MSK clusters should be encrypted in transit among broker nodes
Description
This control checks whether an Amazon Managed Streaming for Apache Kafka (MSK) cluster is configured to encrypt data in transit using HTTPS (TLS) between its broker nodes. The control fails if plain-text communication is enabled for any broker node connection in the cluster. HTTPS, by using TLS, adds a layer of protection against 'person-in-the-middle' attacks and similar threats that could lead to eavesdropping on or manipulation of network traffic. Amazon MSK encrypts data in transit with TLS by default, but that default can be overridden when the cluster is created. The recommendation is to always use encrypted connections over HTTPS (TLS) for broker node communications.
Remediation
To remediate MSK clusters without encryption in transit between broker nodes, you need to enable TLS encryption for in-cluster communication.
Steps
- Navigate to the Amazon MSK console
- Select the MSK cluster that needs remediation
- Click on 'Edit' or 'Modify' cluster
- Go to 'Encryption' settings
- Enable 'Encryption in transit'
- Ensure 'In-cluster encryption' is enabled
- Configure TLS settings if needed
- Review the configuration changes
- Apply the changes to the cluster
- Verify encryption is enabled and working
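The following is an added example, not part of the original control text, showing how the check in the Description and the final verification step can be automated. It evaluates the `EncryptionInfo.EncryptionInTransit` block that the MSK `DescribeCluster` / `ListClusters` APIs return (boto3 field names `InCluster` and `ClientBroker`). The cluster records below are constructed sample data with placeholder ARNs; the optional live fetch assumes AWS credentials and boto3 are available and is not needed to run the offline check.

```python
"""Audit MSK clusters for in-cluster (broker-to-broker) TLS encryption.

The control passes when EncryptionInTransit.InCluster is true, i.e. brokers
talk to each other over TLS only. ClientBroker is reported alongside because
a cluster that allows PLAINTEXT client connections is also worth a look.
"""
from typing import Any, Dict, List

# Constructed sample records in the shape of ClusterInfo returned by boto3's
# kafka.list_clusters() / kafka.describe_cluster(). ARNs are placeholders.
SAMPLE_CLUSTERS: List[Dict[str, Any]] = [
    {
        "ClusterName": "orders-prod",
        "ClusterArn": "arn:aws:kafka:us-east-1:111122223333:cluster/orders-prod/PLACEHOLDER-1",
        "EncryptionInfo": {"EncryptionInTransit": {"InCluster": True, "ClientBroker": "TLS"}},
    },
    {
        "ClusterName": "metrics-dev",
        "ClusterArn": "arn:aws:kafka:us-east-1:111122223333:cluster/metrics-dev/PLACEHOLDER-2",
        # In-cluster TLS was switched off at creation: this is the failing case.
        "EncryptionInfo": {"EncryptionInTransit": {"InCluster": False, "ClientBroker": "TLS_PLAINTEXT"}},
    },
    {
        "ClusterName": "legacy-ingest",
        "ClusterArn": "arn:aws:kafka:us-east-1:111122223333:cluster/legacy-ingest/PLACEHOLDER-3",
        # Record without an explicit EncryptionInfo block (service default applies).
    },
]


def evaluate_in_transit(cluster_info: Dict[str, Any]) -> Dict[str, Any]:
    """Return a finding dict for one cluster.

    status is FAIL when broker-to-broker traffic may be plain text
    (InCluster == False); otherwise PASS. The MSK default, used when the
    field is absent, is TLS between brokers, so a missing value is treated
    as True (assumption based on the documented default).
    """
    eit = cluster_info.get("EncryptionInfo", {}).get("EncryptionInTransit", {})
    in_cluster = bool(eit.get("InCluster", True))
    client_broker = eit.get("ClientBroker", "TLS")

    finding = {
        "cluster": cluster_info.get("ClusterName", "<unnamed>"),
        "arn": cluster_info.get("ClusterArn", ""),
        "in_cluster_tls": in_cluster,
        "client_broker": client_broker,
        "status": "PASS" if in_cluster else "FAIL",
    }
    if not in_cluster:
        finding["reason"] = "plain-text communication allowed between broker nodes"
    elif client_broker != "TLS":
        # Not the subject of this control, but flag it for the reviewer.
        finding["note"] = f"client-broker setting {client_broker} permits plain-text client traffic"
    return finding


def audit_clusters(clusters: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Evaluate every cluster and return the list of findings."""
    return [evaluate_in_transit(c) for c in clusters]


def failing_clusters(clusters: List[Dict[str, Any]]) -> List[str]:
    """Names of clusters that need remediation under this control."""
    return [f["cluster"] for f in audit_clusters(clusters) if f["status"] == "FAIL"]


def fetch_clusters_live(region_name: str = "us-east-1") -> List[Dict[str, Any]]:
    """Pull all ClusterInfo records from the account via boto3.

    Assumes valid AWS credentials with kafka:ListClusters permission.
    Imported lazily so the offline check above runs without boto3.
    """
    import boto3  # assumption: boto3 installed and credentials configured

    kafka = boto3.client("kafka", region_name=region_name)
    clusters: List[Dict[str, Any]] = []
    kwargs: Dict[str, Any] = {}
    while True:
        page = kafka.list_clusters(**kwargs)
        clusters.extend(page.get("ClusterInfoList", []))
        token = page.get("NextToken")
        if not token:
            return clusters
        kwargs = {"NextToken": token}


if __name__ == "__main__":
    for f in audit_clusters(SAMPLE_CLUSTERS):
        extra = f.get("reason") or f.get("note") or ""
        print(f"{f['status']:4} {f['cluster']:14} in_cluster={f['in_cluster_tls']} "
              f"client_broker={f['client_broker']} {extra}")
```

Run it as-is to see the verdict for the constructed sample, or replace `SAMPLE_CLUSTERS` with `fetch_clusters_live()` to audit a real account. A `FAIL` row is exactly the condition the control describes; the `note` on a passing cluster points at a client-broker setting that still accepts plain text and may deserve a separate control.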