MSK clusters should use in-transit encryption

Severity: HIGH
Exploitability: LOW
Providers: AWS
Categories: DATA, NETWORK, PERMISSION

Description

Amazon Managed Streaming for Apache Kafka (MSK) is a fully managed service that enables users to build and run applications that use Apache Kafka to process streaming data.

Amazon MSK encrypts data in transit with TLS by default. This default configuration should not be overridden.

Impact

Potential data exposure: True
Visible in logs: False
User interaction required: False
Privileges required: True

Not encrypting data in transit could lead to a data leak in the event of an attack.

Remediation guidelines

In-transit encryption can't be modified on an existing MSK cluster. A replacement cluster must be built with the client_broker parameter set to TLS and the in_cluster parameter set to true.
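The rule's detection logic, as an added example that is not part of the original rule page: it evaluates the ClusterInfo shape returned by the Kafka API (boto3's kafka.list_clusters() / describe_cluster()), where the client_broker and in_cluster settings above appear as EncryptionInfo.EncryptionInTransit.ClientBroker (TLS, TLS_PLAINTEXT or PLAINTEXT) and InCluster. The sample cluster records are constructed, not real clusters.

```python
# Added example (not part of the original rule page): evaluates the rule's logic
# against the ClusterInfo shape returned by boto3's kafka.list_clusters() /
# kafka.describe_cluster(). Sample data below is constructed, not real clusters.
# Service defaults when EncryptionInTransit is omitted: TLS between clients and
# brokers, and broker-to-broker (in-cluster) encryption enabled.
DEFAULT_CLIENT_BROKER = "TLS"
DEFAULT_IN_CLUSTER = True


def evaluate_in_transit_encryption(cluster_info: dict) -> dict:
    """Return the rule verdict for one cluster: compliant flag plus reasons."""
    transit = (cluster_info.get("EncryptionInfo") or {}).get("EncryptionInTransit") or {}
    client_broker = transit.get("ClientBroker", DEFAULT_CLIENT_BROKER)
    in_cluster = transit.get("InCluster", DEFAULT_IN_CLUSTER)
    reasons = []
    if client_broker != "TLS":
        # TLS_PLAINTEXT and PLAINTEXT both accept unencrypted client connections
        reasons.append(f"client_broker is {client_broker}, expected TLS")
    if not in_cluster:
        reasons.append("in_cluster is false, broker-to-broker traffic is unencrypted")
    return {
        "cluster": cluster_info.get("ClusterName", "<unknown>"),
        "compliant": not reasons,
        "reasons": reasons,
    }


def noncompliant_clusters(clusters: list) -> list:
    """Names of the clusters that violate the rule, in input order."""
    results = map(evaluate_in_transit_encryption, clusters)
    return [r["cluster"] for r in results if not r["compliant"]]


# Constructed sample responses, one per configuration the rule distinguishes.
SAMPLE_CLUSTERS = [
    {"ClusterName": "orders-default"},  # no EncryptionInfo: service defaults apply
    {"ClusterName": "orders-mixed", "EncryptionInfo": {"EncryptionInTransit": {
        "ClientBroker": "TLS_PLAINTEXT", "InCluster": True}}},
    {"ClusterName": "orders-plain", "EncryptionInfo": {"EncryptionInTransit": {
        "ClientBroker": "PLAINTEXT", "InCluster": False}}},
    {"ClusterName": "orders-tls", "EncryptionInfo": {"EncryptionInTransit": {
        "ClientBroker": "TLS", "InCluster": True}}},
]

if __name__ == "__main__":
    # Against a live account the same function runs over real ClusterInfo items:
    #   import boto3; clusters = boto3.client("kafka").list_clusters()["ClusterInfoList"]
    for result in map(evaluate_in_transit_encryption, SAMPLE_CLUSTERS):
        print(result)
```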
