chore(aws): enhance metadata for kinesis service (#9262)

Co-authored-by: Daniel Barranquero <[email protected]>

Author: puchy22

prowler/CHANGELOG.md

@@ -57,6 +57,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Raise ASFF output error for non-AWS providers [(#9225)](https://github.com/prowler-cloud/prowler/pull/9225)
 - Update AWS ECR service metadata to new format [(#8872)](https://github.com/prowler-cloud/prowler/pull/8872)
 - Update AWS ECS service metadata to new format [(#8888)](https://github.com/prowler-cloud/prowler/pull/8888)
+- Update AWS Kinesis service metadata to new format [(#9262)](https://github.com/prowler-cloud/prowler/pull/9262)
 - Update AWS DocumentDB service metadata to new format [(#8862)](https://github.com/prowler-cloud/prowler/pull/8862)
 
 ---

prowler/providers/aws/services/kinesis/kinesis_stream_data_retention_period/kinesis_stream_data_retention_period.metadata.json

@@ -1,31 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "kinesis_stream_data_retention_period",
-  "CheckTitle": "Kinesis streams should have an adequate data retention period.",
+  "CheckTitle": "Kinesis stream retains data for at least the required minimum hours",
   "CheckType": [
-    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Destruction"
   ],
   "ServiceName": "kinesis",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:kinesis::account-id:stream/stream-name",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsKinesisStream",
-  "Description": "Ensure Kinesis streams have an adequate data retention period.",
-  "Risk": "An inadequate data retention period may result in data records being deleted before they can be processed or backed up, increasing the risk of data loss. This is especially critical for applications that rely on historical data availability for analysis, monitoring, and recovery in case of failures.",
-  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/kinesis-stream-backup-retention-check.html",
+  "Description": "**Kinesis Data Streams** retention window is evaluated to confirm records are kept for at least the configured minimum duration (default `168` hours).",
+  "Risk": "Insufficient retention causes records to expire before consumers read or reprocess them, undermining **availability** and analytics **integrity**. Backlogs or outages can create irreversible data gaps, hinder investigations and recovery, and enable denial-of-service-by-lag against event pipelines.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/streams/latest/dev/kinesis-extended-retention.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/kinesis-controls.html#kinesis-3"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws kinesis increase-stream-retention-period --stream-name <stream-name> --retention-period-hours <hours>",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/kinesis-controls.html#kinesis-3",
-      "Terraform": ""
+      "CLI": "aws kinesis increase-stream-retention-period --stream-name <example_resource_name> --retention-period-hours 168",
+      "NativeIaC": "```yaml\n# CloudFormation: set Kinesis stream retention to minimum required hours\nResources:\n  <example_resource_name>:\n    Type: AWS::Kinesis::Stream\n    Properties:\n      ShardCount: 1\n      RetentionPeriodHours: 168  # critical: sets retention to >= 168 hours to pass the check\n```",
+      "Other": "1. Sign in to the AWS Console and open Amazon Kinesis\n2. Go to Data streams and select <example_resource_name>\n3. Click Edit\n4. Set Retention period to 168 hours (or higher, per your policy)\n5. Click Save changes",
+      "Terraform": "```hcl\n# Kinesis stream with adequate retention period\nresource \"aws_kinesis_stream\" \"<example_resource_name>\" {\n  name             = \"<example_resource_name>\"\n  shard_count      = 1\n  retention_period = 168  # critical: sets retention to >= 168 hours to pass the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "Configure an adequate data retention period for Kinesis streams to ensure data is available for the required timeframe. Set the retention period based on your application’s data retention requirements, and consider at least 168 hours (or customize as necessary).",
-      "Url": "https://docs.aws.amazon.com/streams/latest/dev/kinesis-extended-retention.html"
+      "Text": "Set the **retention period** to exceed worst-case consumer lag, replay needs, and compliance windows; use at least `168` hours by default (or customize as necessary) and raise as required. Enforce **change control** and least privilege on retention changes, monitor consumer lag, and maintain **secondary durability** (e.g., archival) for critical streams.",
+      "Url": "https://hub.prowler.com/check/kinesis_stream_data_retention_period"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/kinesis/kinesis_stream_encrypted_at_rest/kinesis_stream_encrypted_at_rest.metadata.json

