Critical Protect Regional

MSK clusters should have public access disabled

FSBP

Description

This control checks whether public access is disabled for an Amazon MSK cluster. The control fails if public access is enabled for the MSK cluster. By default, clients can access an Amazon MSK cluster only if they are in the same Virtual Private Cloud (VPC) as the cluster. All communication between Kafka clients and an MSK cluster is private by default, and streaming data does not traverse the internet. However, if an MSK cluster is configured to allow public access, anyone on the internet can establish a connection to Apache Kafka brokers running within the cluster. This can lead to serious security issues such as unauthorized access, data breaches, or exploitation of vulnerabilities. Restricting access to a cluster by requiring authentication and authorization measures helps protect sensitive information and maintain the integrity of resources.


Remediation

To remediate MSK clusters with public access enabled, you need to disable public access and ensure the cluster is only accessible within the VPC.

Steps

  1. Navigate to the Amazon MSK console
  2. Select the MSK cluster with public access enabled
  3. Choose 'Edit' (or 'Modify') for the cluster
  4. Go to 'Network' settings
  5. Disable the 'Public access' option
  6. Ensure the cluster is in a private subnet
  7. Configure VPC security groups properly
  8. Review the network configuration
  9. Apply the changes to the cluster
  10. Verify public access is disabled
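The console steps above have a programmatic equivalent: read the cluster's connectivity settings, flag any provisioned cluster whose `PublicAccess.Type` is not `DISABLED`, and request the change that turns public access off. The following Python is an added example written for this page, not code from the control's publisher or from AWS. It assumes the response shape of the MSK `DescribeClusterV2` API (`ClusterInfo` with `Provisioned.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type` and a top-level `CurrentVersion`) and the boto3 `kafka` client's `update_connectivity` call; the cluster ARNs, names and version strings in the sample documents are constructed placeholders, and `DryRunKafkaClient` is a hypothetical stand-in that only records the request it would have sent.

```python
"""Evaluate 'MSK public access disabled' against DescribeClusterV2 output and
build the UpdateConnectivity request that remediates a failing cluster.

Added example for this control page; the sample responses below are
constructed, not captured from a real account.
"""

from typing import Any, Dict, List, Optional

PASS = "PASS"
FAIL = "FAIL"


def public_access_type(cluster_info: Dict[str, Any]) -> Optional[str]:
    """Return PublicAccess.Type for a provisioned cluster.

    Returns None for serverless clusters, which carry no PublicAccess block
    because they are reachable only from inside a VPC. Assumption: a
    provisioned cluster whose response omits the block is treated as the
    MSK default, DISABLED.
    """
    provisioned = cluster_info.get("Provisioned")
    if provisioned is None:
        return None
    return (
        provisioned.get("BrokerNodeGroupInfo", {})
        .get("ConnectivityInfo", {})
        .get("PublicAccess", {})
        .get("Type", "DISABLED")
    )


def evaluate_cluster(cluster_info: Dict[str, Any]) -> Dict[str, str]:
    """Produce a PASS/FAIL finding for one cluster, with the reason."""
    arn = cluster_info.get("ClusterArn", "<unknown>")
    access = public_access_type(cluster_info)
    if access is None:
        return {"resource": arn, "status": PASS,
                "reason": "serverless cluster; VPC-only by design"}
    if access == "DISABLED":
        return {"resource": arn, "status": PASS,
                "reason": "public access disabled"}
    return {"resource": arn, "status": FAIL,
            "reason": f"public access enabled (PublicAccess.Type={access})"}


def remediation_request(cluster_info: Dict[str, Any]) -> Dict[str, Any]:
    """Keyword arguments for kafka.update_connectivity().

    CurrentVersion must be echoed back so the API rejects the update if the
    cluster changed between the describe and the update (optimistic locking).
    """
    return {
        "ClusterArn": cluster_info["ClusterArn"],
        "CurrentVersion": cluster_info["CurrentVersion"],
        "ConnectivityInfo": {"PublicAccess": {"Type": "DISABLED"}},
    }


class DryRunKafkaClient:
    """Hypothetical stand-in for boto3's kafka client: records requests only."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def update_connectivity(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {"ClusterArn": kwargs["ClusterArn"], "ClusterOperationArn": "<dry-run>"}


def run_control(clusters: List[Dict[str, Any]], kafka_client=None) -> List[Dict[str, str]]:
    """Evaluate every cluster; when a client is given, remediate the failures."""
    findings = []
    for info in clusters:
        finding = evaluate_cluster(info)
        if finding["status"] == FAIL and kafka_client is not None:
            kafka_client.update_connectivity(**remediation_request(info))
            finding["remediation"] = "update_connectivity requested"
        findings.append(finding)
    return findings


# Constructed sample ClusterInfo documents (placeholder ARNs and versions).
SAMPLE_CLUSTERS: List[Dict[str, Any]] = [
    {   # provisioned cluster exposed to the internet -> FAIL
        "ClusterArn": "arn:aws:kafka:us-east-1:111122223333:cluster/exposed/PLACEHOLDER-1",
        "ClusterType": "PROVISIONED", "CurrentVersion": "KVERSION-EXAMPLE-1",
        "Provisioned": {"BrokerNodeGroupInfo": {"ConnectivityInfo": {
            "PublicAccess": {"Type": "SERVICE_PROVIDED_EIPS"}}}},
    },
    {   # provisioned cluster, VPC-only -> PASS
        "ClusterArn": "arn:aws:kafka:us-east-1:111122223333:cluster/private/PLACEHOLDER-2",
        "ClusterType": "PROVISIONED", "CurrentVersion": "KVERSION-EXAMPLE-2",
        "Provisioned": {"BrokerNodeGroupInfo": {"ConnectivityInfo": {
            "PublicAccess": {"Type": "DISABLED"}}}},
    },
    {   # serverless cluster, no PublicAccess block -> PASS
        "ClusterArn": "arn:aws:kafka:us-east-1:111122223333:cluster/sls/PLACEHOLDER-3",
        "ClusterType": "SERVERLESS", "CurrentVersion": "KVERSION-EXAMPLE-3",
        "Serverless": {"VpcConfigs": [{"SubnetIds": ["subnet-placeholder"]}]},
    },
]


if __name__ == "__main__":
    for finding in run_control(SAMPLE_CLUSTERS, DryRunKafkaClient()):
        print(finding)
```

In a real account, feed `run_control` the `ClusterInfo` entries from `kafka.describe_cluster_v2` (or the `ClusterInfoList` pages of `list_clusters_v2`) and pass the boto3 client instead of the dry-run stand-in. The update is asynchronous, so step 10 still applies: describe the cluster again once its state returns to ACTIVE and confirm `PublicAccess.Type` reads `DISABLED`.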

Compliance

FSBP