Profile Applicability
- Level 2
Description
Exposing Kafka clusters to the public internet can lead to unauthorized access, data breaches, and potential misuse of sensitive information. Ensuring that Kafka clusters are accessible only through secure and trusted networks mitigates these risks and aligns with security best practices.
Rationale
Enhanced Security: Prevents unauthorized access to Kafka clusters and sensitive data.
Risk Mitigation: Reduces the attack surface and protects against malicious activities.
Compliance: Aligns with regulatory requirements for securing data and infrastructure.
Impact
Pros:
Protects Kafka clusters from unauthorized access and potential data breaches.
Reduces the risk of exploitation and misuse of sensitive data.
Enhances overall security posture and compliance.
Cons:
May require additional configuration for secure access, such as VPNs or private endpoints.
Could disrupt workflows if public access was previously relied upon.
Default Value
Public access is off by default: a newly created Amazon MSK cluster reports PublicAccess.Type as DISABLED, and its brokers are reachable only from the cluster VPC and from networks connected to it (peering, VPN, Transit Gateway). Public access cannot be enabled at creation time; it must be turned on explicitly after the cluster exists, so any cluster reporting SERVICE_PROVIDED_EIPS was deliberately exposed and should be treated as a finding.
Pre-Requisite
IAM Permissions:
kafka:ListClusters
kafka:DescribeCluster
kafka:UpdateConnectivity (public access is a connectivity setting; kafka:UpdateClusterConfiguration only covers Kafka server properties and does not change network exposure)
ec2:DescribeSecurityGroups and ec2:AuthorizeSecurityGroupIngress, needed only for the backout plan
AWS CLI installed and configured.
Remediation
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the MSK Dashboard.
Select Clusters from the left-hand menu.
For each cluster, open the Properties tab and check the Networking settings section: Public access must read Off. A cluster showing Public access On has brokers with service-provided elastic IPs and is reachable from the internet.
Using AWS CLI:
List the clusters to audit:
aws kafka list-clusters --query "ClusterInfoList[].ClusterArn"
Verify the public access setting of each cluster:
aws kafka describe-cluster --cluster-arn <cluster-arn> --query "ClusterInfo.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type"
The value must be "DISABLED". "SERVICE_PROVIDED_EIPS" means public access is on. Note that the subnet list (ClusterInfo.BrokerNodeGroupInfo.ClientSubnets) does not answer this question: public access is granted through elastic IPs attached by the service, so a cluster in private subnets can still be internet-reachable if this setting is enabled.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the MSK Dashboard.
Select the cluster to update and open the Properties tab.
Under Networking settings, choose Edit public access and turn public access Off.
Save the changes and wait for the cluster state to return from Updating to Active.
Using AWS CLI:
Disable Public Access (update-cluster-configuration only changes Kafka server properties and has no effect on exposure; connectivity is changed with update-connectivity, which requires the cluster's current version string):
aws kafka describe-cluster --cluster-arn <cluster-arn> --query "ClusterInfo.CurrentVersion" --output text
aws kafka update-connectivity --cluster-arn <cluster-arn> --current-version <current-version> --connectivity-info '{"PublicAccess":{"Type":"DISABLED"}}'
Verify the Changes (the update is asynchronous; State reads UPDATING until it completes, after which the type must be DISABLED):
aws kafka describe-cluster --cluster-arn <cluster-arn> --query "ClusterInfo.[State,BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type]"
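The audit and remediation steps above can be applied to saved describe-cluster output rather than by hand. The following helper is an added example written for this page; it is not part of the benchmark or of any AWS tooling. It reads the JSON that aws kafka describe-cluster (or describe-cluster-v2, whose fields sit under ClusterInfo.Provisioned) returns, reports whether each cluster passes, and builds the exact update-connectivity call, including the CurrentVersion that the API requires. The two sample responses, their ARNs and version strings are constructed placeholders so the script runs offline; point it at a real response with python3 msk_public_access.py response.json.

```python
"""Audit Amazon MSK clusters for public access and build the remediation command.

Added example for this benchmark page, not AWS code. Works on the JSON returned by
`aws kafka describe-cluster` or `aws kafka describe-cluster-v2`.
Usage: python3 msk_public_access.py [response.json ...]   (no args: built-in samples)
"""
import json
import shlex
import sys

PUBLIC_TYPE = "SERVICE_PROVIDED_EIPS"   # value MSK reports when public access is on
PRIVATE_TYPE = "DISABLED"               # the default and the only compliant value


def _cluster_info(response: dict) -> dict:
    """Accept either a full CLI response or a bare ClusterInfo object."""
    return response.get("ClusterInfo", response)


def public_access_type(response: dict) -> str:
    """Return PublicAccess.Type for one cluster, or 'UNKNOWN' if it is not reported.

    Handles the describe-cluster shape (ClusterInfo.BrokerNodeGroupInfo) and the
    describe-cluster-v2 shape (ClusterInfo.Provisioned.BrokerNodeGroupInfo).
    """
    info = _cluster_info(response)
    group = info.get("BrokerNodeGroupInfo") or info.get("Provisioned", {}).get("BrokerNodeGroupInfo", {})
    return group.get("ConnectivityInfo", {}).get("PublicAccess", {}).get("Type", "UNKNOWN")


def is_compliant(response: dict) -> bool:
    """Pass only when public access is explicitly DISABLED.

    A missing or unexpected value is reported as a finding rather than silently
    passed, so a changed response shape cannot hide an exposed cluster.
    """
    return public_access_type(response) == PRIVATE_TYPE


def remediation_command(response: dict) -> str:
    """Build the `aws kafka update-connectivity` call that turns public access off.

    The API needs the cluster's CurrentVersion and rejects a stale one, which
    protects against racing a concurrent change on the same cluster.
    """
    info = _cluster_info(response)
    connectivity = json.dumps({"PublicAccess": {"Type": PRIVATE_TYPE}}, separators=(",", ":"))
    return " ".join([
        "aws kafka update-connectivity",
        "--cluster-arn", shlex.quote(info["ClusterArn"]),
        "--current-version", shlex.quote(info["CurrentVersion"]),
        "--connectivity-info", shlex.quote(connectivity),
    ])


def audit(responses):
    """Yield (cluster name, PublicAccess.Type, compliant) for each response."""
    for r in responses:
        info = _cluster_info(r)
        name = info.get("ClusterName") or info.get("ClusterArn", "?")
        yield name, public_access_type(r), is_compliant(r)


# Constructed sample responses; ARNs, names and version strings are placeholders.
SAMPLE_RESPONSES = [
    {"ClusterInfo": {  # describe-cluster shape, public access ON -> finding
        "ClusterName": "orders-prod",
        "ClusterArn": "arn:aws:kafka:us-east-1:111122223333:cluster/orders-prod/00000000-0000-0000-0000-000000000001-1",
        "CurrentVersion": "K3AEGXETSR30VB",
        "BrokerNodeGroupInfo": {
            "ClientSubnets": ["subnet-0a1b2c3d", "subnet-0e4f5a6b"],
            "ConnectivityInfo": {"PublicAccess": {"Type": "SERVICE_PROVIDED_EIPS"}},
        },
    }},
    {"ClusterInfo": {  # describe-cluster-v2 shape, public access OFF -> pass
        "ClusterName": "metrics-internal",
        "ClusterArn": "arn:aws:kafka:us-east-1:111122223333:cluster/metrics-internal/00000000-0000-0000-0000-000000000002-1",
        "CurrentVersion": "K2EUQ1WTGCTBG2",
        "Provisioned": {"BrokerNodeGroupInfo": {
            "ClientSubnets": ["subnet-0c7d8e9f"],
            "ConnectivityInfo": {"PublicAccess": {"Type": "DISABLED"}},
        }},
    }},
]


if __name__ == "__main__":
    paths = sys.argv[1:]
    responses = [json.load(open(p)) for p in paths] if paths else SAMPLE_RESPONSES
    for name, ptype, ok in audit(responses):
        print(f"{name}: PublicAccess.Type={ptype} -> {'PASS' if ok else 'FAIL'}")
    for r in responses:
        if public_access_type(r) == PUBLIC_TYPE:
            print("  remediate with:", remediation_command(r))
```

Against the built-in samples the script flags orders-prod and prints the update-connectivity command for it, and passes metrics-internal. Because the command is generated from the same response that produced the finding, the version string it carries is the one the API will accept at that moment; if someone else changes the cluster in between, the call fails closed instead of applying a stale view.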
Backout Plan
Using AWS Console:
If restricting access breaks a client that genuinely needs to reach the brokers from outside the VPC, first try a private path (VPN, VPC peering or AWS Transit Gateway) before reverting.
If public access must be restored, sign in to the AWS Management Console, navigate to Amazon MSK, select the cluster, open the Properties tab and choose Edit public access under Networking settings.
Turn public access On (not recommended for security purposes). MSK only allows this on clusters with unauthenticated access disabled, TLS encryption between clients and brokers, and an authentication method (IAM, SASL/SCRAM or mutual TLS) enabled.
Save the changes, confirm the broker security group allows inbound traffic from the client's source range on the public listener port, and verify that the client can connect again.
Using AWS CLI:
If public access must be restored, revert the connectivity setting (not recommended; the call is rejected unless the cluster meets the public-access prerequisites noted above):
aws kafka update-connectivity --cluster-arn <cluster-arn> --current-version <current-version> --connectivity-info '{"PublicAccess":{"Type":"SERVICE_PROVIDED_EIPS"}}'
Then permit the client's source range, and only that range, on the public listener port the client uses (9194 for TLS, 9196 for SASL/SCRAM, 9198 for IAM). modify-security-group-rules takes security group rule IDs rather than a protocol, port and CIDR; a new rule is added with authorize-security-group-ingress. Do not use 0.0.0.0/0 as the source:
aws ec2 authorize-security-group-ingress --region <REGION> --group-id <SECURITY_GROUP_ID> --protocol tcp --port 9194 --cidr <CLIENT_CIDR>
Verify the resulting exposure (again, this is not recommended) and record it as an accepted risk:
aws kafka describe-cluster --cluster-arn <cluster-arn> --query "ClusterInfo.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type"
aws ec2 describe-security-groups --group-ids <SECURITY_GROUP_ID> --region <REGION> --query "SecurityGroups[].IpPermissions"