HIGH
Source
Trivy
ID
AVD-AWS-0073

A MSK cluster allows unencrypted data in transit.

Encryption should be forced for Kafka clusters, including for communication between nodes. This ensure sensitive data is kept private.

Impact

Intercepted data can be read in transit

Follow the appropriate remediation steps below to resolve the issue.

Enable in transit encryption

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
AWSTemplateFormatVersion: 2010-09-09
Description: Good example
Resources:
  Cluster:
    Type: AWS::MSK::Cluster
    Properties:
      EncryptionInfo:
        EncryptionInTransit:
          ClientBroker: "TLS"

Enable in transit encryption

1
2
3
4
5
6
7
8
resource "aws_msk_cluster" "good_example" {
  encryption_info {
    encryption_in_transit {
      client_broker = "TLS"
      in_cluster = true
    }
  }
}