Profile Applicability:

  • Level 1

Description:

Apache Kafka is a distributed streaming platform that requires secure network configurations to ensure that only authorized systems can connect to it. Port 9092 is the default port used by Kafka for client connections. Allowing ingress traffic from 0.0.0.0/0 (IPv4) or ::/0 (IPv6) to Kafka port 9092 exposes the Kafka brokers to the internet, which can result in unauthorized access or security vulnerabilities. It is recommended to configure security groups to restrict access to Kafka port 9092 to trusted IP addresses or networks only.

Rationale:

Allowing unrestricted ingress to Kafka port 9092 from the internet (0.0.0.0/0 or ::/0) can create significant security risks, such as unauthorized access or data breaches. Limiting access to trusted sources ensures that Kafka is only accessible from authorized systems, protecting your data and infrastructure from external threats. By configuring security groups correctly, you help secure your Kafka brokers and reduce the attack surface.

Impact:

Pros:

  • Enhances the security of Kafka brokers by limiting access to trusted systems.

  • Reduces the risk of unauthorized access or data exfiltration.

  • Helps comply with security best practices and regulatory requirements.

Cons:

  • Requires careful configuration to ensure that legitimate internal or external systems can still access Kafka.

  • Misconfiguration can lead to loss of access for authorized systems.

Default Value:

By default, security groups may allow ingress from 0.0.0.0/0 or ::/0, which would make Kafka port 9092 accessible from the public internet. This setting must be manually modified to restrict access.

Pre-requisite:

  • AWS IAM permissions:

    • ec2:DescribeSecurityGroups

    • ec2:RevokeSecurityGroupIngress

    • ec2:AuthorizeSecurityGroupIngress

  • AWS CLI installed and configured.

  • Basic understanding of Amazon EC2 Security Groups and Kafka port configuration.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 under Services.

  3. In the left navigation pane, select Security Groups under Network & Security.

  4. For each Security Group associated with Kafka instances, click on the security group name to view the Inbound Rules.

  5. Check if there are any rules allowing ingress traffic to port 9092 from 0.0.0.0/0 (IPv4) or ::/0 (IPv6).

    • If any rules are found, edit the rule to remove 0.0.0.0/0 or ::/0 and replace them with more restrictive CIDR blocks or specific IP addresses that need access to Kafka.

  6. Ensure that the Kafka port 9092 is only accessible to trusted IP addresses or networks.

Using AWS CLI:

List all security groups and show the IPv4 and IPv6 source ranges of every ingress rule whose port is 9092:

aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,IPv4:IpPermissions[?ToPort==`9092`].IpRanges[].CidrIp,IPv6:IpPermissions[?ToPort==`9092`].Ipv6Ranges[].CidrIpv6}' --output table

Review the Ingress rules to identify any security groups that allow ingress from 0.0.0.0/0 or ::/0 to port 9092.

If any security group has such a rule, modify the security group to restrict access:

aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port 9092 --cidr 0.0.0.0/0

aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port 9092 --cidr ::/0

To add more restrictive rules, run:

aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 9092 --cidr <trusted-ip-range>

Implementation Steps:

Using AWS Console:

  1. Open the AWS Management Console.

  2. Navigate to EC2.

  3. Under Network & Security, select Security Groups.

  4. Select the security group associated with your Kafka instance.

  5. Review the Inbound Rules for any rules that allow ingress to port 9092 from 0.0.0.0/0 or ::/0.

  6. Edit the rule to remove 0.0.0.0/0 and ::/0, and replace them with more restrictive CIDR blocks or specific IP addresses that need access.

  7. Save the changes.

Using AWS CLI:

List the security groups and inspect the IPv4 and IPv6 source ranges of their inbound rules for port 9092:

aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,IPv4:IpPermissions[?ToPort==`9092`].IpRanges[].CidrIp,IPv6:IpPermissions[?ToPort==`9092`].Ipv6Ranges[].CidrIpv6}' --output table

Revoke the insecure ingress rule:

aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port 9092 --cidr 0.0.0.0/0

aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port 9092 --cidr ::/0

Add secure ingress rules to allow traffic from specific trusted IPs:

aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 9092 --cidr <trusted-ip-range>
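The audit in the Test Plan and the revocation in the Implementation Steps, written as offline logic over the JSON that `aws ec2 describe-security-groups` returns, as an added example that is not part of this benchmark. It goes one step further than a query on ToPort==9092: it also flags rules whose port range contains 9092 and all-traffic rules, and builds a revoke command that matches the offending rule exactly. The sample output, group IDs and group names are constructed for the example.

```python
import json

KAFKA_PORT = 9092
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like `aws ec2 describe-security-groups` output (IDs and names made up).
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0000000000000001", "GroupName": "kafka-brokers", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9092, "ToPort": 9092,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/16"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0000000000000002", "GroupName": "kafka-range", "IpPermissions": [
        # A 9000-9999 range contains 9092; a query filtering on ToPort==9092 alone would miss it.
        {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9999,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]})

def rule_covers_port(perm, port):
    """True if an IpPermissions entry reaches `port`: exactly, via a port range, or as all-traffic."""
    if perm.get("IpProtocol") == "-1":                 # -1 means all protocols and all ports
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):     # Kafka listens on TCP only
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def find_open_kafka_rules(describe_output, port=KAFKA_PORT):
    """Return one dict per rule that exposes `port` to 0.0.0.0/0 or ::/0 (IPv4 and IPv6 ranges)."""
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in OPEN_CIDRS:
                    findings.append({"GroupId": sg["GroupId"], "Cidr": cidr, "IpProtocol": perm["IpProtocol"],
                                     "FromPort": perm.get("FromPort"), "ToPort": perm.get("ToPort")})
    return findings

def revoke_command(rule):
    """Revoke call that matches the offending rule exactly: the rule's own port range is used, since
    revoking --port 9092 does not match a 9000-9999 rule, and all-traffic rules need --protocol all."""
    if rule["IpProtocol"] == "-1":
        match = "--protocol all"
    else:
        match = f"--protocol tcp --port {rule['FromPort']}" + (
            f"-{rule['ToPort']}" if rule["FromPort"] != rule["ToPort"] else "")
    return f"aws ec2 revoke-security-group-ingress --group-id {rule['GroupId']} {match} --cidr {rule['Cidr']}"
```

Feed it real output with `aws ec2 describe-security-groups --output json` and review each generated command before running it, since revoking a 9000-9999 rule also closes the other ports in that range.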

Backout Plan:

If modifying the security groups causes loss of access to Kafka or application issues:

  1. Identify the affected security group and review the access configuration.

  2. Revert to the original configuration by temporarily adding 0.0.0.0/0 or ::/0 back to the security group ingress rule:

aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 9092 --cidr 0.0.0.0/0

aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 9092 --cidr ::/0

  3. Verify that Kafka is accessible and troubleshoot any other issues caused by the change.

  4. Document the restoration actions for auditing and compliance purposes.

References:

CIS Controls Mapping:

Version  Control ID  Control Description                                                                                                          IG1  IG2  IG3
v8       3.4         Encrypt Data on End-User Devices – Ensure data encryption during file system access.
v8       6.7         Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.
v8       6.8         Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.