An MSK cluster allows unencrypted data at rest.
Encryption should be enforced for Kafka clusters, including at rest, so that sensitive data stays private.
Impact
Data stored at rest can be read if it is intercepted
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Enable at rest encryption

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Good example
Resources:
  Cluster:
    Type: AWS::MSK::Cluster
    Properties:
      EncryptionInfo:
        EncryptionAtRest:
          DataVolumeKMSKeyId: "foo-bar-key"
```
Enable at rest encryption

```hcl
resource "aws_msk_cluster" "good_example" {
  encryption_info {
    encryption_at_rest_kms_key_arn = "foo-bar-key"
  }
}
```
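As an added example (not part of the original page or the scanner's own code), a small Python check that walks a CloudFormation template and reports `AWS::MSK::Cluster` resources that do not set the `DataVolumeKMSKeyId` shown in the remediation above; the sample template is constructed for the demonstration.

```python
# Added example: flag CloudFormation MSK clusters that do not pin a KMS key for
# encryption at rest (the EncryptionInfo.EncryptionAtRest.DataVolumeKMSKeyId
# property used in the remediation above).
import json


def msk_clusters_missing_at_rest_kms(template: dict) -> list:
    """Return logical IDs of AWS::MSK::Cluster resources whose EncryptionAtRest
    block is absent or has no usable DataVolumeKMSKeyId."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::MSK::Cluster":
            continue
        props = resource.get("Properties") or {}
        at_rest = (props.get("EncryptionInfo") or {}).get("EncryptionAtRest") or {}
        key_id = at_rest.get("DataVolumeKMSKeyId")
        # A non-empty literal key ID/ARN passes.
        if isinstance(key_id, str) and key_id.strip():
            continue
        # An intrinsic such as {"Ref": "MyKey"} or {"Fn::GetAtt": [...]} also passes.
        if isinstance(key_id, dict) and key_id:
            continue
        findings.append(logical_id)
    return findings


# Constructed sample template (JSON form of the YAML above) with one failing
# cluster, one passing cluster and one unrelated resource.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "BadCluster": {
      "Type": "AWS::MSK::Cluster",
      "Properties": {"ClusterName": "bad", "EncryptionInfo": {}}
    },
    "GoodCluster": {
      "Type": "AWS::MSK::Cluster",
      "Properties": {
        "EncryptionInfo": {"EncryptionAtRest": {"DataVolumeKMSKeyId": "foo-bar-key"}}
      }
    },
    "Unrelated": {"Type": "AWS::S3::Bucket", "Properties": {}}
  }
}
""")

if __name__ == "__main__":
    print(msk_clusters_missing_at_rest_kms(SAMPLE_TEMPLATE))  # ['BadCluster']
```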
Links