An MSK cluster allows unencrypted data in transit.
Encryption should be enforced for Kafka clusters, both for client-to-broker traffic and for communication between broker nodes. This ensures sensitive data is kept private on the wire.
Impact
Intercepted data can be read in transit
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Enable in transit encryption (CloudFormation)

AWSTemplateFormatVersion: 2010-09-09
Description: Good example
Resources:
  Cluster:
    Type: AWS::MSK::Cluster
    Properties:
      EncryptionInfo:
        EncryptionInTransit:
          # TLS only; TLS_PLAINTEXT and PLAINTEXT would permit unencrypted client connections
          ClientBroker: "TLS"
          # encrypt broker-to-broker traffic as well (the AWS default, stated explicitly)
          InCluster: true
Enable in transit encryption (Terraform)

resource "aws_msk_cluster" "good_example" {
  encryption_info {
    encryption_in_transit {
      # TLS only; TLS_PLAINTEXT and PLAINTEXT would permit unencrypted client connections
      client_broker = "TLS"
      # encrypt broker-to-broker traffic as well
      in_cluster    = true
    }
  }
}
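The check the rule describes, written out as an added example over parsed CloudFormation templates (this is not the scanner's own implementation, and the finding wording, the `check_msk_in_transit` and `msk_template` names, and the constructed templates are mine). It flags `ClientBroker` values that permit plaintext and an explicit `InCluster: false`, and treats a missing block as the AWS defaults (`TLS`, `InCluster` true).

```python
"""Added example: check parsed AWS::MSK::Cluster resources for in-transit
encryption gaps. Not tfsec/trivy's own code; the findings wording is mine.
Templates are passed as already-parsed dicts, so no YAML library is needed."""

# Valid ClientBroker values in the MSK API: TLS, TLS_PLAINTEXT, PLAINTEXT.
ALLOWS_PLAINTEXT = {"PLAINTEXT", "TLS_PLAINTEXT"}


def check_msk_in_transit(template):
    """Return (logical_id, message) findings for every MSK cluster in the template."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::MSK::Cluster":
            continue
        props = res.get("Properties", {})
        # A missing block falls back to the AWS defaults: ClientBroker TLS, InCluster true.
        transit = props.get("EncryptionInfo", {}).get("EncryptionInTransit", {})
        client_broker = str(transit.get("ClientBroker", "TLS")).upper()
        in_cluster = str(transit.get("InCluster", True)).lower()  # YAML bool or string
        if client_broker in ALLOWS_PLAINTEXT:
            findings.append((logical_id, f"ClientBroker {client_broker} allows unencrypted client traffic"))
        if in_cluster == "false":
            findings.append((logical_id, "InCluster false leaves broker-to-broker traffic unencrypted"))
    return findings


def msk_template(client_broker=None, in_cluster=None):
    """Build a constructed minimal template (the parsed form of the YAML above)."""
    transit = {}
    if client_broker is not None:
        transit["ClientBroker"] = client_broker
    if in_cluster is not None:
        transit["InCluster"] = in_cluster
    props = {"EncryptionInfo": {"EncryptionInTransit": transit}} if transit else {}
    return {"Resources": {"Cluster": {"Type": "AWS::MSK::Cluster", "Properties": props}}}


if __name__ == "__main__":
    print(check_msk_in_transit(msk_template("TLS_PLAINTEXT", False)))  # two findings
    print(check_msk_in_transit(msk_template("TLS", True)))             # []
```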
Links