Ensure that only TLS communication is allowed between AWS MSK clients and brokers

HIGH

Description

MSK clusters encrypt client-broker traffic with TLS by default, but the setting can be overridden to TLS_PLAINTEXT (both TLS and plaintext accepted) or PLAINTEXT. When plaintext is permitted, clients can connect to the unencrypted listener (port 9092) instead of the TLS listener (port 9094), exposing messages and any credentials sent over the connection to network sniffing. In addition, using the latest version of TLS and modern ciphers helps keep data in transit protected from man-in-the-middle and similar attacks.
References:
https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html

Remediation

Encryption in transit is configured to use TLS by default (client_broker defaults to TLS and in_cluster to true), but either setting can be overridden at the time a cluster is created. To learn more, see the AWS documentation (below).

In Terraform -

  1. In the aws_msk_cluster resource, add an encryption_info block.
  2. Within the encryption_info block, add an encryption_in_transit block with client_broker set to "TLS" (not "TLS_PLAINTEXT" or "PLAINTEXT") and in_cluster set to true.
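
The following is an added example (not from the original page or from AWS) showing the weak encryption_in_transit setting the rule flags beside the corrected one. The Kafka version, instance type, and the subnet and security group references are hypothetical placeholders.

```hcl
# Added example, not part of the original page: one aws_msk_cluster with the
# setting this rule flags, and one with the hardened setting. The Kafka
# version, instance type, subnets and security group are assumed placeholders.

# WEAK: client_broker = "TLS_PLAINTEXT" (or "PLAINTEXT") keeps the unencrypted
# listener on port 9092 open, so a client that omits TLS still connects and its
# traffic can be sniffed. in_cluster = false also leaves broker-to-broker
# replication traffic unencrypted.
resource "aws_msk_cluster" "weak" {
  cluster_name           = "example-weak"
  kafka_version          = "3.5.1"
  number_of_broker_nodes = 3

  broker_node_group_info {
    instance_type   = "kafka.m5.large"
    client_subnets  = [aws_subnet.a.id, aws_subnet.b.id, aws_subnet.c.id]
    security_groups = [aws_security_group.msk.id]
    storage_info {
      ebs_storage_info {
        volume_size = 100
      }
    }
  }

  encryption_info {
    encryption_in_transit {
      client_broker = "TLS_PLAINTEXT" # accepts plaintext clients on 9092
      in_cluster    = false           # broker-to-broker traffic in the clear
    }
  }
}

# HARDENED: only the TLS listener (port 9094) is exposed to clients, and
# broker-to-broker traffic is encrypted as well. These are the provider
# defaults, but setting them explicitly makes a later override visible in review.
resource "aws_msk_cluster" "hardened" {
  cluster_name           = "example-hardened"
  kafka_version          = "3.5.1"
  number_of_broker_nodes = 3

  broker_node_group_info {
    instance_type   = "kafka.m5.large"
    client_subnets  = [aws_subnet.a.id, aws_subnet.b.id, aws_subnet.c.id]
    security_groups = [aws_security_group.msk.id]
    storage_info {
      ebs_storage_info {
        volume_size = 100
      }
    }
  }

  encryption_info {
    encryption_in_transit {
      client_broker = "TLS"  # reject plaintext client connections
      in_cluster    = true   # encrypt replication between brokers
    }
  }
}
```

After applying, confirm the running cluster matches the configuration with `aws kafka describe-cluster --cluster-arn <arn> --query 'ClusterInfo.EncryptionInfo.EncryptionInTransit'`, which should report ClientBroker as TLS and InCluster as true. Clients must then be pointed at the TLS bootstrap brokers (port 9094) with a truststore that trusts the Amazon root CA; clients still configured for port 9092 will fail to connect once plaintext is disabled.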

References:
https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#encryption_in_transit

Policy Details

Rule Reference ID: AC_AWS_0181
CSP: AWS
Remediation Available: Yes
Resource: aws_msk_cluster
Resource Category: Messaging

Frameworks