How Do I Get Started with Server-Side Encryption? - Amazon Kinesis Data Streams

How Do I Get Started with Server-Side Encryption?

The easiest way to get started with server-side encryption is to use the Amazon Web Services Management Console and the Amazon Kinesis KMS Service Key, aws/kinesis.

The following procedure demonstrates how to enable server-side encryption for a Kinesis stream.

To enable server-side encryption for a Kinesis stream
  1. Sign in to the Amazon Web Services Management Console and open the Amazon Kinesis Data Streams console.

  2. Create or select a Kinesis stream in the Amazon Web Services Management Console.

  3. Choose the Details tab.

  4. In Server-side encryption, choose Edit.

  5. Unless you want to use a user-generated KMS master key, ensure the (Default) aws/kinesis KMS master key is selected. This is the KMS master key generated by the Kinesis service. Choose Enabled, and then choose Save.

    Note

    The default Kinesis service master key is free; however, the API calls made by Kinesis to the Amazon KMS service are subject to KMS usage costs.

  6. The stream transitions through a pending state. After the stream returns to an active state with encryption enabled, all incoming data written to the stream is encrypted using the KMS master key you selected.

  7. To disable server-side encryption, choose Disabled in Server-side encryption in the Amazon Web Services Management Console, and then choose Save.
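
The same procedure through the Kinesis API, as an added example that is not part of the AWS page: it calls boto3's `start_stream_encryption` with the `alias/aws/kinesis` key and, going beyond the console steps, polls `describe_stream_summary` until the stream is `ACTIVE` with `EncryptionType` set to `KMS`. The stream name `example-stream` and the helper names are hypothetical, and configured AWS credentials are assumed.

```python
import time

DEFAULT_KEY = "alias/aws/kinesis"  # the Kinesis service key from step 5


def _summary(client, stream_name):
    resp = client.describe_stream_summary(StreamName=stream_name)
    return resp["StreamDescriptionSummary"]


def enable_sse(client, stream_name, key_id=DEFAULT_KEY,
               timeout=300, poll=5, sleep=time.sleep):
    """Enable KMS server-side encryption and wait for the stream to settle.

    client: a boto3 Kinesis client, e.g. boto3.client("kinesis").
    Returns the final StreamDescriptionSummary; raises TimeoutError if the
    stream is not ACTIVE and encrypted within `timeout` seconds.
    """
    current = _summary(client, stream_name)
    if (current["StreamStatus"] == "ACTIVE"
            and current.get("EncryptionType") == "KMS"):
        return current  # already encrypted; caller can inspect KeyId

    # Step 5: asynchronous request; the stream leaves ACTIVE while it applies.
    client.start_stream_encryption(
        StreamName=stream_name, EncryptionType="KMS", KeyId=key_id)

    # Step 6: poll until the stream is ACTIVE again with encryption on.
    waited = 0
    while waited <= timeout:
        current = _summary(client, stream_name)
        if (current["StreamStatus"] == "ACTIVE"
                and current.get("EncryptionType") == "KMS"):
            return current
        sleep(poll)
        waited += poll
    raise TimeoutError(f"{stream_name}: encryption not active after {timeout}s")


if __name__ == "__main__":
    import boto3  # requires AWS credentials and a region to be configured

    # "example-stream" is a hypothetical stream name for illustration.
    result = enable_sse(boto3.client("kinesis"), "example-stream")
    print(result["StreamStatus"], result["EncryptionType"], result.get("KeyId"))
```

The API counterpart of step 7 is `stop_stream_encryption`, which takes the same `StreamName`, `EncryptionType` and `KeyId` parameters.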