:doc:`Kinesis <../../kinesis>` / Client / start_stream_encryption

***********************
start_stream_encryption
***********************



.. py:method:: Kinesis.Client.start_stream_encryption(**kwargs)

  

  Enables or updates server-side encryption using an Amazon Web Services KMS key for a specified stream.

   

  .. note::

    

    When invoking this API, you must use either the ``StreamARN`` or the ``StreamName`` parameter, or both. It is recommended that you use the ``StreamARN`` input parameter when you invoke this API.

    

   

  Starting encryption is an asynchronous operation. Upon receiving the request, Kinesis Data Streams returns immediately and sets the status of the stream to ``UPDATING``. After the update is complete, Kinesis Data Streams sets the status of the stream back to ``ACTIVE``. Updating or applying encryption normally takes a few seconds to complete, but it can take minutes. You can continue to read and write data to your stream while its status is ``UPDATING``. Once the status of the stream is ``ACTIVE``, encryption begins for records written to the stream.

   

  API Limits: You can successfully apply a new Amazon Web Services KMS key for server-side encryption 25 times in a rolling 24-hour period.

   

  Note: It can take up to 5 seconds after the stream is in an ``ACTIVE`` status before all records written to the stream are encrypted. After you enable encryption, you can verify that encryption is applied by inspecting the API response from ``PutRecord`` or ``PutRecords``.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/kinesis-2013-12-02/StartStreamEncryption>`_  


  **Request Syntax**
  ::

    response = client.start_stream_encryption(
        StreamName='string',
        EncryptionType='NONE'|'KMS',
        KeyId='string',
        StreamARN='string',
        StreamId='string'
    )
    
  :type StreamName: string
  :param StreamName: 

    The name of the stream for which to start encrypting records.

    

  
  :type EncryptionType: string
  :param EncryptionType: **[REQUIRED]** 

    The encryption type to use. The only valid value is ``KMS``.

    

  
  :type KeyId: string
  :param KeyId: **[REQUIRED]** 

    The GUID for the customer-managed Amazon Web Services KMS key to use for encryption. This value can be a globally unique identifier, a fully specified Amazon Resource Name (ARN) to either an alias or a key, or an alias name prefixed by "alias/".You can also use a master key owned by Kinesis Data Streams by specifying the alias ``aws/kinesis``.

     

    
    * Key ARN example: ``arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012``
     
    * Alias ARN example: ``arn:aws:kms:us-east-1:123456789012:alias/MyAliasName``
     
    * Globally unique key ID example: ``12345678-1234-1234-1234-123456789012``
     
    * Alias name example: ``alias/MyAliasName``
     
    * Master key owned by Kinesis Data Streams: ``alias/aws/kinesis``
    

    

  
  :type StreamARN: string
  :param StreamARN: 

    The ARN of the stream.

    

  
  :type StreamId: string
  :param StreamId: 

    Not Implemented. Reserved for future use.

    

  
  
  :returns: None
  **Exceptions**
  
  *   :py:class:`Kinesis.Client.exceptions.InvalidArgumentException`

  
  *   :py:class:`Kinesis.Client.exceptions.LimitExceededException`

  
  *   :py:class:`Kinesis.Client.exceptions.ResourceInUseException`

  
  *   :py:class:`Kinesis.Client.exceptions.ResourceNotFoundException`

  
  *   :py:class:`Kinesis.Client.exceptions.KMSDisabledException`

  
  *   :py:class:`Kinesis.Client.exceptions.KMSInvalidStateException`

  
  *   :py:class:`Kinesis.Client.exceptions.KMSAccessDeniedException`

  
  *   :py:class:`Kinesis.Client.exceptions.KMSNotFoundException`

  
  *   :py:class:`Kinesis.Client.exceptions.KMSOptInRequired`

  
  *   :py:class:`Kinesis.Client.exceptions.KMSThrottlingException`

  
  *   :py:class:`Kinesis.Client.exceptions.AccessDeniedException`

  