turbot/steampipe-mod-aws-compliance

Control: 3 Kinesis streams should have an adequate data retention period

Description

This control checks whether an Amazon Kinesis data stream has a data retention period greater than or equal to the specified time frame. The control fails if the data retention period is less than the specified time frame. Unless you provide a custom parameter value for the data retention period, Security Hub uses a default value of 168 hours.

In Kinesis Data Streams, a data stream is an ordered sequence of data records meant to be written to and read from in real time. Data records are stored temporarily in the shards of your stream. The time from when a record is added to when it is no longer accessible is called the retention period. When you decrease the retention period, Kinesis Data Streams almost immediately makes records older than the new retention period inaccessible. For example, increasing the retention period from 24 hours to 48 hours means that records added to the stream 23 hours 55 minutes earlier are still available after 24 hours.

Remediation

To change the data retention period for your Kinesis data streams, see Change the data retention period in the Amazon Kinesis Data Streams Developer Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_kinesis_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_kinesis_3 --share

SQL

This control uses a named query:

select
  stream_arn as resource,
  case
    -- The control passes when retention is at least the 168-hour default;
    -- a stream retaining data longer than 168 hours must not alarm.
    when retention_period_hours >= 168 then 'ok'
    else 'alarm'
  end as status,
  title || ' retention period set to ' || retention_period_hours || ' hours.' as reason,
  region,
  account_id
from
  aws_kinesis_stream;
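The following is an added example, not code from the steampipe-mod-aws-compliance project, that reproduces the control's pass/fail rule and result row in Python over a constructed inventory of streams, so the threshold can be varied the way the Security Hub custom parameter allows. It also models the retention behaviour described above (a record stays readable until its age exceeds the retention period). The stream ARNs, names and the account ID 111122223333 are placeholders, and the `KinesisStream` and `evaluate_stream` names are this example's own.

```python
"""Added example (not part of steampipe-mod-aws-compliance): evaluate the
Kinesis.3 retention rule over constructed stream records."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Security Hub default from the control description (hours).
DEFAULT_MIN_RETENTION_HOURS = 168


@dataclass(frozen=True)
class KinesisStream:
    # Mirrors the aws_kinesis_stream columns the named query reads.
    stream_arn: str
    title: str
    retention_period_hours: int
    region: str
    account_id: str


def evaluate_stream(stream: KinesisStream,
                    min_hours: int = DEFAULT_MIN_RETENTION_HOURS) -> dict:
    """Return one result row shaped like the control's SQL output.

    A stream passes when its retention is greater than or equal to the
    threshold, so a stream retaining data for longer than the default
    (e.g. a year) is 'ok', not 'alarm'.
    """
    status = "ok" if stream.retention_period_hours >= min_hours else "alarm"
    return {
        "resource": stream.stream_arn,
        "status": status,
        "reason": (f"{stream.title} retention period set to "
                   f"{stream.retention_period_hours} hours."),
        "region": stream.region,
        "account_id": stream.account_id,
    }


def evaluate_streams(streams, min_hours: int = DEFAULT_MIN_RETENTION_HOURS):
    """Evaluate every stream in an inventory; returns a list of result rows."""
    return [evaluate_stream(s, min_hours) for s in streams]


def record_accessible(added_at: datetime, now: datetime,
                      retention_hours: int) -> bool:
    """Retention model from the description: a record is readable while its
    age is below the current retention period. Lowering the retention period
    therefore drops older records immediately; raising it keeps them longer."""
    return now < added_at + timedelta(hours=retention_hours)


# Constructed sample inventory (placeholder ARNs, names and account ID).
SAMPLE_STREAMS = [
    KinesisStream("arn:aws:kinesis:us-east-1:111122223333:stream/orders",
                  "orders", 24, "us-east-1", "111122223333"),
    KinesisStream("arn:aws:kinesis:us-east-1:111122223333:stream/clicks",
                  "clicks", 168, "us-east-1", "111122223333"),
    KinesisStream("arn:aws:kinesis:eu-west-1:111122223333:stream/audit",
                  "audit", 8760, "eu-west-1", "111122223333"),
]

if __name__ == "__main__":
    for row in evaluate_streams(SAMPLE_STREAMS):
        print(f"{row['status']:5}  {row['reason']}")

    # Worked case from the description: retention raised from 24 h to 48 h,
    # record added 23 h 55 min before the change is still readable 24 h later.
    change_time = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    added = change_time - timedelta(hours=23, minutes=55)
    later = change_time + timedelta(hours=24)
    print("readable 24 h after the change under 48 h retention:",
          record_accessible(added, later, 48))
```

Running the block prints one row per sample stream; only the 24-hour stream alarms. Passing a larger `min_hours` (for example 336) to `evaluate_streams` reproduces a stricter custom parameter, under which the 168-hour stream alarms while the 8760-hour stream still passes.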

Tags