AWS Kinesis

Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes
AWS Security Best Practices
Amazon Kinesis Data Streams provides a number of security features to consider as you design and implement your security architecture. Here are some key considerations.
Implement least privilege access
When granting permissions, you decide who is getting what permissions to which Kinesis Data Streams resources. You enable specific actions that you want to allow on those resources. Therefore you should grant only the permissions that are required to perform a task. Implementing least privilege access is fundamental in reducing security risk and the impact that could result from errors or malicious intent.
Use IAM roles
Producer and client applications must have valid credentials to access Kinesis data streams. You should not store AWS credentials directly in a client application or in an Amazon S3 bucket. These are long-term credentials that are not automatically rotated and could have a significant business impact if they are compromised.
Instead, you should use an IAM role to manage temporary credentials for your producer and client applications to access Kinesis data streams. When you use a role, you don't have to use long-term credentials (such as a user name and password or access keys) to access other resources
Implement Server-Side Encryption in Dependent Resources
Data at rest and data in transit can be encrypted in Kinesis Data Streams. For more information, see Data Protection in Amazon Kinesis Data Streams.
Use CloudTrail to Monitor API Calls
Kinesis Data Streams is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Kinesis Data Streams.
Using the information collected by CloudTrail, you can determine the request that was made to Kinesis Data Streams, the IP address from which the request was made, who made the request, when it was made, and additional details
Cache Management
Design Guidance:
Changing the Data Retention Period - Amazon Kinesis Data Streams
Amazon Kinesis Data Streams
AWS::Kinesis::Stream
Retention Period Hours
​Cloud Formation​
​Terraform​
​
Transparent Data Encryption
Design Guidance:
How Do I Get Started with Server-Side Encryption? - Amazon Kinesis Data Streams
Amazon Kinesis Data Streams
AWS::Kinesis::Stream
Stream Encryption-Encryption Type
​Cloud Formation​
​Terraform​
​
Protect Cryptographic Keys
Design Guidance:
Creating and Using User-Generated KMS Master Keys - Amazon Kinesis Data Streams
Amazon Kinesis Data Streams
AWS::Kinesis::Stream
Stream Encryption-Key Id
​Cloud Formation​
​Terraform​
​
Asset Inventory
Design Guidance:
Tagging Your Streams in Amazon Kinesis Data Streams - Amazon Kinesis Data Streams
Amazon Kinesis Data Streams
AWS::Kinesis::Stream
Tags
​Cloud Formation​
​Terraform​
​
AWS IAM
AWS KMS
Last modified 6mo ago