MSK clusters should use in-transit encryption
Severity | Exploitability | Providers | Categories |
---|---|---|---|
HIGH | LOW | AWS | DATA, NETWORK, PERMISSION |
Description
Amazon Managed Streaming for Apache Kafka (MSK) is a fully managed service that enables users to build and run applications that use Apache Kafka to process streaming data.
Amazon MSK encrypts data in transit with TLS by default, both between clients and brokers and between the brokers of a cluster. This default configuration should not be overridden.
Impact
Potential data exposure | Visible in logs | User interaction required | Privileges required |
---|---|---|---|
True | False | False | True |
Without in-transit encryption, client-to-broker and broker-to-broker traffic crosses the network in plaintext, so an attacker positioned on the network path (for example through a compromised host in the VPC) can read the records being produced and consumed, which can lead to a data leak.
Remediation guidelines
The in-transit encryption settings can't be modified for an existing MSK cluster. A replacement cluster must be built with the client_broker parameter set to TLS and the in_cluster parameter set to true (both parameters live in the encryption_info.encryption_in_transit block of the aws_msk_cluster Terraform resource).
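To find existing clusters that violate this rule before rebuilding them, the audit below evaluates the EncryptionInfo.EncryptionInTransit block that the MSK ListClusters / DescribeCluster APIs return for each cluster (the API fields ClientBroker and InCluster correspond to the Terraform parameters client_broker and in_cluster). This is an added example, not code from this page or from AWS; the sample cluster objects are constructed, and the boto3 client is passed in as a parameter so the same function runs offline against a fake client.

```python
"""Audit Amazon MSK clusters for in-transit encryption.

Evaluates the EncryptionInfo.EncryptionInTransit block of each ClusterInfo
object as returned by the MSK ListClusters / DescribeCluster APIs:
  ClientBroker: "TLS" | "TLS_PLAINTEXT" | "PLAINTEXT"   (Terraform: client_broker)
  InCluster:    true | false                            (Terraform: in_cluster)
"""
from __future__ import annotations

from typing import Any


def check_in_transit_encryption(cluster_info: dict[str, Any]) -> list[str]:
    """Return the findings for one ClusterInfo dict; an empty list means compliant."""
    name = cluster_info.get("ClusterName") or cluster_info.get("ClusterArn", "<unknown>")
    in_transit = cluster_info.get("EncryptionInfo", {}).get("EncryptionInTransit", {})
    client_broker = in_transit.get("ClientBroker")
    in_cluster = in_transit.get("InCluster")
    findings: list[str] = []
    # A missing field is reported rather than assumed to hold the service default,
    # so a truncated or unexpected response never passes silently.
    if client_broker != "TLS":
        findings.append(
            f"{name}: client-broker traffic allows {client_broker or 'unset'}; expected TLS"
        )
    if in_cluster is not True:
        findings.append(
            f"{name}: broker-to-broker traffic is not TLS (InCluster={in_cluster!r})"
        )
    return findings


def audit_clusters(cluster_infos: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map each non-compliant cluster ARN to its findings; compliant clusters are omitted."""
    report: dict[str, list[str]] = {}
    for ci in cluster_infos:
        findings = check_in_transit_encryption(ci)
        if findings:
            report[ci.get("ClusterArn", "<unknown>")] = findings
    return report


def list_all_cluster_infos(kafka_client: Any) -> list[dict[str, Any]]:
    """Collect every ClusterInfo from a boto3 'kafka' client, following NextToken.

    The client is passed in (e.g. boto3.client("kafka")) so the function can also
    be exercised offline with a fake object that returns the same page shape.
    """
    infos: list[dict[str, Any]] = []
    kwargs: dict[str, Any] = {}
    while True:
        page = kafka_client.list_clusters(**kwargs)
        infos.extend(page.get("ClusterInfoList", []))
        token = page.get("NextToken")
        if not token:
            return infos
        kwargs = {"NextToken": token}


# Constructed sample ClusterInfo objects (not real clusters), shaped like the
# MSK API output and trimmed to the fields this check reads.
SAMPLE_CLUSTERS = [
    {
        "ClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/orders/example-1",
        "ClusterName": "orders",
        "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS", "InCluster": True}},
    },
    {
        "ClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/legacy/example-2",
        "ClusterName": "legacy",
        # TLS_PLAINTEXT still lets clients connect in the clear on port 9092.
        "EncryptionInfo": {
            "EncryptionInTransit": {"ClientBroker": "TLS_PLAINTEXT", "InCluster": True}
        },
    },
    {
        "ClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/metrics/example-3",
        "ClusterName": "metrics",
        "EncryptionInfo": {
            "EncryptionInTransit": {"ClientBroker": "PLAINTEXT", "InCluster": False}
        },
    },
]


if __name__ == "__main__":
    # Against a real account: audit_clusters(list_all_cluster_infos(boto3.client("kafka")))
    for arn, findings in audit_clusters(SAMPLE_CLUSTERS).items():
        print(arn)
        for finding in findings:
            print("  -", finding)
```

Note that TLS_PLAINTEXT is flagged even though TLS is available: the rule requires TLS only, because a cluster that still accepts plaintext connections on port 9092 gives a misconfigured or malicious client an unencrypted path to the brokers.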