Profile Applicability

  • Level 2

Description

Amazon MSK supports multiple versions of Apache Kafka, and using the latest version ensures that your clusters benefit from the latest features, performance improvements, and security patches. Running outdated versions may expose clusters to vulnerabilities and limit access to new capabilities.

Rationale

  • Enhanced Security: The latest versions include critical security updates to protect against vulnerabilities.

  • Improved Performance: Benefit from optimizations and new features introduced in the latest versions.

  • Compliance: Aligns with best practices for maintaining secure and up-to-date infrastructure.

Impact

Pros:

  • Ensures clusters are secure and up-to-date.

  • Provides access to the latest features and performance improvements.

  • Reduces the risk of vulnerabilities and exploits.

Cons:

  • Upgrading may require downtime or careful planning to avoid service disruptions.

  • Compatibility testing may be needed for applications using the cluster.

Default Value

By default, MSK clusters do not automatically upgrade to the latest version. Upgrades must be initiated manually.

Pre-Requisite

IAM Permissions:

  • kafka:ListClusters

  • kafka:DescribeCluster

  • kafka:UpdateClusterKafkaVersion

  • AWS CLI installed and configured.

Remediation

Test Plan: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the MSK Dashboard.

  3. Select Clusters from the left-hand menu.

  4. Check the Kafka version for each cluster and compare it with the latest supported version.

Using AWS CLI:

  1. List All MSK Clusters:

    aws kafka list-clusters --query "ClusterInfoList[*].{ClusterName:ClusterName,CurrentVersion:CurrentBrokerSoftwareInfo.KafkaVersion}"

  2. Compare the listed versions with the latest supported version.
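The comparison in step 2 can be scripted. The following is an added example, not part of the benchmark text; the function names, the sample rows and the target version are assumptions made for illustration, and the handling of non-numeric version components is a simplification.

```shell
#!/bin/sh
# Added example, not part of the benchmark text.
# stdin: tab-separated "<ClusterName>\t<KafkaVersion>" rows, e.g. from
#   aws kafka list-clusters --output text --query \
#     "ClusterInfoList[*].[ClusterName,CurrentBrokerSoftwareInfo.KafkaVersion]"

# version_lt A B: succeeds (exit 0) only when A is older than B.
# Assumption: the first three dot-separated components are compared
# numerically; a non-numeric or missing component (the "x" in "3.7.x")
# ends the comparison as "not older"; later suffixes are ignored.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] !~ /^[0-9]+$/ || y[i] !~ /^[0-9]+$/) exit 1
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }' </dev/null
}

# outdated_clusters TARGET: print the stdin rows older than TARGET.
outdated_clusters() {
    target="$1"
    while IFS="$(printf '\t')" read -r name version; do
        [ -n "$name" ] || continue
        if version_lt "$version" "$target"; then
            printf '%s\t%s\n' "$name" "$version"
        fi
    done
}

# Constructed sample rows; names and versions are made up for illustration.
sample_rows() {
    printf 'orders-prod\t2.8.1\n'
    printf 'audit-logs\t3.5.1\n'
    printf 'metrics\t3.6.0\n'
    printf 'tiered-archive\t2.8.2.tiered\n'
    printf 'events-kraft\t3.7.x.kraft\n'
}

# "3.6.0" is a placeholder target, not a statement of the latest release.
sample_rows | outdated_clusters "3.6.0"
```

Rows whose version field is not numeric (for example `None` in text output) are not flagged and should be reviewed separately.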

Implementation Steps: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the MSK Dashboard.

  3. Select the cluster to upgrade.

  4. Click Actions and choose Update Kafka Version.

  5. Follow the prompts to upgrade to the latest version.

Using AWS CLI:

  1. Upgrade the Kafka Version:

    aws kafka update-cluster-kafka-version --cluster-arn <cluster-arn> --current-version <current-version> --target-kafka-version <latest-version>

  2. Verify the Upgrade:

Backout Plan

Using AWS Management Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon MSK > Clusters.

  3. Select the specific cluster that you updated to the latest version.

  4. Under the Cluster Details page, click Edit to revert the version.

  5. Revert to the previous cluster version (if supported) in the Kafka Version field.

  6. Save the changes to apply the backout.

Using AWS CLI:

  1. List the cluster details to identify the current version and back up the required cluster info:

    aws kafka list-clusters --query "ClusterInfoList[*].[ClusterName,CurrentVersion]" --output table

  2. Initiate the backout to the previous Kafka version using the update-cluster-configuration command:

    aws kafka update-cluster-configuration \
    --cluster-arn <cluster-arn> \
    --current-version <previous-cluster-version-arn> \
    --configuration-info Arn=<previous-configuration-arn>,Revision=<revision-id>


References

CIS Controls

  Version | Control ID | Control Description                                                                                      | IG1 | IG2 | IG3
  --------|------------|----------------------------------------------------------------------------------------------------------|-----|-----|-----
  v8      | 5.3        | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.        |     |     |
  v8      | 13.2       | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes. |     |     |
  v7      | 9.1        | Limit Exposure to External Networks – Use techniques like upgrading to secure versions.                  |     |     |



Verification command for step 2 (Verify the Upgrade) of the CLI implementation steps:

    aws kafka describe-cluster --cluster-arn <cluster-arn> --query "ClusterInfo.CurrentBrokerSoftwareInfo.KafkaVersion"