Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable MSK Cluster Encryption at Rest using CMK

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Amazon Managed Streaming for Kafka (MSK) clusters are using KMS Customer Master Keys (CMKs) instead of AWS managed keys (default keys used by Amazon MSK when there are no customer master keys defined) in order to have a more granular control over the cluster data encryption/decryption process. Amazon MSK is a fully managed AWS service that enables you to migrate, build, and run real-time streaming applications on Apache Kafka.

Security

By default, Amazon MSK uses AWS managed keys to encrypt the data that it stores on the cluster nodes. However, now you have the option to configure your MSK clusters to encrypt data using customer-managed keys. When you define and use your own Amazon KMS Customer Master Keys (CMKs) to protect the MSK data, you gain full control over who can use these keys to access your cluster data. The Amazon KMS service allows you to create, rotate, disable, and audit CMKs for your Amazon MSK clusters.


Audit

To determine the type of the KMS key used for Amazon MSK cluster encryption, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon MSK console at https://console.aws.amazon.com/msk.

03 In the main navigation panel, under MSK Clusters, choose Clusters.

04 Click on the name (link) of the cluster that you want to examine, available in the Cluster name column.

05 Select the Properties tab and find the Security settings panel to view the encryption options available for the selected cluster.

06 In the Encryption section, check the Type of KMS key attribute value, listed under Encrypt data at rest. If the Type of KMS key value is set to AWS managed key, the data managed by the selected Amazon MSK cluster is encrypted using the default master key (AWS-managed key) instead of a KMS Customer Master Key (CMK).

07 Repeat steps no. 4 – 6 for each Amazon Managed Streaming for Kafka (MSK) cluster provisioned within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for the other regions.

Using AWS CLI

01 Run list-clusters command (OSX/Linux/UNIX) using custom query filters to list the Amazon Resource Names (ARNs) of the Amazon MSK clusters available in the selected AWS region:

aws kafka list-clusters
  --region us-east-1
  --query 'ClusterInfoList[*].ClusterArn'

02 The command output should return an array with the requested cluster ARNs:

[
	"arn:aws:kafka:us-east-1:123456789012:cluster/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab",
	"arn:aws:kafka:us-east-1:123456789012:cluster/cc-msk-app-cluster/aabbccdd-1234-aabb-1234-aabbccddaabb-cd"
]

03 Run describe-cluster command (OSX/Linux/UNIX) using the ARN of the Amazon MSK cluster that you want to examine as the identifier parameter and custom query filters to describe the ARN of the Amazon KMS key used to encrypt the data available on the selected cluster:

aws kafka describe-cluster
  --region us-east-1
  --cluster-arn arn:aws:kafka:us-east-1:123456789012:cluster/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab
  --query 'ClusterInfo.EncryptionInfo.EncryptionAtRest.DataVolumeKMSKeyId'

04 The command output should return the requested Amazon Resource Name (ARN):

"arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"

05 Run describe-key command (OSX/Linux/UNIX) using the ARN of the master key returned at the previous step as the identifier parameter to describe the manager of the specified key:

aws kms describe-key
  --region us-east-1
  --key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd
  --query 'KeyMetadata.KeyManager'

06 The command output should the master key manager ("AWS" if the master key is AWS-managed, and "CUSTOMER" if the key is customer-managed):

"AWS"

If the describe-key command output returns "AWS", as shown in the example above, the data managed by the selected Amazon MSK cluster is encrypted using the default master key (AWS-managed key) instead of a KMS Customer Master Key (CMK).

07 Repeat steps no. 3 – 6 for each Amazon Managed Streaming for Kafka (MSK) cluster available in the selected AWS region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the Audit process for other regions.

