---
title: Kinesis streams should be encrypted with a customer-managed KMS key
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Kinesis streams should be encrypted
  with a customer-managed KMS key
---

# Kinesis streams should be encrypted with a customer-managed KMS key
 
## Description{% #description %}

Kinesis data streams should be encrypted using a customer-managed KMS key rather than the default AWS-managed `aws/kinesis` key. Customer-managed keys provide full control over key rotation policies, access permissions via KMS key policies, and the ability to revoke or disable the key.

## Remediation{% #remediation %}

Update the stream's encryption settings to use a customer-managed KMS key. For guidance, refer to [How do I get started with server-side encryption for Kinesis Data Streams](https://docs.aws.amazon.com/streams/latest/dev/getting-started-with-sse.html).