How Do I Get Started with Server-Side Encryption? - Amazon Kinesis Data Streams

The easiest way to get started with server-side encryption is to use the AWS Management Console and the Amazon Kinesis KMS Service Key, aws/kinesis.

The following procedure demonstrates how to enable server-side encryption for a Kinesis stream.

To enable server-side encryption for a Kinesis stream
  1. Sign in to the AWS Management Console and open the Amazon Kinesis Data Streams console.

  2. Create or select a Kinesis stream in the AWS Management Console.

  3. Choose the Details tab.

  4. In Server-side encryption, choose Edit.

  5. Unless you want to use a user-generated KMS master key, ensure the (Default) aws/kinesis KMS master key is selected. This is the KMS master key generated by the Kinesis service. Choose Enabled, and then choose Save.

    Note

    The default Kinesis service master key is free; however, the API calls made by Kinesis to the AWS KMS service are subject to KMS usage costs.

  6. The stream transitions through a pending state. After the stream returns to an active state with encryption enabled, all incoming data written to the stream is encrypted using the KMS master key you selected.

  7. To disable server-side encryption, choose Disabled in Server-side encryption in the AWS Management Console, and then choose Save.
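Steps 5 and 6 can also be scripted. The following is an added example, not part of the original AWS page: it calls the Kinesis `StartStreamEncryption` API with the default key, waits while the stream is pending (reported as `UPDATING`), and confirms that the stream is `ACTIVE` with KMS encryption before returning. The stream name `example-stream`, the function `enable_sse`, and the `FakeKinesis` stub are assumptions made for illustration; against AWS you would pass a boto3 Kinesis client instead of the stub.

```python
import time

DEFAULT_KEY = "alias/aws/kinesis"  # the (Default) aws/kinesis key from step 5


def enable_sse(client, stream, key_id=DEFAULT_KEY, poll=5.0, timeout=300.0):
    """Enable SSE, wait out the pending state, return the verified summary."""
    client.start_stream_encryption(
        StreamName=stream, EncryptionType="KMS", KeyId=key_id)
    deadline = time.monotonic() + timeout
    while True:
        summary = client.describe_stream_summary(
            StreamName=stream)["StreamDescriptionSummary"]
        if summary["StreamStatus"] == "ACTIVE":
            break
        if time.monotonic() >= deadline:
            raise TimeoutError(f"{stream} still {summary['StreamStatus']}")
        time.sleep(poll)
    # Do not assume success: confirm the stream really reports KMS encryption.
    if summary.get("EncryptionType") != "KMS":
        raise RuntimeError(f"{stream} is ACTIVE but not encrypted")
    return summary


class FakeKinesis:
    """Constructed stand-in for a Kinesis client so the example runs offline."""

    def __init__(self, updating_polls=2):
        self.updating_polls, self.pending, self.polls = updating_polls, 0, 0
        self.encryption, self.key_id = "NONE", None

    def start_stream_encryption(self, StreamName, EncryptionType, KeyId):
        self.encryption, self.key_id = EncryptionType, KeyId
        self.pending = self.updating_polls  # stream enters the pending state

    def describe_stream_summary(self, StreamName):
        self.polls += 1
        status = "UPDATING" if self.pending > 0 else "ACTIVE"
        self.pending = max(0, self.pending - 1)
        return {"StreamDescriptionSummary": {
            "StreamName": StreamName, "StreamStatus": status,
            "EncryptionType": self.encryption, "KeyId": self.key_id}}


if __name__ == "__main__":
    # Against AWS (assumes boto3 and credentials are configured):
    #   enable_sse(boto3.client("kinesis"), "example-stream")
    print(enable_sse(FakeKinesis(), "example-stream", poll=0))
```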