
You are planning to use AWS Kinesis streams for an application being developed for a company. The company policy mandates that all data is encrypted at rest.

How can you accomplish this in the easiest way possible for Kinesis streams?

1 Answer


Answer - B.

The easiest way is to use the in-built server-side encryption that is available with Kinesis streams.

The AWS Documentation mentions the following.

Server-side encryption is a feature in Amazon Kinesis Data Streams that automatically encrypts data before it's at rest by using an AWS KMS customer master key (CMK) you specify.

Data is encrypted before it's written to the Kinesis stream storage layer and decrypted after it's retrieved from storage.

As a result, your data is encrypted at rest within the Kinesis Data Streams service.

This allows you to meet strict regulatory requirements and enhance the security of your data.

Options A and C are invalid since they would involve too much effort in encrypting and decrypting the data going to the streams.

Option D is invalid since this is the same as encrypting the data before it reaches the stream.

For more information on server-side encryption with streams, please refer to the URL below:

https://docs.aws.amazon.com/streams/latest/dev/what-is-sse.html

The easiest way to ensure that data in Kinesis streams is encrypted at rest is to enable server-side encryption for the Kinesis stream. Server-side encryption is a feature provided by AWS that automatically encrypts data at rest. When server-side encryption is enabled for a Kinesis stream, the data is encrypted before being written to disk, and decrypted when it is read back.

To enable server-side encryption for Kinesis streams, you need to use the AWS Management Console or the AWS CLI. When creating a Kinesis stream, you can choose to enable server-side encryption and select the AWS KMS (Key Management Service) key to use for encryption.

Once server-side encryption is enabled for a Kinesis stream, all data written to the stream will be automatically encrypted using the selected KMS key. You do not need to modify your application code or use the SDK to encrypt the data before it is stored at rest.

Client-side encryption is another option for encrypting data in Kinesis streams, but it requires more effort as it involves encrypting the data before it is sent to the Kinesis stream and decrypting it after it is read back. This approach can be useful in scenarios where you need to maintain full control over the encryption process, but it is not necessary if you just need to ensure that data is encrypted at rest.

In summary, enabling server-side encryption for Kinesis streams is the easiest and most effective way to ensure that data is encrypted at rest. This can be done using the AWS Management Console or the AWS CLI, and does not require any changes to your application code.
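The answer above describes turning on server-side encryption and picking a KMS key through the console or CLI. The following script is an added example, not part of the original answer or of any AWS sample, showing the same step done with the boto3 Kinesis API (StartStreamEncryption) together with a compliance check that reads DescribeStream output. The stream name and the use of the AWS-managed key alias/aws/kinesis are assumptions chosen for illustration; the FakeKinesis class is a constructed in-memory stand-in so the script runs offline.

```python
"""Enable and verify server-side encryption (SSE) on a Kinesis data stream.

Added example: assumes the stream name below and the AWS-managed Kinesis key.
A customer-managed CMK ARN or alias can be passed instead.
"""
import copy
import time

STREAM_NAME = "example-orders-stream"      # hypothetical stream name
KMS_KEY_ID = "alias/aws/kinesis"           # AWS-managed key; replace with your CMK if policy requires


def sse_status(describe_response: dict) -> dict:
    """Turn a DescribeStream response into a compliance verdict.

    Kinesis reports EncryptionType as "KMS" when SSE is active and "NONE"
    otherwise; KeyId is only present when a KMS key is configured.
    """
    desc = describe_response.get("StreamDescription", {})
    key_id = desc.get("KeyId")
    return {
        "stream": desc.get("StreamName"),
        "status": desc.get("StreamStatus"),
        "encrypted_at_rest": desc.get("EncryptionType", "NONE") == "KMS",
        "key_id": key_id,
        "uses_aws_managed_key": key_id == "alias/aws/kinesis",
    }


def wait_until_active(client, stream_name: str, attempts: int = 30, delay: float = 2.0) -> None:
    """Poll DescribeStream until the stream leaves UPDATING/CREATING."""
    for _ in range(attempts):
        status = client.describe_stream(StreamName=stream_name)["StreamDescription"]["StreamStatus"]
        if status == "ACTIVE":
            return
        time.sleep(delay)
    raise TimeoutError(f"stream {stream_name} did not become ACTIVE")


def ensure_encrypted(client, stream_name: str, key_id: str) -> dict:
    """Enable SSE if it is off, wait for the update, and return the final verdict.

    CreateStream has no encryption parameter, so a new stream is created first
    and SSE is switched on afterwards with StartStreamEncryption, which is the
    call the console makes on your behalf.
    """
    before = sse_status(client.describe_stream(StreamName=stream_name))
    if not before["encrypted_at_rest"]:
        client.start_stream_encryption(
            StreamName=stream_name, EncryptionType="KMS", KeyId=key_id
        )
        wait_until_active(client, stream_name)
    return sse_status(client.describe_stream(StreamName=stream_name))


class FakeKinesis:
    """Constructed in-memory stand-in for a boto3 Kinesis client (offline use only)."""

    def __init__(self, initial_response: dict):
        self._desc = copy.deepcopy(initial_response)
        self.calls = []

    def describe_stream(self, StreamName: str) -> dict:
        assert StreamName == self._desc["StreamDescription"]["StreamName"]
        return copy.deepcopy(self._desc)

    def start_stream_encryption(self, StreamName: str, EncryptionType: str, KeyId: str) -> None:
        self.calls.append(("StartStreamEncryption", StreamName, EncryptionType, KeyId))
        d = self._desc["StreamDescription"]
        d["EncryptionType"] = EncryptionType
        d["KeyId"] = KeyId
        d["StreamStatus"] = "ACTIVE"  # the real service reports UPDATING for a short time


# Constructed sample responses mirroring the DescribeStream shape.
SAMPLE_UNENCRYPTED = {
    "StreamDescription": {"StreamName": STREAM_NAME, "StreamStatus": "ACTIVE", "EncryptionType": "NONE"}
}
SAMPLE_ENCRYPTED = {
    "StreamDescription": {
        "StreamName": STREAM_NAME, "StreamStatus": "ACTIVE",
        "EncryptionType": "KMS", "KeyId": "alias/aws/kinesis",
    }
}

if __name__ == "__main__":
    import boto3  # real run: needs credentials plus kinesis:DescribeStream/StartStreamEncryption

    print(ensure_encrypted(boto3.client("kinesis"), STREAM_NAME, KMS_KEY_ID))
```

The check function is kept free of AWS calls so it can also be run over DescribeStream output collected from an account inventory to find streams that still report EncryptionType NONE. If a customer-managed CMK is chosen instead of the AWS-managed key, producers need kms:GenerateDataKey and consumers kms:Decrypt on that key, otherwise PutRecord and GetRecords fail once SSE is on.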

...