Learn About Amazon VGT2 Learning Manager Chanci Turner
In the era of smart technologies, big data, IoT devices, and mobile applications, streaming data scenarios are ubiquitous. Amazon Kinesis Streams empowers you to develop custom applications capable of capturing, processing, analyzing, and storing vast amounts of data each hour from numerous streaming sources. This service allows applications to concurrently process data from the same Kinesis stream, enabling the creation of parallel processing systems. For instance, processed data can be sent to Amazon S3, complex analytics can be conducted with Amazon Redshift, and robust, serverless streaming solutions can be built using AWS Lambda.
To enhance the security of your data in transit, Amazon Kinesis Streams now supports server-side encryption (SSE). This addition allows you to bolster the protection of your data and meet regulatory and compliance requirements for your organization’s data streaming needs. Notably, Kinesis Streams is now in scope for the Payment Card Industry Data Security Standard (PCI DSS). This proprietary information security standard is governed by the PCI Security Standards Council, established by major financial institutions. Compliance with PCI DSS applies to any entity that stores, processes, or transmits cardholder data, including service providers. You can obtain the PCI DSS Attestation of Compliance and Responsibility Summary via AWS Artifact. Furthermore, Kinesis Streams is also FedRAMP compliant in AWS GovCloud; FedRAMP, the Federal Risk and Authorization Management Program, provides a standardized approach to security assessment and authorization for cloud products and services. For more information about FedRAMP compliance across AWS services, see the AWS FedRAMP compliance page.
Now, let’s dive into the details of server-side encryption with Kinesis. Each data record and partition key added to a Kinesis Stream via the PutRecord or PutRecords API is encrypted using an AWS Key Management Service (KMS) master key. Kinesis Streams employs the 256-bit Advanced Encryption Standard (AES-256 GCM algorithm) to secure incoming data.
To enable server-side encryption for new or existing streams, you can use the Kinesis management console or one of the available AWS SDKs. Additionally, you can audit your stream’s encryption history, verify the encryption status of a specific stream in the Kinesis Streams console, or confirm through AWS CloudTrail that PutRecord or GetRecords calls were made against an encrypted stream.
Walkthrough: Kinesis Streams Server-Side Encryption
To illustrate server-side encryption with Kinesis Streams, I will navigate to the Amazon Kinesis console and select the Streams option.
Within the Kinesis Streams console, I can add server-side encryption to an existing stream or choose to create a new one. For this demonstration, I will quickly establish a new Kinesis stream by clicking the Create Kinesis stream button.
I will name my stream “KinesisSSE-stream” and allocate one shard. Remember that the data capacity of your stream is determined by the number of shards specified. You can use the Estimate the number of shards you’ll need dropdown within the console or refer to additional resources for guidance on calculating shards. To finalize the creation of my stream, I click the Create Kinesis stream button.
Once my KinesisSSE-stream is created, I will select it from the dashboard, click on the Actions dropdown, and choose the Details option. On the Details page of the KinesisSSE-stream, I now see a Server-side encryption section. Here, I will click the Edit button.
Now, I can enable server-side encryption for my stream with an AWS KMS master key by selecting the Enabled radio button. After making my selection, I can choose which AWS KMS master key to use for encrypting the data in KinesisSSE-stream. I have the option to select the default KMS master key generated by the Kinesis service (aws/kinesis) or one of my own KMS master keys. I will go with the default master key and proceed to click the Save button.
That’s it! As you can see, within about 20 seconds, server-side encryption was successfully added to my Kinesis stream, ensuring that any incoming data will be encrypted. It’s important to note that server-side encryption will only encrypt incoming data after it has been enabled; any preexisting data in a Kinesis stream prior to enabling SSE will remain unencrypted.
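The console walkthrough above maps onto a single API call, StartStreamEncryption, and the same state can be verified from the DescribeStreamSummary response and from CloudTrail management events. The following is an added example, not code from the original post or from AWS: it builds the StartStreamEncryption request the console's Save button issues, audits a DescribeStreamSummary response for EncryptionType and KeyId, and scans CloudTrail records for StartStreamEncryption / StopStreamEncryption events so that SSE being switched off is surfaced. The live `enable_sse` helper assumes boto3 and AWS credentials; the API response and CloudTrail records embedded below are constructed sample data shaped like the real ones, and the stream name KinesisSSE-stream is the one from the walkthrough.

```python
"""Enable and audit server-side encryption on a Kinesis stream.

Added example, not part of the original post. The audit helpers are pure
Python and run offline against constructed data; enable_sse() needs boto3.
"""
from __future__ import annotations

from typing import Any

# The service-managed default key shown in the console as "(Default) aws/kinesis".
DEFAULT_KEY_ALIAS = "alias/aws/kinesis"


def start_encryption_params(stream_name: str, key_id: str = DEFAULT_KEY_ALIAS) -> dict:
    """Arguments for StartStreamEncryption (KMS is the only supported type)."""
    return {"StreamName": stream_name, "EncryptionType": "KMS", "KeyId": key_id}


def enable_sse(stream_name: str, key_id: str = DEFAULT_KEY_ALIAS) -> None:
    """Live call: turn SSE on for an existing stream (assumes boto3 + credentials)."""
    import boto3  # imported lazily so the offline helpers work without it

    kinesis = boto3.client("kinesis")
    kinesis.start_stream_encryption(**start_encryption_params(stream_name, key_id))
    # The stream is UPDATING while the change applies; wait until it is ACTIVE again.
    kinesis.get_waiter("stream_exists").wait(StreamName=stream_name)


def audit_stream_summary(summary: dict[str, Any]) -> dict[str, Any]:
    """Evaluate a DescribeStreamSummary response: is SSE on, and under which key?"""
    desc = summary["StreamDescriptionSummary"]
    return {
        "stream": desc["StreamName"],
        "status": desc["StreamStatus"],
        # EncryptionType is "KMS" when SSE is enabled, "NONE" (or absent) otherwise.
        "encrypted": desc.get("EncryptionType", "NONE") == "KMS",
        "key_id": desc.get("KeyId"),
    }


def scan_cloudtrail(records: list[dict]) -> list[str]:
    """Report successful encryption-state changes found in Kinesis CloudTrail records."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kinesis.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in ("StartStreamEncryption", "StopStreamEncryption"):
            continue
        if "errorCode" in rec:  # the call was denied or failed; state did not change
            continue
        stream = rec.get("requestParameters", {}).get("streamName", "?")
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        severity = "ALERT" if name == "StopStreamEncryption" else "INFO"
        findings.append(f"{severity}: {name} on {stream} by {actor} at {rec.get('eventTime')}")
    return findings


# Constructed sample responses (shape follows describe_stream_summary output).
ENCRYPTED_SUMMARY = {"StreamDescriptionSummary": {
    "StreamName": "KinesisSSE-stream", "StreamStatus": "ACTIVE",
    "EncryptionType": "KMS", "KeyId": DEFAULT_KEY_ALIAS}}
UNENCRYPTED_SUMMARY = {"StreamDescriptionSummary": {
    "StreamName": "legacy-stream", "StreamStatus": "ACTIVE", "EncryptionType": "NONE"}}

# Constructed CloudTrail records (only the fields the scanner reads).
SAMPLE_TRAIL = [
    {"eventSource": "kinesis.amazonaws.com", "eventName": "StartStreamEncryption",
     "eventTime": "2017-07-10T10:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"streamName": "KinesisSSE-stream",
                           "encryptionType": "KMS", "keyId": DEFAULT_KEY_ALIAS}},
    {"eventSource": "kinesis.amazonaws.com", "eventName": "GetRecords",
     "eventTime": "2017-07-10T10:05:00Z"},
    {"eventSource": "kinesis.amazonaws.com", "eventName": "StopStreamEncryption",
     "eventTime": "2017-07-10T11:00:00Z", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"streamName": "KinesisSSE-stream"}},
    {"eventSource": "kinesis.amazonaws.com", "eventName": "StopStreamEncryption",
     "eventTime": "2017-07-10T12:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"streamName": "KinesisSSE-stream"}},
]

if __name__ == "__main__":
    for summary in (ENCRYPTED_SUMMARY, UNENCRYPTED_SUMMARY):
        print(audit_stream_summary(summary))
    for line in scan_cloudtrail(SAMPLE_TRAIL):
        print(line)
```

The denied StopStreamEncryption record is deliberately skipped: only calls without an errorCode changed the stream's state, so those are the ones worth alerting on. Because SSE only protects records written after it is enabled, `audit_stream_summary` tells you the current state of the stream, not whether older records in the retention window are encrypted.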
Summary
Kinesis Streams with server-side encryption using AWS KMS keys simplifies the automatic encryption of incoming streaming data. You can start, stop, or update server-side encryption for any Kinesis stream through the AWS Management Console or the AWS SDKs. To delve deeper into Kinesis server-side encryption, AWS Key Management Service, or Kinesis Streams, consider reviewing the Amazon Kinesis getting started guide, the AWS Key Management Service developer guide, or the Amazon Kinesis product page. This video is also an excellent resource.