Amazon Kinesis Data Streams
Developer Guide

How Do I Get Started with Server-Side Encryption?

The easiest way to get started with server-side encryption is to use the AWS Management Console and the Amazon Kinesis KMS Service Key, aws/kinesis.

The following procedure demonstrates how to enable server-side encryption for a Kinesis stream.

To enable server-side encryption for a Kinesis stream

  1. Sign in to the AWS Management Console and open the Amazon Kinesis Data Streams console.

  2. Create or select a Kinesis stream in the AWS Management Console.

  3. Choose the details tab.

  4. In Server-side encryption, choose edit.

  5. Unless you want to use a user-generated KMS master key, ensure the (Default) aws/kinesis KMS master key is selected. This is the KMS master key generated by the Kinesis service. Choose Enabled, and then choose Save.


    The default Kinesis service master key is free; however, the API calls that Kinesis makes to AWS KMS are subject to KMS usage costs.

  6. The stream transitions through a “pending” state. Once the stream returns to an “active” state with encryption enabled, all incoming data written to the stream is encrypted using the KMS master key you selected.

  7. To disable server-side encryption, choose Disabled in Server-side encryption in the AWS Management Console, and then choose Save.