
Data protection in Kinesis Video Streams

You can use server-side encryption (SSE) using Amazon Key Management Service (Amazon KMS) keys to meet strict data management requirements by encrypting your data at rest in Amazon Kinesis Video Streams.

What is server-side encryption for Kinesis Video Streams?

Server-side encryption is a feature in Kinesis Video Streams that automatically encrypts data before it's stored at rest using an Amazon KMS key that you specify. Data is encrypted before it's written to the Kinesis Video Streams stream storage layer, and it's decrypted after it's retrieved from storage. As a result, your data is always encrypted at rest within the Kinesis Video Streams service.

With server-side encryption, your Kinesis video stream producers and consumers don't need to manage KMS keys or cryptographic operations. If data retention is enabled, your data is automatically encrypted as it enters and leaves Kinesis Video Streams, so your data at rest is encrypted. Amazon KMS provides all the keys that are used by the server-side encryption feature. Amazon KMS lets you use the KMS key for Kinesis Video Streams that's managed by Amazon, a user-specified Amazon KMS key, or a key imported into the Amazon KMS service.

Costs, Regions, and performance considerations

When you apply server-side encryption, you are subject to Amazon KMS API usage and key costs. Unlike custom Amazon KMS keys, the default aws/kinesis-video KMS key is offered at no charge. However, you still must pay for the API usage costs that Kinesis Video Streams incurs on your behalf.

API usage costs apply for every KMS key, including custom ones. The Amazon KMS costs scale with the number of user credentials that you use on your data producers and consumers because each user credential requires a unique API call to Amazon KMS.

The following describes the costs by resource:

Keys
  • The KMS key for Kinesis Video Streams that's managed by Amazon (alias = aws/kinesis-video) has no charge.

  • User-generated KMS keys are subject to Amazon KMS key costs. For more information, see Amazon Key Management Service Pricing.

Amazon KMS API usage

API requests to generate new data encryption keys or to retrieve existing encryption keys increase as traffic increases, and are subject to Amazon KMS usage costs. For more information, see Amazon Key Management Service Pricing: Usage.

Kinesis Video Streams generates key requests even when retention is set to 0 (no retention).

Availability of server-side encryption by Region

Server-side encryption of Kinesis video streams is available in all the Amazon Web Services Regions where Kinesis Video Streams is available.

How do I get started with server-side encryption?

Server-side encryption is always enabled on Kinesis Video Streams. If a user-provided key isn't specified when the stream is created, the Amazon managed key (provided by Kinesis Video Streams) is used.

A user-provided KMS key must be assigned to a Kinesis video stream when it's created. You can't assign a different key to a stream using the UpdateStream API later on.

You can assign a user-provided KMS key to a Kinesis video stream in two ways:

  • When creating a Kinesis video stream in the Amazon Web Services Management Console, specify the KMS key in the Encryption tab on the Create a new video stream page.

  • When creating a Kinesis video stream using the CreateStream API, specify the key ID in the KmsKeyId parameter.

Creating and using a customer managed key

This section describes how to create and use your own KMS keys instead of using the key administered by Amazon Kinesis Video Streams.

Creating a customer managed key

For information about how to create your own keys, see Creating Keys in the Amazon Key Management Service Developer Guide. After you create keys for your account, the Kinesis Video Streams service returns these keys in the Customer managed keys list.

Using a customer managed key

After the correct permissions are applied to your consumers, producers, and administrators, you can use custom KMS keys in your own Amazon Web Services account or another Amazon Web Services account. All KMS keys in your account appear in the Customer managed keys list on the console.

To use custom KMS keys that are located in another account, you must have permissions to use those keys. You must also create the stream using the CreateStream API. You can't use KMS keys from different accounts in streams created in the console.

Note

The KMS key isn't accessed until the PutMedia or GetMedia operation is carried out. This has the following results:

  • If the key that you specify doesn't exist, the CreateStream operation succeeds, but PutMedia and GetMedia operations on the stream fail.

  • If you use the provided key (aws/kinesis-video), the key isn't present in your account until the first PutMedia or GetMedia operation is performed.
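The two points above (the key must be set at CreateStream time and cannot be changed later, and a wrong KmsKeyId only surfaces when the first PutMedia or GetMedia fails) suggest a preflight check before creating the stream. The following is an added example, not code from the AWS documentation. It uses the boto3 method names create_stream and describe_stream (kinesisvideo client) and describe_key (kms client); FakeKms and FakeKvs are constructed stand-ins with the same call shapes so the script runs offline, and in real use you would pass boto3.client("kinesisvideo") and boto3.client("kms") instead. The key ARN is the one from this page's policy examples.

```python
"""Create a Kinesis video stream bound to a customer managed KMS key, after
checking that the key exists and is enabled.

Added example, not code from the AWS documentation. FakeKms and FakeKvs are
constructed stand-ins for boto3.client("kms") and boto3.client("kinesisvideo").
"""

# Key ARN taken from the page's policy examples.
KEY_ARN = "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"


class KeyNotUsable(Exception):
    """The KMS key is missing or is not in the Enabled state."""


def preflight_kms_key(kms, key_id):
    """CreateStream never touches the key, so a wrong KmsKeyId only surfaces
    when the first PutMedia or GetMedia fails. Resolve the key first and
    return its ARN."""
    try:
        meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    except Exception as exc:  # real boto3 raises kms.exceptions.NotFoundException
        raise KeyNotUsable(f"{key_id}: {exc}") from exc
    if meta.get("KeyState") != "Enabled":
        raise KeyNotUsable(f"{key_id}: KeyState is {meta.get('KeyState')}")
    return meta["Arn"]


def create_encrypted_stream(kvs, kms, stream_name, key_id, retention_hours=24):
    """Create the stream with KmsKeyId set and read it back. The key cannot be
    changed later with UpdateStream, so confirm the binding before any
    producer writes to the stream."""
    key_arn = preflight_kms_key(kms, key_id)
    kvs.create_stream(
        StreamName=stream_name,
        KmsKeyId=key_id,
        DataRetentionInHours=retention_hours,
    )
    info = kvs.describe_stream(StreamName=stream_name)["StreamInfo"]
    if info.get("KmsKeyId") not in (key_id, key_arn):
        raise RuntimeError(
            f"{stream_name} is bound to {info.get('KmsKeyId')}, expected {key_arn}"
        )
    return info


class FakeKms:
    """Constructed stand-in for boto3.client('kms'): maps key id/ARN to state."""

    def __init__(self, keys):
        self.keys = keys

    def describe_key(self, KeyId):
        if KeyId not in self.keys:
            raise LookupError("NotFoundException")
        return {"KeyMetadata": {"Arn": KeyId, "KeyState": self.keys[KeyId]}}


class FakeKvs:
    """Constructed stand-in for boto3.client('kinesisvideo'). Like the real
    service, create_stream does not validate KmsKeyId."""

    def __init__(self):
        self.streams = {}

    def create_stream(self, StreamName, KmsKeyId=None, DataRetentionInHours=0, **_):
        self.streams[StreamName] = {
            "StreamName": StreamName,
            "KmsKeyId": KmsKeyId,
            "DataRetentionInHours": DataRetentionInHours,
            "Status": "ACTIVE",
        }
        return {"StreamARN": f"arn:aws:kinesisvideo:us-west-2:123456789012:stream/{StreamName}/1"}

    def describe_stream(self, StreamName):
        return {"StreamInfo": self.streams[StreamName]}


if __name__ == "__main__":
    kms = FakeKms({KEY_ARN: "Enabled", "alias/old-key": "Disabled"})
    kvs = FakeKvs()
    print(create_encrypted_stream(kvs, kms, "MyStream", KEY_ARN))
    for bad in ("alias/old-key", "arn:aws:kms:us-west-2:123456789012:key/does-not-exist"):
        try:
            create_encrypted_stream(kvs, kms, "MyStream2", bad)
        except KeyNotUsable as err:
            print("refused:", err)
```

The preflight needs kms:DescribeKey on the caller's identity, which is separate from the GenerateDataKey and Decrypt grants the producer and consumer need; for a key in another account the call also confirms that the cross-account key policy actually reaches you before the stream exists.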

Permissions to use a customer managed key

Before you can use server-side encryption with a customer managed key, you must configure KMS key policies to allow encryption of streams and encryption and decryption of stream records. For examples and more information about Amazon KMS permissions, see Amazon KMS API Permissions: Actions and Resources Reference.

Note

The use of the default service key for encryption doesn't require application of custom IAM permissions.

Before you use a customer managed key, verify that your Kinesis video stream producers and consumers (IAM principals) are users in the Amazon KMS default key policy. Otherwise, writes and reads from a stream will fail, which could ultimately result in data loss, delayed processing, or hung applications. You can manage permissions for KMS keys using IAM policies. For more information, see Using IAM Policies with Amazon KMS.

Example producer permissions

Your Kinesis video stream producers must have the kms:GenerateDataKey permission:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kinesis-video:PutMedia"
      ],
      "Resource": "arn:aws:kinesis-video:*:123456789012:MyStream"
    }
  ]
}

Example consumer permissions

Your Kinesis video stream consumers must have the kms:Decrypt permission:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kinesis-video:GetMedia"
      ],
      "Resource": "arn:aws:kinesis-video:*:123456789012:MyStream"
    }
  ]
}
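A policy that is missing one of these actions, or that is not valid JSON, fails only once a producer or consumer first touches the stream. The following added example (not code from the AWS documentation) lints a policy document against the split the page describes: GenerateDataKey plus PutMedia for producers, Decrypt plus GetMedia for consumers, each KMS grant scoped to one key ARN rather than a wildcard. The two policy strings are the page's own examples, embedded here as constructed input; the over-broad variant is constructed for contrast. Only the Python standard library is used.

```python
"""Lint producer and consumer IAM policies for an SSE-encrypted Kinesis video
stream. Added example, not from the AWS documentation; policy documents are
embedded as constructed strings."""
import json

# Key ARN from the page's policy examples.
KEY_ARN = "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
STREAM_ARN = "arn:aws:kinesis-video:*:123456789012:MyStream"

PRODUCER_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["kms:GenerateDataKey"], "Resource": "%s"},
    {"Effect": "Allow", "Action": ["kinesis-video:PutMedia"], "Resource": "%s"}
  ]
}""" % (KEY_ARN, STREAM_ARN)

CONSUMER_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": "%s"},
    {"Effect": "Allow", "Action": ["kinesis-video:GetMedia"], "Resource": "%s"}
  ]
}""" % (KEY_ARN, STREAM_ARN)

# Constructed over-broad variant: every KMS action on every key.
BROAD_PRODUCER_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "kinesis-video:PutMedia", "Resource": "%s"}
  ]
}""" % STREAM_ARN

# What each role needs for SSE, per the page.
REQUIRED = {
    "producer": {"kms:GenerateDataKey", "kinesis-video:PutMedia"},
    "consumer": {"kms:Decrypt", "kinesis-video:GetMedia"},
}
# The only KMS action each role should hold on the stream's key.
KMS_ALLOWED = {"producer": {"kms:GenerateDataKey"}, "consumer": {"kms:Decrypt"}}


def allowed_actions(policy_json):
    """Map each action in an Allow statement to the resources it is allowed
    on. IAM accepts a string or a list for Action and Resource; normalise both."""
    doc = json.loads(policy_json)
    allowed = {}
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        resources = stmt["Resource"]
        if isinstance(actions, str):
            actions = [actions]
        if isinstance(resources, str):
            resources = [resources]
        for action in actions:
            allowed.setdefault(action, set()).update(resources)
    return allowed


def lint_policy(policy_json, role, key_arn):
    """Return a list of problems; empty means the policy grants what the role
    needs for SSE and nothing broader on the KMS side."""
    try:
        allowed = allowed_actions(policy_json)
    except (ValueError, KeyError, TypeError) as exc:
        # A trailing comma or missing field is rejected by IAM outright;
        # report it here instead of discovering it at the first PutMedia.
        return [f"invalid policy document: {exc}"]
    problems = []
    for action in sorted(REQUIRED[role]):
        if action not in allowed:
            problems.append(f"missing {action}")
    for action, resources in allowed.items():
        if not action.startswith("kms:"):
            continue
        if action not in KMS_ALLOWED[role]:
            problems.append(f"{action} is not needed by a {role}")
        if key_arn not in resources:
            problems.append(f"{action} is not granted on {key_arn}")
        for res in resources:
            if res == "*" or res.endswith(":key/*"):
                problems.append(f"{action} is granted on wildcard resource {res}")
    return problems


if __name__ == "__main__":
    for name, policy, role in (
        ("producer", PRODUCER_POLICY, "producer"),
        ("consumer", CONSUMER_POLICY, "consumer"),
        ("broad producer", BROAD_PRODUCER_POLICY, "producer"),
    ):
        print(name, "->", lint_policy(policy, role, KEY_ARN) or "ok")
```

The check is deliberately one-sided: it flags KMS grants the role does not need but says nothing about the kinesis-video side beyond the two required actions, because read-only consumers may legitimately hold GetDataEndpoint or DescribeStream as well.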