Medium Protect Regional

MSK clusters should disable unauthenticated access

FSBP

Description

This control checks whether unauthenticated access is enabled on an Amazon MSK cluster. The control fails if the cluster's client authentication settings have unauthenticated access enabled (or, equivalently, if no authentication method is configured at all, since such a cluster can only be reached without credentials).

Amazon MSK supports three client authentication mechanisms: IAM access control, SASL/SCRAM (username and password stored in AWS Secrets Manager), and mutual TLS (client certificates issued by an AWS Private CA). Each one verifies the identity of a connecting client, and the matching authorization layer (IAM policies for IAM access control, Kafka ACLs for SASL/SCRAM and mTLS) determines which topics and operations that identity may use. Unauthenticated access bypasses both layers: any client that can reach the brokers over the network (by default the plaintext listener on port 9092, or the TLS listener on port 9094 when encryption in transit is on) can produce to and consume from topics, and with MSK's default of allowing everyone when no ACL matches, can also create and delete topics, without presenting any credential.

Running a cluster this way violates the principle of least privilege: a security group or VPC misconfiguration, a compromised workload in the same VPC, or an over-broad peering connection is enough for an attacker to read, modify, or delete Kafka data, resulting in data exposure, tampering, or service disruption. The recommendation is to disable unauthenticated access and require IAM access control, SASL/SCRAM, or mutual TLS so that every connection is tied to an identity that can be authorized and audited.


Remediation

To remediate an MSK cluster with unauthenticated access enabled, enable at least one authentication mechanism, disable unauthenticated access, and then migrate clients to the authenticated listeners. Note that MSK does not allow unauthenticated access to be turned off unless another authentication method is enabled, and IAM access control and SASL/SCRAM both require TLS encryption between clients and brokers.

Steps

  1. Open the Amazon MSK console and select the cluster flagged by the control
  2. On the cluster's properties, locate the security settings and choose 'Edit'
  3. Under access control methods, enable at least one authentication mechanism: IAM access control, SASL/SCRAM authentication, or TLS client authentication (mTLS); if the cluster uses plaintext between clients and brokers, set client-broker encryption to TLS as well, because IAM and SASL/SCRAM require it
  4. Clear 'Unauthenticated access' (the console only allows this once another method is enabled)
  5. Configure the chosen mechanism: for IAM, attach policies granting the needed kafka-cluster actions (for example kafka-cluster:Connect, kafka-cluster:DescribeTopic, kafka-cluster:ReadData, kafka-cluster:WriteData) to the client roles; for SASL/SCRAM, create Secrets Manager secrets whose names start with AmazonMSK_, encrypt them with a customer-managed KMS key, and associate them with the cluster; for mTLS, register the ARNs of the AWS Private CAs that issue client certificates
  6. Set up authorization: IAM policies scope access for IAM-authenticated clients; for SASL/SCRAM and mTLS, define Kafka ACLs, keeping in mind that MSK allows every request when no ACL matches unless you change that default
  7. Update client configurations to use the authenticated bootstrap broker strings and ports (9098 for IAM, 9096 for SASL/SCRAM, 9094 for TLS) instead of the unauthenticated plaintext listener on 9092
  8. Review the resulting security configuration for the cluster
  9. Save the changes and wait for the cluster to leave the UPDATING state
  10. Verify that the cluster's client authentication settings now report unauthenticated access as disabled, and confirm that a client without credentials can no longer connect to the brokers
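The check described above and the remediation steps can be driven with the MSK API as well as the console. The following is an added example for this control, not code from the control page or from AWS: it evaluates the `ClusterInfo` structure that `kafka:DescribeCluster` returns and builds the `UpdateSecurity` request that disables unauthenticated access while enabling IAM access control. The sample cluster is constructed, the `CurrentVersion` and ARN values are made up, and treating a cluster with no authentication method enabled as a failure is this example's conservative reading of the control.

```python
"""Check an MSK cluster for unauthenticated access and build the fix.

Added example; not code from the control page or from AWS. Works on the
ClusterInfo dict returned by kafka:DescribeCluster (boto3 `describe_cluster`).
"""
from __future__ import annotations

import sys
from typing import Any

# Constructed sample of DescribeCluster output for an open cluster
# (values such as the ARN and CurrentVersion are made up).
SAMPLE_OPEN_CLUSTER: dict[str, Any] = {
    "ClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/demo/0f3c1e2a-1111-2222-3333-444455556666-1",
    "ClusterName": "demo",
    "CurrentVersion": "K3AEGXETSR30VB",
    "ClientAuthentication": {
        "Sasl": {"Iam": {"Enabled": False}, "Scram": {"Enabled": False}},
        "Tls": {"Enabled": False},
        "Unauthenticated": {"Enabled": True},
    },
    "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS_PLAINTEXT", "InCluster": True}},
}


def enabled_auth_methods(cluster_info: dict[str, Any]) -> list[str]:
    """Names of the authentication methods enabled on the cluster."""
    ca = cluster_info.get("ClientAuthentication", {})
    sasl = ca.get("Sasl", {})
    methods: list[str] = []
    if sasl.get("Iam", {}).get("Enabled"):
        methods.append("IAM")
    if sasl.get("Scram", {}).get("Enabled"):
        methods.append("SASL/SCRAM")
    if ca.get("Tls", {}).get("Enabled"):
        methods.append("mTLS")
    return methods


def unauthenticated_access_enabled(cluster_info: dict[str, Any]) -> bool:
    """True when the control fails: the Unauthenticated flag is on, or
    (this example's conservative assumption) no auth method is enabled."""
    ca = cluster_info.get("ClientAuthentication", {})
    if ca.get("Unauthenticated", {}).get("Enabled", False):
        return True
    return not enabled_auth_methods(cluster_info)


def build_update_security_request(
    cluster_info: dict[str, Any],
    enable_iam: bool = True,
    enable_scram: bool = False,
    ca_arns: list[str] | None = None,
) -> dict[str, Any]:
    """Build kwargs for kafka.update_security that turn unauthenticated access off.

    Refuses to produce a request that leaves no auth method enabled (MSK rejects
    it, and it would lock every client out). Forces client-broker TLS because
    IAM and SASL/SCRAM require it.
    """
    existing = cluster_info.get("ClientAuthentication", {})
    client_auth: dict[str, Any] = {
        "Sasl": {"Iam": {"Enabled": enable_iam}, "Scram": {"Enabled": enable_scram}},
        "Unauthenticated": {"Enabled": False},
    }
    if ca_arns:
        client_auth["Tls"] = {"CertificateAuthorityArns": list(ca_arns), "Enabled": True}
    elif existing.get("Tls", {}).get("Enabled"):
        client_auth["Tls"] = existing["Tls"]  # keep the cluster's current mTLS setup
    if not (enable_iam or enable_scram or client_auth.get("Tls", {}).get("Enabled")):
        raise ValueError("at least one authentication method must stay enabled")

    request: dict[str, Any] = {
        "ClusterArn": cluster_info["ClusterArn"],
        "CurrentVersion": cluster_info["CurrentVersion"],
        "ClientAuthentication": client_auth,
    }
    in_transit = cluster_info.get("EncryptionInfo", {}).get("EncryptionInTransit", {})
    if in_transit.get("ClientBroker") != "TLS":
        request["EncryptionInfo"] = {
            "EncryptionInTransit": {"ClientBroker": "TLS", "InCluster": in_transit.get("InCluster", True)}
        }
    return request


def main(argv: list[str]) -> int:
    """Usage: python msk_unauth.py <cluster-arn> [--apply]  (needs boto3 and AWS credentials)."""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    import boto3  # imported here so the check functions stay usable offline

    kafka = boto3.client("kafka")
    info = kafka.describe_cluster(ClusterArn=argv[1])["ClusterInfo"]
    if not unauthenticated_access_enabled(info):
        print("PASS: unauthenticated access disabled; methods:", enabled_auth_methods(info))
        return 0
    request = build_update_security_request(info)
    print("FAIL: unauthenticated access enabled; proposed update_security request:", request)
    if "--apply" in argv:
        kafka.update_security(**request)  # cluster enters UPDATING; re-check afterwards
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

After `update_security` completes, fetch the new bootstrap broker strings (the IAM listener is on port 9098, SASL/SCRAM on 9096, TLS on 9094) and repoint clients before removing any remaining plaintext access paths; the plaintext listener on 9092 stops accepting connections once the change is applied.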

Compliance

FSBP