Amazon Kinesis Streams Introduces Server-Side Encryption

Posted on: Jul 6, 2017

You can now encrypt data in your Amazon Kinesis streams using server-side encryption and AWS Key Management Service (KMS) keys. Server-side encryption makes it easy to meet strict data management requirements by encrypting your data at rest within Kinesis Streams.

To get started, select a new or existing Kinesis stream in the Kinesis management console, select a KMS master key, and enable server-side encryption. Within a few seconds, Kinesis Streams encrypts all incoming data written to the stream. Server-side encryption uses the 256-bit Advanced Encryption Standard (AES-256-GCM) to encrypt each record and its partition key.

You can use the Kinesis management console or the AWS SDK to get the encryption status of a stream and to check whether a specific read or write operation was encrypted. You can also audit the encryption history using AWS CloudTrail.
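The two steps above (enable KMS encryption on a stream, then verify it through the SDK) expressed as a small verification script. This is an added example, not code from the announcement or from AWS. The stream names, the key ARN and the record payloads below are constructed samples; the live helper at the end assumes the boto3 Kinesis client and calls the real `start_stream_encryption` and `describe_stream` operations, and it needs AWS credentials plus `kms:GenerateDataKey` (producers) and `kms:Decrypt` (consumers) on the chosen key. Records written before encryption was enabled stay unencrypted until they age out of the stream, which is why the script also inspects the `EncryptionType` reported on individual records.

```python
"""Verify the server-side encryption state of a Kinesis stream and its records."""

# Constructed sample shaped like the StreamDescription returned by DescribeStream.
# The KeyId is a placeholder ARN, not a real key.
ENCRYPTED_STREAM = {
    "StreamName": "orders",
    "StreamStatus": "ACTIVE",
    "EncryptionType": "KMS",
    "KeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
}

# Constructed sample of a stream that never had encryption enabled.
UNENCRYPTED_STREAM = {
    "StreamName": "clickstream",
    "StreamStatus": "ACTIVE",
    "EncryptionType": "NONE",
}

# Constructed sample shaped like the Records list returned by GetRecords.
# The first record predates the switch to KMS, so it is still stored in the clear.
SAMPLE_RECORDS = [
    {"SequenceNumber": "1001", "PartitionKey": "cust-1", "Data": b"before-sse", "EncryptionType": "NONE"},
    {"SequenceNumber": "1002", "PartitionKey": "cust-2", "Data": b"after-sse", "EncryptionType": "KMS"},
    {"SequenceNumber": "1003", "PartitionKey": "cust-3", "Data": b"after-sse", "EncryptionType": "KMS"},
]


def encryption_findings(description, expected_key_id=None):
    """Return a list of policy findings for one StreamDescription.

    An empty list means the stream uses KMS server-side encryption and,
    when expected_key_id is given, the key DescribeStream reports matches it.
    """
    findings = []
    name = description["StreamName"]
    enc = description.get("EncryptionType", "NONE")
    if enc != "KMS":
        findings.append(f"{name}: server-side encryption is {enc}, expected KMS")
        return findings
    # DescribeStream reports the key as an ARN, so pass the ARN (not an alias) to compare.
    if expected_key_id is not None and description.get("KeyId") != expected_key_id:
        findings.append(f"{name}: encrypted with {description.get('KeyId')}, expected {expected_key_id}")
    return findings


def unencrypted_records(records):
    """Return the sequence numbers of records that were stored without KMS encryption."""
    return [r["SequenceNumber"] for r in records if r.get("EncryptionType", "NONE") != "KMS"]


def enable_and_verify(stream_name, key_arn, region_name="us-east-1"):
    """Live helper (assumption: boto3 installed and AWS credentials available).

    Turns on KMS server-side encryption, waits for the stream to return to
    ACTIVE, then re-reads the description and returns any findings.
    """
    import boto3  # imported here so the offline checks above do not need it

    client = boto3.client("kinesis", region_name=region_name)
    client.start_stream_encryption(StreamName=stream_name, EncryptionType="KMS", KeyId=key_arn)
    # The stream_exists waiter polls DescribeStream until StreamStatus is ACTIVE.
    client.get_waiter("stream_exists").wait(StreamName=stream_name)
    description = client.describe_stream(StreamName=stream_name)["StreamDescription"]
    return encryption_findings(description, expected_key_id=key_arn)


if __name__ == "__main__":
    # Offline run over the constructed samples.
    for stream in (ENCRYPTED_STREAM, UNENCRYPTED_STREAM):
        for finding in encryption_findings(stream):
            print("FINDING:", finding)
    print("records stored without SSE:", unencrypted_records(SAMPLE_RECORDS))
```

The stream-level check is what a periodic compliance job would run across every stream in an account; the record-level check matters during the transition window, because enabling encryption only affects records written from that moment on.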

Server-side encryption is a free Kinesis Streams feature; however, standard KMS key and usage costs apply. For details, see the AWS KMS pricing page. Server-side encryption is available in the US East (N. Virginia), US West (N. California and Oregon), EU (Ireland), Asia Pacific (Tokyo), and Asia Pacific (Singapore) regions. Support for server-side encryption in other regions is coming soon.

To learn more about server-side encryption, see the Kinesis Streams FAQ page and Server-Side Encryption in the Kinesis Streams Developer Guide.