Profile Applicability

  • Level 2

Description

Encryption at rest protects sensitive data stored in Kafka clusters by encrypting it on disk. Using Customer Managed Keys (CMK) provides greater control over the encryption process, including key rotation, access policies, and lifecycle management. This ensures compliance with stringent security and regulatory requirements.

Rationale

  • Enhanced Security: CMKs provide full control over encryption keys, ensuring that only authorized users can access sensitive data.

  • Compliance: Meets regulatory requirements for data protection and privacy by using customer-controlled encryption keys.

  • Key Management: Allows for key rotation and revocation, ensuring better security practices.

Impact

Pros:

  • Provides full control over encryption keys and policies.

  • Enhances data security by ensuring only authorized access.

  • Aligns with compliance and regulatory standards.

Cons:

  • Requires additional configuration and management of CMKs.

  • May incur additional costs for using AWS Key Management Service (KMS).

Default Value

By default, Kafka clusters use AWS-managed keys for encryption at rest. Customer Managed Keys must be explicitly configured.

Pre-Requisite

IAM Permissions:

  • kafka:ListClusters

  • kafka:DescribeCluster

  • kms:CreateKey

  • kms:DescribeKey

  • AWS CLI installed and configured.

Remediation

Test Plan:

 Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the MSK Dashboard.

  3. Select Clusters from the left-hand menu.

  4. Check the encryption settings for each cluster and verify if CMKs are being used.

Using AWS CLI:

  1. List All MSK Clusters:

    aws kafka list-clusters --query "ClusterInfoList[*].{ClusterName:ClusterName,EncryptionAtRest:EncryptionInfo.EncryptionAtRest.KmsKeyArn}"

  2. Verify that the KmsKeyArn field is populated with a CMK ARN.

Implementation Steps: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the MSK Dashboard.

  3. Select the cluster to update.

  4. Click Edit Cluster and configure encryption at rest to use a Customer Managed Key (CMK) from AWS KMS.

  5. Save the changes.

Using AWS CLI:

  1. Update the cluster to use a CMK:

    aws kafka update-cluster-configuration --cluster-arn <cluster-arn> --configuration-info file://config.json

  2. Verify the Changes:

    aws kafka describe-cluster --cluster-arn <cluster-arn> --query "ClusterInfo.EncryptionInfo.EncryptionAtRest.KmsKeyArn"

Backout Plan

Using AWS Console:

  1. If enabling encryption causes issues with connector communication, sign in to the AWS Management Console.

  2. Navigate to Amazon MSK Connect, select the connector, and go to Edit.

  3. Disable TLS encryption and switch to non-encrypted communication.

  4. Save the changes and verify that the connector can communicate without encryption.

Using AWS CLI:

  1. To disable encryption in transit, run the following command:

    aws kafka update-connector --connector-arn <CONNECTOR_ARN> --encryption-in-transit '{"enabled": false}' --region <REGION>

  2. Verify that encryption has been disabled:

    aws kafka describe-connector --connector-arn <CONNECTOR_ARN> --region <REGION>

References

CIS Controls

Version

Control ID

Control Description

IG1

IG2

IG3

v8

5.3

Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.

v8

13.2

Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.