enable-in-transit-encryption
Explanation
Kinesis streams should be encrypted to ensure sensitive data is kept private. Additionally, non-default KMS keys should be used so granularity of access control can be ensured.
Possible Impact
Intercepted data can be read in transit
Suggested Resolution
Enable in transit encryption
Insecure Example
The following example will fail the aws-kinesis-enable-in-transit-encryption check.
resource "aws_kinesis_stream" "bad_example" {
encryption_type = "NONE"
}
Secure Example
The following example will pass the aws-kinesis-enable-in-transit-encryption check.
resource "aws_kinesis_stream" "good_example" {
encryption_type = "KMS"
kms_key_id = "my/special/key"
}