Remediation / Resolution

Encryption at rest can't be enabled for existing Amazon MSK clusters. To encrypt the data available on your cluster node volumes, you must re-create your MSK cluster with the appropriate encryption configuration, by performing the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Encryption at Rest using CMKs",
	"Resources": {
		"KMSKEY": {
			"Type": "AWS::KMS::Key",
			"Properties": {
				"Enabled": true,
				"KeySpec": "SYMMETRIC_DEFAULT",
				"KeyUsage": "ENCRYPT_DECRYPT",
				"Description": "Symmetric Amazon KMS Customer Master Key",
				"KeyPolicy": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Sid": "Enable IAM User Permissions",
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:root"
							},
							"Action": "kms:*",
							"Resource": "*"
						},
						{
							"Sid": "Allow access for Key Administrators",
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
							},
							"Action": [
								"kms:Create*",
								"kms:Describe*",
								"kms:Enable*",
								"kms:List*",
								"kms:Put*",
								"kms:Update*",
								"kms:Revoke*",
								"kms:Disable*",
								"kms:Get*",
								"kms:Delete*",
								"kms:TagResource",
								"kms:UntagResource",
								"kms:ScheduleKeyDeletion",
								"kms:CancelKeyDeletion"
							],
							"Resource": "*"
						},
						{
							"Sid": "Allow use of the key",
							"Effect": "Allow",
							"Principal": {
								"AWS": [
									"arn:aws:iam::123456789012:user/cloud-resource-manager"
								]
							},
							"Action": [
								"kms:Encrypt",
								"kms:Decrypt",
								"kms:ReEncrypt*",
								"kms:GenerateDataKey*",
								"kms:DescribeKey"
							],
							"Resource": "*"
						},
						{
							"Sid": "Allow attachment of persistent resources",
							"Effect": "Allow",
							"Principal": {
								"AWS": [
									"arn:aws:iam::123456789012:user/cloud-resource-manager"
								]
							},
							"Action": [
								"kms:CreateGrant",
								"kms:ListGrants",
								"kms:RevokeGrant"
							],
							"Resource": "*",
							"Condition": {
								"Bool": {
									"kms:GrantIsForAWSResource": "true"
								}
							}
						}
					]
				}
			}
		},
		"KMSKEYAlias": {
			"Type": "AWS::KMS::Alias",
			"Properties": {
				"AliasName": "alias/MskDataCMK",
				"TargetKeyId": {
					"Ref": "KMSKEY"
				}
			}
		},
		"MSKCluster": {
			"Type": "AWS::MSK::Cluster",
			"Properties": {
				"ClusterName": "cc-encrypted-msk-cluster",
				"KafkaVersion": "3.2.0",
				"NumberOfBrokerNodes": 2,
				"EnhancedMonitoring": "DEFAULT",
				"BrokerNodeGroupInfo": {
					"BrokerAZDistribution": "DEFAULT",
					"ClientSubnets": [
						"subnet-0abcd1234abcd1234",
						"subnet-01234abcd1234abcd"
					],
					"InstanceType": "kafka.m5.large",
					"SecurityGroups": [
						"sg-0abcd1234abcd1234"
					],
					"StorageInfo": {
						"EbsStorageInfo": {
							"VolumeSize": 500
						}
					}
				},
				"EncryptionInfo": {
					"EncryptionAtRest": {
						"DataVolumeKMSKeyId": {
							"Ref": "KMSKEY"
						}
					}
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Description: Enable Encryption at Rest using CMKs
	Resources:
	KMSKEY:
		Type: AWS::KMS::Key
		Properties:
		Enabled: true
		KeySpec: SYMMETRIC_DEFAULT
		KeyUsage: ENCRYPT_DECRYPT
		Description: Symmetric Amazon KMS Customer Master Key
		KeyPolicy:
			Version: '2012-10-17'
			Statement:
			- Sid: Enable IAM User Permissions
				Effect: Allow
				Principal:
				AWS: arn:aws:iam::123456789012:root
				Action: kms:*
				Resource: '*'
			- Sid: Allow access for Key Administrators
				Effect: Allow
				Principal:
				AWS: arn:aws:iam::123456789012:user/kms-key-admin
				Action:
				- kms:Create*
				- kms:Describe*
				- kms:Enable*
				- kms:List*
				- kms:Put*
				- kms:Update*
				- kms:Revoke*
				- kms:Disable*
				- kms:Get*
				- kms:Delete*
				- kms:TagResource
				- kms:UntagResource
				- kms:ScheduleKeyDeletion
				- kms:CancelKeyDeletion
				Resource: '*'
			- Sid: Allow use of the key
				Effect: Allow
				Principal:
				AWS:
					- arn:aws:iam::123456789012:user/cloud-resource-manager
				Action:
				- kms:Encrypt
				- kms:Decrypt
				- kms:ReEncrypt*
				- kms:GenerateDataKey*
				- kms:DescribeKey
				Resource: '*'
			- Sid: Allow attachment of persistent resources
				Effect: Allow
				Principal:
				AWS:
					- arn:aws:iam::123456789012:user/cloud-resource-manager
				Action:
				- kms:CreateGrant
				- kms:ListGrants
				- kms:RevokeGrant
				Resource: '*'
				Condition:
				Bool:
					kms:GrantIsForAWSResource: 'true'
	KMSKEYAlias:
		Type: AWS::KMS::Alias
		Properties:
		AliasName: alias/MskDataCMK
		TargetKeyId: !Ref 'KMSKEY'
	MSKCluster:
		Type: AWS::MSK::Cluster
		Properties:
		ClusterName: cc-encrypted-msk-cluster
		KafkaVersion: 3.2.0
		NumberOfBrokerNodes: 2
		EnhancedMonitoring: DEFAULT
		BrokerNodeGroupInfo:
			BrokerAZDistribution: DEFAULT
			ClientSubnets:
			- subnet-0abcd1234abcd1234
			- subnet-01234abcd1234abcd
			InstanceType: kafka.m5.large
			SecurityGroups:
			- sg-0abcd1234abcd1234
			StorageInfo:
			EbsStorageInfo:
				VolumeSize: 500
		EncryptionInfo:
			EncryptionAtRest:
			DataVolumeKMSKeyId: !Ref 'KMSKEY'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_kms_key" "kms-key" {
	is_enabled               = true
	customer_master_key_spec = "SYMMETRIC_DEFAULT"
	key_usage                = "ENCRYPT_DECRYPT"
	description              = "Symmetric Amazon KMS Customer Master Key"
	policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Sid": "Enable IAM User Permissions",
				"Effect": "Allow",
				"Principal": {
					"AWS": "arn:aws:iam::123456789012:root"
				},
				"Action": "kms:*",
				"Resource": "*"
			},
			{
				"Sid": "Allow access for Key Administrators",
				"Effect": "Allow",
				"Principal": {
					"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
				},
				"Action": [
					"kms:Create*",
					"kms:Describe*",
					"kms:Enable*",
					"kms:List*",
					"kms:Put*",
					"kms:Update*",
					"kms:Revoke*",
					"kms:Disable*",
					"kms:Get*",
					"kms:Delete*",
					"kms:TagResource",
					"kms:UntagResource",
					"kms:ScheduleKeyDeletion",
					"kms:CancelKeyDeletion"
				],
				"Resource": "*"
			},
			{
				"Sid": "Allow use of the key",
				"Effect": "Allow",
				"Principal": {
					"AWS": [
						"arn:aws:iam::123456789012:user/cloud-resource-manager"
					]
				},
				"Action": [
					"kms:Encrypt",
					"kms:Decrypt",
					"kms:ReEncrypt*",
					"kms:GenerateDataKey*",
					"kms:DescribeKey"
				],
				"Resource": "*"
			},
			{
				"Sid": "Allow attachment of persistent resources",
				"Effect": "Allow",
				"Principal": {
					"AWS": [
						"arn:aws:iam::123456789012:user/cloud-resource-manager"
					]
				},
				"Action": [
					"kms:CreateGrant",
					"kms:ListGrants",
					"kms:RevokeGrant"
				],
				"Resource": "*",
				"Condition": {
					"Bool": {
						"kms:GrantIsForAWSResource": "true"
					}
				}
			}
		]
	}
	EOF
}

