Skip to main content

MSK clusters should use in-transit encryption

  • GG_ID: GG_IAC_0054
  • Severity: HIGH
  • Complexity: HIGH
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True


Amazon Managed Streaming for Apache Kafka (MSK) is a fully managed service that enables users to build and run applications that use Apache Kafka to process streaming data.

Amazon MSK encrypts data in transit with TLS by default. This default configuration should not be overridden.


Not encrypting data in-transit could lead to data leak in case of an attack.

Remediation guidelines#

The in-transit encryption can't be modified for an existing MSK cluster. A replacement cluster must be built with the client_broker parameter set to TLS and the in_cluster parameter set to to true.

External documentation#