Profile Applicability:

  • Level 1

Description:

Apache Kafka commonly uses TCP port 9092 for client-broker communication. Allowing unrestricted internet access to this port on EC2 instances can expose your Kafka brokers to potential security threats. It's essential to ensure that EC2 instances do not permit ingress traffic from the internet to TCP port 9092.

Rationale:

Exposing Kafka brokers to the internet without proper restrictions can lead to unauthorized access, data breaches, and other malicious activities. By restricting ingress access to port 9092, you enhance the security posture of your Kafka deployment, ensuring that only trusted sources can communicate with your brokers.

Impact:

  • Positive Impact: Reduces the attack surface by preventing unauthorized internet-based access to Kafka brokers, thereby enhancing security.

  • Negative Impact: Legitimate clients outside your VPC may require access to Kafka. In such cases, you would need to implement secure access mechanisms, such as VPNs or VPC peering, to allow trusted traffic while maintaining security.

Default Value:

By default, EC2 security groups do not allow any inbound traffic. However, if custom security groups have been configured to allow ingress on port 9092 from 0.0.0.0/0 or ::/0, this would expose the Kafka brokers to the internet.

Pre-Requisite:

  • IAM Permissions: Ensure you have the necessary permissions to view and modify EC2 security group settings.

  • AWS Services: EC2, VPC.

  • Tools Required: AWS Management Console, AWS CLI.

Remediation:

Test plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 dashboard.

  3. In the left navigation pane, under Network & Security, choose Security Groups.

  4. Select each security group associated with your EC2 instances.

  5. Click on the Inbound rules tab.

  6. Review the rules to identify any that allow ingress on port 9092 from sources like 0.0.0.0/0 or ::/0.

  7. For any such rules, select them and click Delete.

  8. Ensure that only trusted IP ranges or security groups have access to port 9092, if necessary.

Using AWS CLI:

List all security groups and their ingress rules:

aws ec2 describe-security-groups --query 'SecurityGroups[].{ID:GroupId, Ingress:IpPermissions}'

Identify security groups with ingress rules allowing access to port 9092 from 0.0.0.0/0 or ::/0.

For each identified security group, revoke the unrestricted ingress rule:

aws ec2 revoke-security-group-ingress --group-id sg-xxxxxxxx --protocol tcp --port 9092 --cidr 0.0.0.0/0

Replace sg-xxxxxxxx with the actual security group ID.

If external access to Kafka is required, consider adding specific ingress rules that allow access only from trusted IP addresses or security groups.
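The following script is an added example, not part of the benchmark text or any AWS tooling. It takes the JSON that `aws ec2 describe-security-groups` returns (here a constructed sample with placeholder group IDs embedded inline), flags every ingress rule that admits TCP 9092 from 0.0.0.0/0 or ::/0, and builds the matching `aws ec2 revoke-security-group-ingress` command for each finding. It goes beyond the single command shown above in two ways a practitioner needs: it catches rules that cover 9092 only as part of a wider port range or an all-protocol (`-1`) rule, and it emits the `--ip-permissions` form for IPv6 rules, which the `--cidr` shorthand cannot express. The revoke must name the rule exactly as stored (protocol, full port range, CIDR); revoking only port 9092 from a 9000-9100 rule does not carve the port out of it.

```python
import json

KAFKA_PORT = 9092
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
# Group IDs and the account ID are placeholders, not real resources.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0000000000example1", "GroupName": "kafka-brokers",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 9092, "ToPort": 9092,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/16"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0000000000example2", "GroupName": "wide-port-range",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9100,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                        "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0000000000example3", "GroupName": "all-traffic",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0000000000example4", "GroupName": "internal-only",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 9092, "ToPort": 9092,
                        "IpRanges": [], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0000000000example5",
                                              "UserId": "123456789012"}]}]},
]})


def rule_covers_port(perm, port=KAFKA_PORT):
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_open_kafka_rules(describe_json, port=KAFKA_PORT):
    """Return one finding dict per (group, CIDR) pair that exposes `port` to the internet."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            common = {"group_id": sg["GroupId"], "proto": perm["IpProtocol"],
                      "from_port": perm.get("FromPort"), "to_port": perm.get("ToPort")}
            for r in perm.get("IpRanges", []):
                if r.get("CidrIp") in OPEN_CIDRS:
                    findings.append({**common, "family": "ipv4", "cidr": r["CidrIp"]})
            for r in perm.get("Ipv6Ranges", []):
                if r.get("CidrIpv6") in OPEN_CIDRS:
                    findings.append({**common, "family": "ipv6", "cidr": r["CidrIpv6"]})
    return findings


def revoke_command(f):
    """Build the argv for `aws ec2 revoke-security-group-ingress` that removes exactly this rule.

    Plain IPv4 TCP rules use the --protocol/--port/--cidr shorthand from the benchmark text;
    IPv6 and all-protocol rules need the --ip-permissions JSON form.
    """
    base = ["aws", "ec2", "revoke-security-group-ingress", "--group-id", f["group_id"]]
    if f["family"] == "ipv4" and f["proto"] == "tcp":
        port = (str(f["from_port"]) if f["from_port"] == f["to_port"]
                else f"{f['from_port']}-{f['to_port']}")
        return base + ["--protocol", "tcp", "--port", port, "--cidr", f["cidr"]]
    perm = {"IpProtocol": f["proto"]}
    if f["proto"] != "-1":
        perm["FromPort"], perm["ToPort"] = f["from_port"], f["to_port"]
    if f["family"] == "ipv4":
        perm["IpRanges"] = [{"CidrIp": f["cidr"]}]
    else:
        perm["Ipv6Ranges"] = [{"CidrIpv6": f["cidr"]}]
    return base + ["--ip-permissions", json.dumps([perm])]


if __name__ == "__main__":
    # In practice: pipe the real describe-security-groups output in instead of the sample.
    for finding in find_open_kafka_rules(SAMPLE_DESCRIBE_OUTPUT):
        print(finding["group_id"], finding["cidr"], "->", " ".join(revoke_command(finding)))
```

On the sample, the first three groups are flagged (the fourth admits 9092 only from another security group, which is the intended end state), and the revoke commands are printed rather than executed so they can be reviewed, and the corresponding trusted-source rule added, before anything is removed.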

Implementation Steps:

  1. Review Security Groups: Examine all security groups associated with your EC2 instances to identify any that permit unrestricted ingress to port 9092.

  2. Modify Ingress Rules: Remove or modify any rules that allow unrestricted access to port 9092. If external access is necessary, add rules that restrict access to trusted sources.

  3. Apply Changes: Ensure that changes are saved and applied to the relevant security groups.

Backout Plan:

If issues arise after modifying security group rules:

  1. Reinstate the original ingress rules that were removed or altered.

  2. Ensure that only trusted sources have access to port 9092, balancing security with functionality.

References: