Profile Applicability

  • Level 2

Description 

Mutual TLS (mTLS) authentication ensures that both the client and the server authenticate each other during communication. This provides an additional layer of security for Kafka clusters by ensuring that only trusted clients can connect to the cluster. Enabling mTLS is a critical step in securing sensitive data and preventing unauthorized access.

Rationale

  • Enhanced Security: Ensures that only trusted clients can connect to Kafka clusters.

  • Compliance: Meets regulatory requirements for secure communication and data protection.

  • Risk Mitigation: Reduces the risk of unauthorized access and man-in-the-middle attacks.

Impact

Pros:

  • Provides strong authentication for both clients and servers.

  • Enhances data security by encrypting communication.

  • Aligns with compliance and security standards.

Cons:

  • Requires additional configuration and management of certificates.

  • May introduce slight latency due to encryption overhead.

Default Value

By default, Kafka clusters do not enforce mTLS authentication. This must be explicitly configured.

Pre-Requisite

IAM Permissions:

  • kafka:DescribeCluster

  • kafka:UpdateClusterConfiguration

  • AWS CLI installed and configured.

Remediation

Test Plan: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the MSK Dashboard.

  3. Select Clusters from the left-hand menu.

  4. Check the Security Settings for each cluster and verify if mTLS authentication is enabled.

Using AWS CLI:

  1. Verify mTLS Authentication Settings:

    aws kafka describe-cluster --cluster-arn <cluster-arn> --query "ClusterInfo.ClientAuthentication.Tls"

  2. Ensure that the Tls field is set to Enabled.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the MSK Dashboard.

  3. Select the cluster to update.

  4. Edit the cluster configuration to enable mTLS authentication using AWS Certificate Manager (ACM).

  5. Save the changes.

Using AWS CLI:

  1. Enable mTLS Authentication:

    aws kafka update-cluster-configuration --cluster-arn <cluster-arn> --configuration-info file://config.json

  2. Verify the Changes:

    aws kafka describe-cluster --cluster-arn <cluster-arn> --query "ClusterInfo.ClientAuthentication.Tls"

Backout Plan

Using AWS Console:

  1. If enabling Mutual TLS Authentication causes issues with client connections, sign in to the AWS Management Console.

  2. Navigate to Amazon MSK, select the Kafka cluster, and go to Edit.

  3. Disable Mutual TLS Authentication and switch to standard TLS encryption (i.e., without client authentication).

  4. Save the changes and verify that clients are able to reconnect.

Using AWS CLI:

  1. To disable Mutual TLS Authentication, run the following command:

    aws kafka update-cluster-configuration --cluster-arn <CLUSTER_ARN> --encryption-in-transit '{"enabled": true, "clientBroker": "TLS"}' --region <REGION>

  2. Verify that Mutual TLS Authentication is no longer enabled:

    aws kafka describe-cluster --cluster-arn <CLUSTER_ARN> --region <REGION>

References

CIS Controls

Version

Control ID

Control Description

IG1

IG2

IG3

v8

5.3

Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.

v8

13.2

Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.