---
title: Kinesis not encrypted with KMS
description: Datadog, the leading service for cloud-scale monitoring.
---

# Kinesis not encrypted with KMS

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `f2ea6481-1d31-4d40-946a-520dc6321dd7`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** High

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/community/aws/kinesis_stream_module.html)

### Description{% #description %}

Kinesis Data Streams must have server-side encryption enabled to protect stream data and metadata at rest and reduce the risk of unauthorized access or data exposure.

For Ansible tasks that use the `community.aws.kinesis_stream` or `kinesis_stream` module, the `encryption_state` property must be set to `enabled`, and the `encryption_type` property must be defined and must not be `NONE`. When `encryption_type` is `KMS`, a valid `key_id` (a KMS key ID, key ARN, or alias such as `alias/aws/kinesis`) must also be provided.

A task is flagged if any of these conditions holds: `encryption_state` is missing or not `enabled`, `encryption_type` is missing or equal to `NONE`, or `encryption_type` is `KMS` without a `key_id`.

The AWS-managed alias `alias/aws/kinesis` satisfies the rule, but a customer-managed KMS key gives you control over the key policy and rotation schedule; the key must live in the same region as the stream.

Secure Ansible configuration example:

```yaml
- name: Create Kinesis stream with SSE-KMS
  community.aws.kinesis_stream:
    name: my-stream
    shards: 1
    encryption_state: enabled
    encryption_type: KMS
    key_id: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ef56-7890-abcd-ef1234567890
```
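The following is an added example that implements the rule above as a standalone checker; it is not Datadog's scanner code. It operates on tasks in the form `yaml.safe_load` produces from a playbook, and the task dicts in `SAMPLE_TASKS` are constructed here to mirror the compliant and non-compliant examples on this page (the helper `_task` and the sample names are assumptions for the illustration).

```python
"""Flag Ansible kinesis_stream tasks whose server-side encryption settings
violate the rule described above (added example, not Datadog's code)."""

# Both short and fully-qualified module names are accepted, as the rule states.
KINESIS_MODULES = {"community.aws.kinesis_stream", "kinesis_stream"}


def find_kinesis_args(task):
    """Return the kinesis_stream module arguments of a task, or None if the
    task does not use that module."""
    for module in KINESIS_MODULES:
        args = task.get(module)
        if isinstance(args, dict):
            return args
    return None


def check_task(task):
    """Return a list of findings for one task; an empty list means compliant.

    Rule as stated on the page:
      - encryption_state must be "enabled"
      - encryption_type must be defined and must not be "NONE"
      - if encryption_type is "KMS", key_id must be present and non-empty
    """
    args = find_kinesis_args(task)
    if args is None:
        return []  # not a Kinesis stream task; nothing to check
    findings = []
    name = task.get("name", "<unnamed task>")

    state = str(args.get("encryption_state", "")).lower()
    if state != "enabled":
        findings.append(
            f"{name}: encryption_state is {args.get('encryption_state')!r}, expected 'enabled'")

    enc_type = args.get("encryption_type")
    if enc_type is None:
        findings.append(f"{name}: encryption_type is not defined")
    elif str(enc_type).upper() == "NONE":
        findings.append(f"{name}: encryption_type is NONE")
    elif str(enc_type).upper() == "KMS" and not args.get("key_id"):
        findings.append(f"{name}: encryption_type is KMS but key_id is missing")
    return findings


def check_tasks(tasks):
    """Run check_task over every task in a playbook's task list."""
    findings = []
    for task in tasks:
        findings.extend(check_task(task))
    return findings


def _task(name, **overrides):
    """Constructed task in the parsed form of this page's YAML examples.
    Passing None for a key drops it, mirroring a property left out of the YAML."""
    args = {"name": "test-stream", "state": "present", "shards": 1,
            "encryption_state": "enabled", "encryption_type": "KMS",
            "key_id": "alias/aws/kinesis"}
    args.update(overrides)
    args = {k: v for k, v in args.items() if v is not None}
    return {"name": name, "community.aws.kinesis_stream": args}


# Constructed sample input: one compliant task (v6) and the five non-compliant ones.
SAMPLE_TASKS = [
    _task("v6 compliant"),
    _task("v1 missing encryption_state", encryption_state=None),
    _task("v2 encryption_state disabled", encryption_state="disabled"),
    _task("v3 missing encryption_type", encryption_type=None),
    _task("v4 encryption_type NONE", encryption_type="NONE"),
    _task("v5 KMS without key_id", key_id=None),
]


if __name__ == "__main__":
    for finding in check_tasks(SAMPLE_TASKS):
        print(finding)
```

Running the block prints one finding per non-compliant task and nothing for the v6 task. An empty `key_id: ""` is treated the same as a missing one, since the module cannot resolve an empty key reference.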

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Encrypt Kinesis Stream test-stream. v6
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_state: enabled
    encryption_type: KMS
    key_id: alias/aws/kinesis
    wait: yes
    wait_timeout: 600
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: Encrypt Kinesis Stream test-stream.
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_type: KMS
    key_id: alias/aws/kinesis
    wait: yes
    wait_timeout: 600
  register: test_stream
- name: Encrypt Kinesis Stream test-stream. v2
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_state: disabled
    encryption_type: KMS
    key_id: alias/aws/kinesis
    wait: yes
    wait_timeout: 600
  register: test_stream
- name: Encrypt Kinesis Stream test-stream. v3
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_state: enabled
    key_id: alias/aws/kinesis
    wait: yes
    wait_timeout: 600
  register: test_stream
- name: Encrypt Kinesis Stream test-stream. v4
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_state: enabled
    encryption_type: NONE
    key_id: alias/aws/kinesis
    wait: yes
    wait_timeout: 600
  register: test_stream
- name: Encrypt Kinesis Stream test-stream. v5
  community.aws.kinesis_stream:
    name: test-stream
    state: present
    shards: 1
    encryption_state: enabled
    encryption_type: KMS
    wait: yes
    wait_timeout: 600
  register: test_stream
```
