-side encryption can use a user-specified CMK:

HH can enable server-side encryption of their Kinesis Streams by using a user-specified Customer Master Key (CMK) to encrypt their data. In this approach, Kinesis Streams encrypts the data as soon as it's written to disk using the user-specified CMK.

F. Server-side encryption can use a master key imported into the AWS KMS service:

HH can import a master key into the AWS KMS service and use it for server-side encryption of their Kinesis Streams. This option is similar to option B, but instead of using an AWS-managed CMK, HH uses a master key that they import into KMS.
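The three server-side choices above (AWS-managed CMK, customer-managed CMK, CMK with imported key material) all end up as the same Kinesis API call with a different `KeyId`. As an added example that is not part of the original page, the code below audits constructed `describe_stream_summary`-shaped responses for streams still at `EncryptionType: NONE` and builds the `start_stream_encryption` parameters to fix them; the stream names, account ID and key ID are made up, and the KeyId format check is this example's own assumption, not an AWS-provided validator.

```python
"""Audit Kinesis stream SSE state and build StartStreamEncryption parameters.
Pure Python over dicts shaped like boto3's describe_stream_summary output, so it
runs offline; feed it real responses to audit an account."""
import re

# KeyId forms accepted by StartStreamEncryption (assumed regexes, not from AWS).
_KEY_ID_FORMS = (
    re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$"),     # key ARN
    re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:alias/[A-Za-z0-9/_-]+$"),  # alias ARN
    re.compile(r"^[0-9a-f-]{36}$"),                                        # key ID
    re.compile(r"^alias/[A-Za-z0-9/_-]+$"),                                # alias name
)

def start_encryption_params(stream_name, key_id="alias/aws/kinesis"):
    """Build kwargs for kinesis.start_stream_encryption(**params).
    Default is the AWS-managed CMK for Kinesis (option B); pass a customer CMK
    (option E) or a CMK backed by imported key material (option F) by key ID,
    key ARN or alias."""
    if not any(p.match(key_id) for p in _KEY_ID_FORMS):
        raise ValueError(f"unsupported KeyId form: {key_id!r}")
    return {"StreamName": stream_name, "EncryptionType": "KMS", "KeyId": key_id}

def audit_streams(summaries):
    """Classify each describe_stream_summary result.
    Returns sorted (stream name, status, key id) tuples; status is
    'sse-kms' when SSE is on with a key, otherwise 'unencrypted'."""
    findings = []
    for s in summaries:
        d = s["StreamDescriptionSummary"]
        if d.get("EncryptionType") == "KMS" and d.get("KeyId"):
            findings.append((d["StreamName"], "sse-kms", d["KeyId"]))
        else:
            findings.append((d["StreamName"], "unencrypted", None))
    return sorted(findings)

# Constructed sample responses (DescribeStreamSummary shape; not real streams).
SAMPLE = [
    {"StreamDescriptionSummary": {"StreamName": "clickstream",
                                  "EncryptionType": "KMS", "KeyId": "alias/aws/kinesis"}},
    {"StreamDescriptionSummary": {"StreamName": "orders", "EncryptionType": "NONE"}},
    {"StreamDescriptionSummary": {"StreamName": "recs", "EncryptionType": "KMS",
       "KeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"}},
]

if __name__ == "__main__":
    for name, status, key in audit_streams(SAMPLE):
        print(f"{name:12} {status:12} {key or '-'}")
        if status == "unencrypted":  # remediation call the operator would issue
            print("  fix:", start_encryption_params(name))
```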

In summary, HH can enable end-to-end encryption for their Kinesis Streams using a combination of server-side and client-side encryption, and by using AWS KMS to manage their cryptographic keys.