diff --git a/packages/@aws-cdk/aws-kinesis/lib/stream.ts b/packages/@aws-cdk/aws-kinesis/lib/stream.ts
index ff58a8b73d5f0..480446a1ab969 100644
--- a/packages/@aws-cdk/aws-kinesis/lib/stream.ts
+++ b/packages/@aws-cdk/aws-kinesis/lib/stream.ts
@@ -331,15 +331,12 @@ export class Stream extends StreamBase {
     }
 
     if (encryptionType === StreamEncryption.UNENCRYPTED) {
-      return { streamEncryption: undefined, encryptionKey: undefined };
+      return { };
     }
 
     if (encryptionType === StreamEncryption.MANAGED) {
       const encryption = { encryptionType: 'KMS', keyId: 'alias/aws/kinesis'};
-      return {
-        streamEncryption: encryption,
-        encryptionKey: undefined
-      };
+      return { streamEncryption: encryption };
     }
 
     if (encryptionType === StreamEncryption.KMS) {
diff --git a/packages/@aws-cdk/aws-kinesis/test/test.stream.ts b/packages/@aws-cdk/aws-kinesis/test/test.stream.ts
index 943d8672cbfb4..12ac660be6774 100644
--- a/packages/@aws-cdk/aws-kinesis/test/test.stream.ts
+++ b/packages/@aws-cdk/aws-kinesis/test/test.stream.ts
@@ -258,6 +258,7 @@ export = {
 
     test.done();
   },
+
   'retention period must be between 24 and 168 hours'(test: Test) {
     test.throws(() => {
       new Stream(new Stack(), 'MyStream', {
@@ -303,6 +304,21 @@ export = {
     test.done();
   },
 
+  'encryption key cannot be supplied with UNENCRYPTED as the encryption type'(test: Test) {
+
+    const stack = new Stack();
+    const key = new kms.Key(stack, 'myKey');
+
+    test.throws(() => {
+      new Stream(stack, 'MyStream', {
+        encryptionKey: key,
+        encryption: StreamEncryption.UNENCRYPTED
+      });
+    }, /encryptionKey is specified, so 'encryption' must be set to KMS/);
+
+    test.done();
+  },
+
   'if a KMS key is supplied, use KMS as the encryption type'(test: Test) {
     // GIVEN
     const stack = new Stack();
@@ -409,6 +425,7 @@ export = {
 
     test.done();
   },
+
   'uses explicit KMS key if encryption type is KMS and a key is provided'(test: Test) {
     const stack = new Stack();
 
@@ -493,6 +510,7 @@ export = {
 
     test.done();
   },
+
   permissions: {
     'with encryption': {
       'grantRead creates and attaches a policy with read only access to Stream and EncryptionKey'(test: Test) {