@@ -1,31 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "kinesis_stream_encrypted_at_rest",
-  "CheckTitle": "Kinesis streams should be encrypted at rest.",
+  "CheckTitle": "Kinesis stream is encrypted at rest with KMS",
   "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
     "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
   ],
   "ServiceName": "kinesis",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:kinesis::account-id:stream/stream-name",
-  "Severity": "medium",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
   "ResourceType": "AwsKinesisStream",
-  "Description": "Ensure Kinesis streams use server-side encryption with AWS KMS keys for data protection.",
-  "Risk": "If Kinesis streams are not encrypted at rest, sensitive data stored in the stream could be exposed to unauthorized access or breaches. This could lead to potential data theft or misuse of unencrypted data.",
-  "RelatedUrl": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html",
+  "Description": "**Amazon Kinesis Data Streams** with **server-side encryption** use **AWS KMS** to protect records at rest. The evaluation determines whether a stream has `SSE-KMS` configured with a KMS key; streams lacking KMS-based at rest encryption are identified.",
+  "Risk": "Without **SSE-KMS**, records in shards may be exposed in plaintext if storage, backups, or analytics exports are accessed, undermining **confidentiality**. Absence of KMS controls also reduces **integrity** and oversight by removing key policies, rotation, and audit trails-enabling covert data exfiltration or insider misuse.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/kinesis-controls.html#kinesis-1",
+    "https://docs.aws.amazon.com/streams/latest/dev/getting-started-with-sse.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Kinesis/server-side-encryption.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws kinesis start-stream-encryption --stream-name <your-stream-name> --encryption-type KMS --key-id <your-kms-key-id>",
-      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_22/#cloudformation",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/kinesis-controls.html#kinesis-1",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_22/#terraform"
+      "CLI": "aws kinesis start-stream-encryption --stream-name <KINESIS_STREAM_NAME> --encryption-type KMS --key-id alias/aws/kinesis",
+      "NativeIaC": "```yaml\n# CloudFormation: enable KMS encryption on a Kinesis stream\nResources:\n  <example_resource_name>:\n    Type: AWS::Kinesis::Stream\n    Properties:\n      ShardCount: 1\n      StreamEncryption:\n        EncryptionType: KMS  # Critical: enables KMS encryption at rest\n        KeyId: alias/aws/kinesis  # Critical: uses AWS managed Kinesis KMS key\n```",
+      "Other": "1. Open the AWS Console and go to Amazon Kinesis > Data streams\n2. Select the stream\n3. On the Details tab, click Edit in Server-side encryption\n4. Select Enabled\n5. Choose the (Default) aws/kinesis KMS key\n6. Click Save",
+      "Terraform": "```hcl\n# Enable KMS encryption on a Kinesis stream\nresource \"aws_kinesis_stream\" \"<example_resource_name>\" {\n  name            = \"<example_resource_name>\"\n  shard_count     = 1\n  encryption_type = \"KMS\"            # Critical: enables KMS encryption at rest\n  kms_key_id      = \"alias/aws/kinesis\" # Critical: uses AWS managed Kinesis KMS key\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable server-side encryption for Kinesis streams using AWS KMS keys to ensure that all data is encrypted before it is stored, protecting data at rest and reducing the risk of unauthorized access.",
-      "Url": "https://docs.aws.amazon.com/streams/latest/dev/getting-started-with-sse.html"
+      "Text": "Enable **SSE-KMS** on all streams.\n- Use **customer-managed keys** for rotation and ownership\n- Enforce **least privilege** on KMS grants; limit cross-account use\n- Monitor key usage and require encryption in CI/CD",
+      "Url": "https://hub.prowler.com/check/kinesis_stream_encrypted_at_rest"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""