Hi Alper,
AWS Kinesis documentation says:
Server-side encryption is a feature in Amazon Kinesis Data Streams that automatically encrypts data before it's at rest by using an AWS KMS customer master key (CMK) you specify. Data is encrypted before it's written to the Kinesis stream storage layer, and decrypted after it’s retrieved from storage. As a result, your data is encrypted at rest within the Kinesis Data Streams service...
Based on my experience, when you change the encryption settings on an AWS Kinesis stream, the new encryption configuration only applies to records that are ingested after the change. AWS Kinesis does not retroactively encrypt records that were already in the stream before the change.
A) Once you update the KMS key, all subsequent records will be encrypted using the new KMS configuration before they are stored in Kinesis.
B) Only records that are added to the stream after the KMS key update will be encrypted with the new settings.
C) If you delete a KMS key (especially if you scheduled and confirmed its deletion), any data encrypted with that key will become unrecoverable.
For more information about the Kinesis API and its error handling, you can visit this link.
Hello Alper,
As per my research, the new encryption configuration gets applied to records that come after the setting is applied.
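A check that follows from the answers above, added here as an example and not part of either answer or of AWS's own code: before retiring an old KMS key, confirm that no record ingested before the change is still inside the stream's retention window. The records are constructed dicts shaped like `GetRecords` entries, and `old_key_exposure` and the timestamps are hypothetical; it assumes you know when the change took effect.

```python
from datetime import datetime, timedelta, timezone

def old_key_exposure(records, retention_hours, key_changed_at, now):
    """Summarise which still-retained records predate an encryption change.

    records         -- dicts shaped like GetRecords entries (constructed below)
    retention_hours -- RetentionPeriodHours from DescribeStreamSummary
    key_changed_at  -- when the new setting took effect (assumed known)
    """
    expiry_cutoff = now - timedelta(hours=retention_hours)
    live = [r for r in records if r["ApproximateArrivalTimestamp"] > expiry_cutoff]
    # A record's EncryptionType is only NONE or KMS; it does not name the key,
    # so arrival time is what separates old-key records from new-key ones.
    pre_change = [r for r in live if r["ApproximateArrivalTimestamp"] < key_changed_at]
    plaintext = [r for r in live if r.get("EncryptionType", "NONE") == "NONE"]
    # Assumption: records written before the change stay as written until they expire.
    needed_until = key_changed_at + timedelta(hours=retention_hours)
    return {
        "live": len(live),
        "pre_change_live": len(pre_change),
        "plaintext_live": len(plaintext),
        "old_key_needed_until": needed_until,
        "safe_to_retire_old_key": now >= needed_until and not pre_change,
    }

# Constructed sample: T0 is the (hypothetical) moment the KMS key was changed.
T0 = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)

def _rec(hours_from_change, enc):
    return {"ApproximateArrivalTimestamp": T0 + timedelta(hours=hours_from_change),
            "EncryptionType": enc}

SAMPLE = [_rec(-30, "NONE"), _rec(-12, "NONE"), _rec(-5, "KMS"),
          _rec(1, "KMS"), _rec(3, "KMS")]

if __name__ == "__main__":
    for label, hours in (("6h after change", 6), ("26h after change", 26)):
        print(label, old_key_exposure(SAMPLE, 24, T0, T0 + timedelta(hours=hours)))
```
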