For new projects, we recommend that you use the new Managed Service for Apache Flink Studio over Kinesis Data Analytics for SQL Applications. Managed Service for Apache Flink Studio combines ease of use with advanced analytical capabilities, enabling you to build sophisticated stream processing applications in minutes.
Data Protection in Amazon Kinesis Data Analytics for SQL Applications
You can protect your data using tools that are provided by AWS. Kinesis Data Analytics can work with services that support encrypting data, including Kinesis Data Streams, Firehose, and Amazon S3.
Data Encryption in Kinesis Data Analytics
Encryption at Rest
Note the following about encrypting data at rest with Kinesis Data Analytics:
You can encrypt data on the incoming Kinesis data stream using StartStreamEncryption. For more information, see What Is Server-Side Encryption for Kinesis Data Streams?.
Output data can be encrypted at rest using Firehose to store data in an encrypted Amazon S3 bucket. You can specify the encryption key that your Amazon S3 bucket uses. For more information, see Protecting Data Using Server-Side Encryption with KMS–Managed Keys (SSE-KMS).
Your application's code is encrypted at rest.
Your application's reference data is encrypted at rest.
Encryption In Transit
Kinesis Data Analytics encrypts all data in transit. Encryption in transit is enabled for all Kinesis Data Analytics applications and cannot be disabled.
Kinesis Data Analytics encrypts data in transit in the following scenarios:
Data in transit from Kinesis Data Streams to Kinesis Data Analytics.
Data in transit between internal components within Kinesis Data Analytics.
Data in transit between Kinesis Data Analytics and Firehose.
Key Management
Data encryption in Kinesis Data Analytics uses service-managed keys. Customer-managed keys are not supported.