resource "aws_kms_alias" "kms-key-alias" {
	target_key_id = aws_kms_key.kms-key.key_id
	name          = "alias/MskDataCMK"
}

resource "aws_msk_cluster" "msk-cluster" {
	cluster_name           = "cc-encrypted-msk-cluster"
	kafka_version          = "3.2.0"
	number_of_broker_nodes = 2
	enhanced_monitoring    = "DEFAULT"

	broker_node_group_info {
		instance_type = "kafka.m5.large"
		client_subnets = ["subnet-0abcd1234abcd1234","subnet-01234abcd1234abcd"]
		storage_info {
			ebs_storage_info {
			volume_size = 500
			}
		}
		security_groups = ["sg-0abcd1234abcd1234"]
	}

	# Enable Encryption at Rest using CMKs
	encryption_info {
	encryption_at_rest_kms_key_arn = aws_kms_key.kms-key.arn
	}

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the main navigation panel, under Key Management Service (KMS), select Customer managed keys.

04 Choose the Create Key button from the console top menu to initiate the CMK setup process.

05 For Step 1 Configure key, perform the following actions:

  1. Choose Symmetric from the Key type section. A symmetric key is a single encryption key that can be used for both encrypt and decrypt operations.
  2. Under Advanced options, for Key material origin, select KMS as the source of the key material within the CMK.
  3. Under Advanced options, for Regionality, select whether to allow the new key to be replicated into other AWS regions.
  4. Choose Next to continue.

