Profile Applicability

  • Level 2

Description

Encryption in transit protects data moving between Kafka clients and brokers, and between the brokers of a cluster, from interception and tampering on the network. On Amazon MSK this is governed by two settings under EncryptionInfo.EncryptionInTransit: ClientBroker (TLS, TLS_PLAINTEXT or PLAINTEXT) for client-to-broker traffic, and InCluster (true or false) for broker-to-broker traffic. TLS on the ZooKeeper connection is a separate MSK feature and is not covered by this recommendation. Enforcing TLS on both paths safeguards topic data and credentials and meets compliance with security and privacy requirements.

Rationale

  • Enhanced Security: Prevents interception of, and tampering with, data transmitted between Kafka clients and brokers and between brokers.

  • Compliance: Meets regulatory requirements for secure data communication.

  • Risk Mitigation: Reduces the risk of eavesdropping and man-in-the-middle attacks on topic data and on credentials carried over the client connection (SASL/SCRAM and IAM authentication on MSK only operate over TLS).

Impact

Pros:

  • Encrypts client-to-broker and broker-to-broker traffic, so topic data and credentials cannot be read or altered on the network.

  • Mitigates risks of data breaches and unauthorized access.

  • Aligns with security standards and compliance policies.

Cons:

  • TLS adds CPU load on brokers and clients and some connection-setup latency; size the cluster accordingly.

  • Clients must connect to the TLS bootstrap brokers (port 9094, returned by get-bootstrap-brokers as BootstrapBrokerStringTls) and trust the Amazon-issued broker certificates. Anything still using the plaintext listener on port 9092 loses connectivity once ClientBroker is set to TLS, so clients have to be migrated first.

  • InCluster encryption is fixed when the cluster is created; a cluster created with it disabled has to be rebuilt.

Default Value

Amazon MSK creates new clusters with ClientBroker set to TLS and InCluster set to true unless other values are supplied. Clusters created with TLS_PLAINTEXT or PLAINTEXT for client compatibility keep that setting until it is explicitly updated, so each cluster has to be checked.

Pre-Requisite

IAM Permissions:

  • kafka:ListClusters

  • kafka:DescribeCluster

  • kafka:UpdateSecurity (encryption settings are changed with the UpdateSecurity API; kafka:UpdateClusterConfiguration only changes Apache Kafka server properties)

Tools:

  • AWS CLI installed and configured.


Remediation

Test Plan: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the Amazon MSK dashboard.

  3. Select Clusters from the left-hand menu.

  4. Open each cluster and review its encryption settings: encryption between clients and brokers must be TLS only (not TLS and plaintext), and encryption within the cluster must be enabled.

Using AWS CLI:

  1. List the clusters in the region, then retrieve the encryption-in-transit settings of each one:

    aws kafka list-clusters --region <REGION> --query "ClusterInfoList[].ClusterArn" --output text

    aws kafka describe-cluster --cluster-arn <cluster-arn> --query "ClusterInfo.EncryptionInfo.EncryptionInTransit"

  2. Ensure that ClientBroker is TLS and InCluster is true. TLS_PLAINTEXT does not satisfy this control: it keeps the plaintext listener open alongside the TLS listener, so any client can still connect unencrypted. PLAINTEXT fails outright.

Implementation Steps:

 Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the Amazon MSK dashboard.

  3. Select the Kafka cluster to update.

  4. Edit the cluster's security settings and set encryption between clients and brokers to TLS only. If clients still use the plaintext listener, choose TLS and plaintext first, migrate the clients to the TLS bootstrap brokers, then return and select TLS only.

  5. Save the changes and wait for the cluster to return to the Active state.

Using AWS CLI:

  1. Record the cluster's current version. UpdateSecurity requires it and rejects the call if the cluster has changed since the value was read:

    aws kafka describe-cluster --cluster-arn <cluster-arn> --query "ClusterInfo.CurrentVersion" --output text

  2. Enable TLS between clients and brokers with UpdateSecurity (update-cluster-configuration changes Apache Kafka server properties, not encryption):

    aws kafka update-security --cluster-arn <cluster-arn> --current-version <current-version> --encryption-info '{"EncryptionInTransit":{"ClientBroker":"TLS"}}'

    If clients still use the plaintext listener, run the command with "ClientBroker":"TLS_PLAINTEXT" first, move every client to the TLS bootstrap brokers, then repeat it with "TLS". InCluster cannot be changed on an existing cluster.

  3. Verify the Changes once the cluster is back in the ACTIVE state:

    aws kafka describe-cluster --cluster-arn <cluster-arn> --query "ClusterInfo.EncryptionInfo.EncryptionInTransit"
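The following script puts the Test Plan check and the Implementation Steps together: it evaluates ClusterInfo records exactly as the CLI commands above return them, flags TLS_PLAINTEXT and PLAINTEXT separately from a missing InCluster setting, and builds the UpdateSecurity request (with the mandatory CurrentVersion) or the equivalent aws kafka update-security command for each non-compliant cluster. It is an added example, not AWS or CIS code; the records in SAMPLE_CLUSTERS are constructed stand-ins for real list-clusters output with made-up ARNs and version strings, and the function names are the editor's own.

```python
"""Audit Amazon MSK encryption-in-transit settings and build the UpdateSecurity
request that enforces TLS between clients and brokers.

Added example (not AWS or CIS code). SAMPLE_CLUSTERS is constructed test data
shaped like the ClusterInfo objects that `aws kafka list-clusters` returns,
trimmed to the fields this check reads; ARNs and versions are invented.
"""
import json

COMPLIANT_CLIENT_BROKER = "TLS"
ACCOUNT = "111122223333"

# Constructed sample records: one compliant cluster, one mid-migration, one legacy.
SAMPLE_CLUSTERS = [
    {"ClusterName": "orders-prod",
     "ClusterArn": f"arn:aws:kafka:us-east-1:{ACCOUNT}:cluster/orders-prod/aaaa-1",
     "CurrentVersion": "K3AEGXETSR30VB",
     "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS", "InCluster": True}}},
    {"ClusterName": "analytics-migrating",
     "ClusterArn": f"arn:aws:kafka:us-east-1:{ACCOUNT}:cluster/analytics-migrating/bbbb-1",
     "CurrentVersion": "K2EUQ1WTGCTBG2",
     "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS_PLAINTEXT", "InCluster": True}}},
    {"ClusterName": "legacy-dev",
     "ClusterArn": f"arn:aws:kafka:us-east-1:{ACCOUNT}:cluster/legacy-dev/cccc-1",
     "CurrentVersion": "K1X5R6FIVSX1B5",
     "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "PLAINTEXT", "InCluster": False}}},
]


def encryption_findings(cluster_info):
    """Findings for one ClusterInfo dict; an empty list means compliant
    (ClientBroker == TLS and InCluster == true)."""
    eit = cluster_info.get("EncryptionInfo", {}).get("EncryptionInTransit", {})
    client_broker = eit.get("ClientBroker")
    in_cluster = eit.get("InCluster")
    findings = []
    if client_broker == "PLAINTEXT":
        findings.append("ClientBroker=PLAINTEXT: client traffic is unencrypted")
    elif client_broker == "TLS_PLAINTEXT":
        # Both listeners are open, so a client can still pick the plaintext port.
        findings.append("ClientBroker=TLS_PLAINTEXT: plaintext listener still accepted")
    elif client_broker != COMPLIANT_CLIENT_BROKER:
        findings.append(f"ClientBroker missing or unrecognised: {client_broker!r}")
    if in_cluster is not True:
        # InCluster is fixed at cluster creation; remediation means rebuilding.
        findings.append(f"InCluster={in_cluster!r}: broker-to-broker traffic is not encrypted")
    return findings


def audit(clusters):
    """Map cluster name -> findings for every non-compliant cluster."""
    report = {}
    for info in clusters:
        findings = encryption_findings(info)
        if findings:
            report[info.get("ClusterName", info.get("ClusterArn", "<unknown>"))] = findings
    return report


def update_security_request(cluster_info, client_broker=COMPLIANT_CLIENT_BROKER):
    """Keyword arguments for boto3 `kafka.update_security()` (the UpdateSecurity API).
    CurrentVersion must be the value the cluster reports right now; a stale one
    makes MSK reject the update, so re-read the cluster before each call."""
    if client_broker not in ("TLS", "TLS_PLAINTEXT", "PLAINTEXT"):
        raise ValueError(f"unsupported ClientBroker value: {client_broker!r}")
    return {
        "ClusterArn": cluster_info["ClusterArn"],
        "CurrentVersion": cluster_info["CurrentVersion"],
        "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": client_broker}},
    }


def as_cli_command(request):
    """Render the same request as the equivalent `aws kafka update-security` call."""
    info = json.dumps(request["EncryptionInfo"], separators=(",", ":"))
    return (f"aws kafka update-security --cluster-arn {request['ClusterArn']} "
            f"--current-version {request['CurrentVersion']} --encryption-info '{info}'")


def live_clusters(region):
    """Fetch real ClusterInfo records with boto3 (imported lazily so the offline
    sample runs without it). ListClusters already includes EncryptionInfo."""
    import boto3  # assumption: AWS credentials configured in the usual way

    client = boto3.client("kafka", region_name=region)
    records = []
    for page in client.get_paginator("list_clusters").paginate():
        records.extend(page["ClusterInfoList"])
    return records


if __name__ == "__main__":
    # Offline demo on the constructed sample; use live_clusters("<region>") for a real account.
    for name, findings in audit(SAMPLE_CLUSTERS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    for info in SAMPLE_CLUSTERS:
        if encryption_findings(info):
            print(as_cli_command(update_security_request(info)))
```

The audit deliberately treats TLS_PLAINTEXT as a finding rather than a pass, because the control's purpose is that no client can talk to a broker unencrypted; the generated command only changes ClientBroker, since InCluster cannot be updated in place and a false value is reported as a rebuild item instead.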

Backout Plan

Using AWS Console:

  1. If enforcing TLS breaks client connectivity or cluster performance, navigate to Amazon MSK in the AWS Management Console.

  2. Select the Kafka cluster, edit its security settings and restore the previous client-broker encryption value recorded before the change (for example TLS and plaintext during a staged migration). Do not fall back to plaintext only: it re-exposes all client traffic, and SASL/SCRAM and IAM authentication stop working without TLS.

  3. Save the changes and verify that the cluster shows the restored setting once it is Active again.

Using AWS CLI:

  1. Revert ClientBroker to the value recorded before the change (the example below uses TLS_PLAINTEXT), passing the cluster's current version:

    aws kafka describe-cluster --cluster-arn <CLUSTER_ARN> --region <REGION> --query "ClusterInfo.CurrentVersion" --output text

    aws kafka update-security --cluster-arn <CLUSTER_ARN> --region <REGION> --current-version <CURRENT_VERSION> --encryption-info '{"EncryptionInTransit":{"ClientBroker":"TLS_PLAINTEXT"}}'

  2. Verify that the setting has been restored by describing the cluster:

    aws kafka describe-cluster --cluster-arn <CLUSTER_ARN> --region <REGION> --query "ClusterInfo.EncryptionInfo.EncryptionInTransit"

References

CIS Controls

Version   Control ID   Control Description                        IG1   IG2   IG3
v8        3.10         Encrypt Sensitive Data in Transit                 x     x
v8        12.3         Securely Manage Network Infrastructure            x     x