Profile Applicability

  • Level 2

Description

Encryption in transit ensures that data exchanged between MSK Connect connectors and Kafka clusters is protected from unauthorized access and tampering. By enabling encryption in transit, you safeguard sensitive data and comply with security best practices.

Rationale

  • Enhanced Security: Protects data from interception and unauthorized access during transmission.

  • Compliance: Meets regulatory requirements for securing data in transit.

  • Risk Mitigation: Reduces the risk of man-in-the-middle attacks and data breaches.

Impact

Pros:

  • Ensures secure communication between MSK Connect connectors and Kafka clusters.

  • Reduces the risk of data interception and tampering.

  • Aligns with compliance and security standards.

Cons:

  • May introduce slight latency due to encryption overhead.

  • Requires proper configuration of encryption settings.

Default Value

By default, MSK Connect supports encryption in transit using TLS. However, this must be explicitly configured to ensure secure communication.

Pre-Requisite

IAM Permissions:

  • kafka:DescribeCluster

  • kafka:UpdateClusterConfiguration

  • AWS CLI installed and configured.

Remediation

Test Plan: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the MSK Dashboard.

  3. Select Connectors from the left-hand menu.

  4. Check the encryption settings for each connector and ensure that TLS is enabled.

Using AWS CLI:

  1. Verify Encryption Settings:

    aws kafka describe-cluster --cluster-arn <cluster-arn> --query "ClusterInfo.EncryptionInfo.EncryptionInTransit"

  2. Ensure that the EncryptionInTransit field is set to TLS.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the MSK Dashboard.

  3. Select the connector to update.

  4. Edit the connector configuration to enable encryption in transit using TLS.

  5. Save the changes.

Using AWS CLI:

  1. Update Encryption Settings:

    aws kafka update-cluster-configuration --cluster-arn <cluster-arn> --configuration-info file://config.json

  2. Verify the Changes:

    aws kafka describe-cluster --cluster-arn <cluster-arn> --query "ClusterInfo.EncryptionInfo.EncryptionInTransit"

Backout Plan

Using AWS Console:

  1. If enabling encryption causes issues with connector communication, sign in to the AWS Management Console.
    Navigate to Amazon MSK Connect, select the connector, and go to Edit.

  2. Disable TLS encryption and switch to non-encrypted communication.

  3. Save the changes and verify that the connector can communicate without encryption.

Using AWS CLI:

  1. To disable encryption in transit, run the following command:

    aws kafka update-connector --connector-arn <CONNECTOR_ARN> --encryption-in-transit '{"enabled": false}' --region <REGION>

  2. Verify that encryption has been disabled:

    aws kafka describe-connector --connector-arn <CONNECTOR_ARN> --region <REGION>

References

CIS Controls

Version

Control ID

Control Description

IG1

IG2

IG3

v8

5.3

Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.

v8

13.2

Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.