06 For Step 2 Add labels, type a unique name (alias) for your new master key in the Alias box and provide a short description for the key in Description – _optiona_l box. (Optional) Use the Add tag button to create tags in order to categorize and identify your CMK. Choose Next to continue the setup process.

07 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK from the Key administrators section. You may need to add additional permissions for the users or roles to administer the key from the AWS console. For Key deletion, select Allow key administrators to delete this key. Choose Next to continue.

08 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new Customer Master Key for cryptographic operations. (Optional) In the Other AWS accounts section, choose Add another AWS account and enter an external AWS account ID in order to specify the external AWS account that can use the new key to encrypt and decrypt your Amazon MSK data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Choose Next to continue.

09 For Step 5 Review, review the policy available in the Key policy section, then choose Finish to create your new Customer Master Key (CMK). Once the key is successfully created, the Amazon KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".

10 Navigate to Amazon MSK console at https://console.aws.amazon.com/msk.

11 In the main navigation panel, underMSK Clusters, choose Clusters.

12 Click on the name (link) of the cluster that you want to recreate , available in the Cluster name column.

13 Select the Properties tab and collect all the configuration information available for the selected cluster.

14 Navigate back to the Clusters page and choose Create cluster to launch a new Amazon MSK cluster.

15 On the Create cluster setup page, perform the following actions:

  1. For Step 1 Cluster settings, perform the following:
    • For Cluster creation method, choose Custom create.
    • Provide a unique name for the new cluster in the Cluster name box.
    • For Cluster type, choose the type of cluster that you want to create. Must match the type of the source (original) cluster. If your source cluster type is Provisioned, configure the brokers as described below.
    • Choose the Apache Kafka version that you want to use for the cluster brokers from the Apache Kafka version dropdown list.
    • In the Brokers section, configure the broker nodes for your new MSK cluster. Choose the right broker type, the number of zones, and the number of brokers per zone. The broker node configuration must match the broker configuration information collected at step no. 13.
    • In the Storage section, you can configure the storage volume and storage throughput per broker node.
    • In the Configuration section, choose whether to use the default configuration provided by Amazon MSK or to use your own, custom configuration.
    • Choose Next to continue the setup process.
  2. For Step 2 Networking, choose VPC network, the Availability Zones (AZs), and the subnets where you want Amazon MSK to deploy the brokers for your new cluster. For Security groups in Amazon EC2, select one or more security groups to assign to the cluster's ENIs. The networking configuration must match the one identified at step no. 13. Choose Next to continue the setup.
  3. For Step 3 Security, perform the following actions:
    • For Access control methods, choose the method that you want Amazon MSK to use to authenticate clients and allow or deny actions.
    • For Encrypt data in transit, select TLS encryption under Between clients and brokers to encrypt the communication between cluster clients and brokers, and choose TLS encryption under Within the cluster to encrypt the communication between the cluster brokers.
    • For Encrypt data at rest, choose Use customer managed key and select the newly created KMS Customer Master Key (CMK) from the Choose customer managed key dropdown list.
    • Choose Next to continue the setup.
  4. For Step 4 Monitoring and tags, configure the monitoring options for the new cluster. The monitoring configuration must match the monitoring information collected at step no. 13.
  5. (Optional) To attach tags to your new cluster, use the Add new tag button available in the Cluster tags – optional section. Choose Next to continue.
  6. For Step 5 Review and create, review the cluster configuration, then choose Create cluster to launch your new Amazon MSK cluster.

16 Repeat steps no. 12 – 15 for each Amazon MSK cluster that you want to recreate, available within the current AWS region.

17 Change the AWS cloud region from the navigation bar and repeat the Remediation process for the other regions.

Using AWS CLI

01 Define the policy that enables the selected IAM users and/or roles to manage your new Customer Master Key (CMK), and to encrypt/decrypt your MSK cluster data using the KMS API. Create a new policy document (JSON format), name the file msk-data-cmk-policy.json, and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):

{
	"Id": "protected-cmk-policy",
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Enable IAM User Permissions",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:root"
			},
			"Action": "kms:*",
			"Resource": "*"
		},
		{
			"Sid": "Allow access for Key Administrators",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:Create*",
				"kms:Describe*",
				"kms:Enable*",
				"kms:List*",
				"kms:Put*",
				"kms:Update*",
				"kms:Revoke*",
				"kms:Disable*",
				"kms:Get*",
				"kms:Delete*",
				"kms:TagResource",
				"kms:UntagResource",
				"kms:ScheduleKeyDeletion",
				"kms:CancelKeyDeletion"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow use of the key",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:Encrypt",
				"kms:Decrypt",
				"kms:ReEncrypt*",
				"kms:GenerateDataKey*",
				"kms:DescribeKey"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow attachment of persistent resources",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:CreateGrant",
				"kms:ListGrants",
				"kms:RevokeGrant"
			],
			"Resource": "*",
			"Condition": {
				"Bool": {
					"kms:GrantIsForAWSResource": "true"
				}
			}
		}
	]
}

