Control: 3 Kinesis streams should have an adequate data retention period
Description
This control checks whether an Amazon Kinesis data stream has a data retention period greater than or equal to the specified time frame. The control fails if the data retention period is less than the specified time frame. Unless you provide a custom parameter value for the data retention period, Security Hub uses a default value of 168 hours.
In Kinesis Data Streams, a data stream is an ordered sequence of data records meant to be written to and read from in real time. Data records are stored in shards in your stream temporarily. The time period from when a record is added to when it is no longer accessible is called the retention period. Kinesis Data Streams almost immediately makes records older than the new retention period inaccessible after decreasing the retention period. For example, changing the retention period from 24 hours to 48 hours means that records added to the stream 23 hours 55 minutes prior are still available after 24 hours.
Remediation
To change the backup retention period for your Kinesis Data Streams, see Change the data retention period in the Amazon Kinesis Data Streams Developer Guide
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_kinesis_3Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_kinesis_3 --shareSQL
This control uses a named query:
select stream_arn as resource, case when retention_period_hours = 168 then 'ok' else 'alarm' end as status, title || ' retention period set to ' || retention_period_hours || ' hours.' as reason , region, account_idfrom aws_kinesis_stream;