Profile Applicability

  • Level 2

Description

Unrestricted access to Kafka clusters, allowing connections from 0.0.0.0/0 (IPv4) or ::/0 (IPv6), poses a significant security risk. This configuration exposes clusters to unauthorized access, brute-force attacks, and potential misuse. To safeguard sensitive data and ensure only trusted clients connect, Kafka clusters must have unrestricted access disabled, restricting access to specific trusted IP ranges or private networks.

Rationale

  • Enhanced Security: Prevents unauthorized connections to Kafka clusters.

  • Risk Mitigation: Protects against malicious activities, including brute-force attacks and data breaches.

  • Compliance: Aligns with security best practices and regulatory requirements.

Impact

Pros:

  • Safeguards Kafka clusters from unauthorized access.

  • Reduces the risk of data theft and exploits.

  • Enhances security posture by limiting public exposure.

Cons:

  • May require configuration changes for secure access methods, such as private networks or VPNs.

  • Could temporarily disrupt workflows if public access was previously used.

Default Value

By default, Kafka clusters may permit unrestricted access if not explicitly configured.

Pre-Requisite

IAM Permissions:

  • kafka:DescribeCluster

  • kafka:UpdateClusterConfiguration

  • AWS CLI installed and configured.

Remediation

Test Plan: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the MSK Dashboard.

  3. Select Clusters from the left-hand menu.

  4. Verify the access control configurations for each cluster and ensure unrestricted access (0.0.0.0/0 or ::/0) is disabled.

Using AWS CLI:

  1. Identify Unrestricted Access:

    aws kafka describe-cluster --cluster-arn <cluster-arn> --query "ClusterInfo.BrokerNodeGroupInfo.SecurityGroups"

  2. Verify that security groups associated with the cluster do not allow unrestricted access.

Implementation Steps: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the MSK Dashboard.

  3. Select the Kafka cluster to update.

  4. Edit the network configuration to restrict access to trusted IP ranges or private subnets.

  5. Save the changes.

Using AWS CLI:

  1. Update the Security Group to Restrict Access:

    aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <kafka-port> --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <kafka-port> --cidr ::/0

  1. Add Secure Rules for Trusted IP Ranges (if necessary):

    aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port <kafka-port> --cidr <trusted-cidr>

Backout Plan

Using AWS Console:

  1. If restricting access causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon MSK, select the cluster, and review the security group and network settings.

  3. Revert the security group or VPC settings to their previous configuration (allowing broader access) to restore functionality, though this is not recommended from a security standpoint.

  4. Save the changes and monitor the Kafka cluster to ensure access is restored as expected.

Using AWS CLI:

  1. If access restrictions cause issues, revert the security group changes by allowing broader access (e.g., opening up the IP range):

    aws ec2 authorize-security-group-ingress --region <REGION> --group-id <SECURITY_GROUP_ID> --protocol tcp --port 9092 --cidr 0.0.0.0/0

  2. Verify that the cluster is accessible again and troubleshoot as necessary:

    aws ec2 describe-security-groups --group-ids <SECURITY_GROUP_ID> --region <REGION>

References

CIS Controls

Version

Control ID

Control Description

IG1

IG2

IG3

v8

5.3

Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.

v8

13.2

Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.