For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible-aws-kinesis-not-encrypted-with-kms.md. A documentation index is available at /llms.txt.

Kinesis not encrypted with KMS

This product is not supported for your selected Datadog site. ().

Metadata

Id: ansible-aws-kinesis-not-encrypted-with-kms

Provider: AWS

Platform: Ansible

Severity: High

Category: Encryption

Learn More

Description

Kinesis Data Streams must have server-side encryption enabled to protect stream data and metadata at rest and reduce the risk of unauthorized access or data exposure.

For Ansible resources using the community.aws.kinesis_stream or kinesis_stream module, the encryption_state property must be set to "enabled" and the encryption_type property must be defined and not set to "NONE". If encryption_type is "KMS", a valid key_id (KMS key ARN or ID) must also be provided.

Resources missing these properties or with encryption_state != "enabled", encryption_type == "NONE", or encryption_type == "KMS" without key_id are flagged.

Secure Ansible configuration example:

- name: Create Kinesis stream with SSE-KMS
  community.aws.kinesis_stream:
    name: my-stream
    shard_count: 1
    encryption_state: enabled
    encryption_type: KMS
    key_id: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ef56-7890-abcd-ef1234567890

Compliant Code Examples

- name: Encrypt Kinesis Stream test-stream. v6
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_state: enabled
    encryption_type: KMS
    key_id: alias/aws/kinesis
    wait: yes
    wait_timeout: 600

Non-Compliant Code Examples

- name: Encrypt Kinesis Stream test-stream.
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_type: KMS
    key_id: alias/aws/kinesis
    wait: yes
    wait_timeout: 600
  register: test_stream
- name: Encrypt Kinesis Stream test-stream. v2
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_state: disabled
    encryption_type: KMS
    key_id: alias/aws/kinesis
    wait: yes
    wait_timeout: 600
  register: test_stream
- name: Encrypt Kinesis Stream test-stream. v3
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_state: enabled
    key_id: alias/aws/kinesis
    wait: yes
    wait_timeout: 600
  register: test_stream
- name: Encrypt Kinesis Stream test-stream. v4
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_state: enabled
    encryption_type: NONE
    key_id: alias/aws/kinesis
    wait: yes
    wait_timeout: 600
  register: test_stream
- name: Encrypt Kinesis Stream test-stream. v5
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_state: enabled
    encryption_type: KMS
    wait: yes
    wait_timeout: 600
  register: test_stream