Ensure inter-cluster encryption is enabled for AWS MSK cluster

HIGH

Description

Not using inter-cluster encryption for AWS MSK clusters can impact the confidentiality of the data in transit.

Remediation

Encryption settings are configured with TLS 1.2 by default; however, this can be overridden at the time a cluster is created, so a cluster can end up with plaintext traffic between brokers. To learn more, see the AWS documentation (below).

In Terraform -

  1. In the aws_msk_cluster resource, configure an encryption_info block.
  2. Within the encryption_info block, create an encryption_in_transit block with client_broker set to TLS and in_cluster set to true.
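The two steps above, shown as an added Terraform example that is not part of the original policy text. The resource name, subnet and security-group references, and the Kafka version are placeholder assumptions; the `encryption_info` / `encryption_in_transit` block with `client_broker` and `in_cluster` is the provider schema the policy refers to.

```hcl
# Non-compliant: in_cluster = false leaves broker-to-broker traffic unencrypted
# (client_broker = "TLS_PLAINTEXT" also permits plaintext client connections).
resource "aws_msk_cluster" "weak" {
  cluster_name           = "example-weak"   # placeholder name
  kafka_version          = "3.5.1"          # placeholder version
  number_of_broker_nodes = 3

  broker_node_group_info {
    instance_type   = "kafka.m5.large"
    client_subnets  = var.client_subnets    # assumed variable
    security_groups = var.security_groups   # assumed variable
  }

  encryption_info {
    encryption_in_transit {
      client_broker = "TLS_PLAINTEXT"
      in_cluster    = false
    }
  }
}

# Compliant: TLS enforced for client connections and between brokers.
resource "aws_msk_cluster" "hardened" {
  cluster_name           = "example-hardened"   # placeholder name
  kafka_version          = "3.5.1"              # placeholder version
  number_of_broker_nodes = 3

  broker_node_group_info {
    instance_type   = "kafka.m5.large"
    client_subnets  = var.client_subnets    # assumed variable
    security_groups = var.security_groups   # assumed variable
  }

  encryption_info {
    encryption_in_transit {
      client_broker = "TLS"   # only TLS client connections are accepted
      in_cluster    = true    # encrypt traffic between brokers (the setting this rule checks)
    }
  }
}
```

Note that `in_cluster` defaults to `true` and `client_broker` defaults to `TLS` when the block is omitted, so the rule is triggered by an explicit override; a policy-as-code scan of the plan should flag any `encryption_in_transit` block where `in_cluster` is `false`.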

References:
https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#encryption_in_transit

Policy Details

Rule Reference ID: AC_AWS_0180
CSP: AWS
Remediation Available: Yes
Resource: aws_msk_cluster
Resource Category: Messaging

Frameworks