02 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e.msk-data-cmk-policy.json) as value for the --policy parameter, to create your new, customer-managed Customer Master Key (CMK):

aws kms create-key
  --region us-east-1
  --description 'Customer Master Key for Amazon MSK Cluster Data Encryption'
  --policy file://msk-data-cmk-policy.json
  --query 'KeyMetadata.Arn'

03 The command output should return the ARN of the new Customer Master Key (CMK):

"arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):

aws kms create-alias
  --region us-east-1
  --alias-name alias/MskDataCMK
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234

05 Run describe-cluster command (OSX/Linux/UNIX) using the ARN of the Amazon MSK cluster that you want to re-create as the identifier parameter and custom query filters to get the configuration information available for the selected cluster:

aws kafka describe-cluster
  --region us-east-1
  --cluster-arn arn:aws:kafka:us-east-1:123456789012:cluster/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab

06 The command output should return**the requested configuration information:

{
	"ClusterInfo": {
		"BrokerNodeGroupInfo": {
			"BrokerAZDistribution": "DEFAULT",
			"ClientSubnets": [
				"subnet-0abcd1234abcd1234",
				"subnet-01234abcd1234abcd"
			],
			"InstanceType": "kafka.m5.large",
			"SecurityGroups": [
				"sg-0abcd1234abcd1234"
			],
			"StorageInfo": {
				"EbsStorageInfo": {
					"VolumeSize": 500
				}
			}
		},

		...


		"EncryptionInfo": {
			"EncryptionAtRest": {
				"DataVolumeKMSKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcdabcdabcd"
			},
			"EncryptionInTransit": {
				"ClientBroker": "PLAINTEXT",
				"InCluster": false
			}
		},
		"OpenMonitoring": {
			"Prometheus": {
				"JmxExporter": {
					"EnabledInBroker": false
				},
				"NodeExporter": {
					"EnabledInBroker": false
				}
			}
		}
	}
}

07 Define the cluster broker node configuration using the information returned at the previous step and save the configuration document to a JSON file named cc-broker-node-group-config.json:

{
	"BrokerAZDistribution": "DEFAULT",
	"ClientSubnets": [
			"subnet-0abcd1234abcd1234",
			"subnet-01234abcd1234abcd"
	],
	"InstanceType": "kafka.m5.large",
	"SecurityGroups": [
		"sg-0abcd1234abcd1234"
	],
	"StorageInfo": {
		"EbsStorageInfo": {
			"VolumeSize": 500
		}
	}
}

08 Define the cluster encryption configuration and save the configuration document to a JSON file named cc-encryption-config.json. The following example enables encryption at rest using the customer-provided Customer Master Key (CMK) created earlier in the Remediation process and turn on in-transit encryption for the communication between the cluster brokers, and between cluster clients and brokers:

{
	"EncryptionAtRest": {
		"DataVolumeKMSKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
	},
	"EncryptionInTransit": {
		"ClientBroker": "TLS",
		"InCluster": true
	}
}

09 Run create-cluster command (OSX/Linux/UNIX) to launch a new Amazon MSK cluster using the configuration parameters defined at the previous steps (i.e. cc-broker-node-group-config.json and cc-encryption-config.json):

aws kafka create-cluster
  --cluster-name cc-encrypted-msk-cluster
  --kafka-version "2.6.2"
  --number-of-broker-nodes 2
  --enhanced-monitoring DEFAULT
  --broker-node-group-info file://cc-broker-node-group-config.json
  --encryption-info file://cc-encryption-config.json

10 The command output should return the information available for the new Amazon MSK cluster:

{
	"ClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/cc-encrypted-msk-cluster/1234abcd-1234-abcd-1234-abcd1234abcd-ad",
	"ClusterName": "cc-encrypted-msk-cluster",
	"State": "CREATING"
}

11 Repeat steps no. 5 – 10 for each Amazon MSK cluster that you want to re-create, available in the selected AWS region.

12 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 11 to perform the Remediation process for other regions.

References

Publication date Mar 4, 2019