Publicly Accessible Clusters

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon Managed Streaming for Kafka (MSK) clusters are not publicly accessible from the Internet, to avoid exposing sensitive and confidential data and to minimize security risks. Trend Cloud One™ – Conformity strongly recommends keeping your Amazon MSK clusters private (i.e. accessible only from inside the cluster's VPC).

Security

When your Amazon MSK clusters are publicly accessible, anyone on the Internet can establish a connection to the Apache Kafka brokers running within those clusters, which increases the opportunity for malicious activity such as Denial of Service (DoS) attacks.


Audit

To determine if your Amazon Managed Streaming for Kafka (MSK) clusters are publicly accessible, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon MSK console at https://console.aws.amazon.com/msk.

03 In the main navigation panel, under MSK Clusters, choose Clusters.

04 Click on the name (link) of the cluster that you want to examine, available in the Cluster name column.

05 Select the Properties tab to access the configuration information available for the selected cluster.

06 In the Networking settings section, check the Public access attribute value. If the Public access value is set to On, the selected Amazon Managed Streaming for Kafka (MSK) cluster is publicly accessible.

07 Repeat steps no. 4 – 6 for each Amazon Managed Streaming for Kafka (MSK) cluster available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for the other regions.

Using AWS CLI

01 Run list-clusters command (OSX/Linux/UNIX) using custom query filters to list the Amazon Resource Names (ARNs) of the Amazon MSK clusters available in the selected AWS region:

aws kafka list-clusters \
  --region us-east-1 \
  --query 'ClusterInfoList[*].ClusterArn'

02 The command output should return an array with the requested cluster ARNs:

[
	"arn:aws:kafka:us-east-1:123456789012:cluster/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab",
	"arn:aws:kafka:us-east-1:123456789012:cluster/cc-msk-app-cluster/aabbccdd-1234-aabb-1234-aabbccddaabb-cd"
]

03 Run describe-cluster command (OSX/Linux/UNIX) using the ARN of the Amazon MSK cluster that you want to examine as the identifier parameter and custom query filters to describe the public access control configuration available for cluster brokers:

aws kafka describe-cluster \
  --region us-east-1 \
  --cluster-arn arn:aws:kafka:us-east-1:123456789012:cluster/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab \
  --query 'ClusterInfo.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type'

04 The command output should return the requested configuration information:

"SERVICE_PROVIDED_EIPS"

If the describe-cluster command output returns "SERVICE_PROVIDED_EIPS", as shown in the output example above, the cluster brokers are accessible from the Internet, therefore the selected Amazon MSK cluster is publicly accessible.

05 Repeat steps no. 3 and 4 for each Amazon Managed Streaming for Kafka (MSK) cluster provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.

Remediation / Resolution

To turn off public access to the Apache Kafka brokers running within your Amazon MSK clusters, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Disable Public Access",
	"Resources": {
		"MSKCluster": {
			"Type": "AWS::MSK::Cluster",
			"Properties": {
				"ClusterName": "cc-production-msk-cluster",
				"KafkaVersion": "3.4.0",
				"NumberOfBrokerNodes": 2,
				"EncryptionInfo": {
					"EncryptionInTransit": {
						"InCluster": true,
						"ClientBroker": "TLS"
					}
				},
				"BrokerNodeGroupInfo": {
					"BrokerAZDistribution": "DEFAULT",
					"ClientSubnets": [
						"subnet-0abcd1234abcd1234",
						"subnet-01234abcd1234abcd"
					],
					"InstanceType": "kafka.m5.large",
					"SecurityGroups": [
						"sg-0abcd1234abcd1234"
					],
					"StorageInfo": {
						"EbsStorageInfo": {
							"VolumeSize": 500
						}
					},
					"ConnectivityInfo": {
						"PublicAccess": {
							"Type": "DISABLED"
						}
					}
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Disable Public Access
Resources:
  MSKCluster:
    Type: AWS::MSK::Cluster
    Properties:
      ClusterName: cc-production-msk-cluster
      KafkaVersion: '3.4.0'
      NumberOfBrokerNodes: 2
      EncryptionInfo:
        EncryptionInTransit:
          InCluster: true
          ClientBroker: TLS
      BrokerNodeGroupInfo:
        BrokerAZDistribution: DEFAULT
        ClientSubnets:
          - subnet-0abcd1234abcd1234
          - subnet-01234abcd1234abcd
        InstanceType: kafka.m5.large
        SecurityGroups:
          - sg-0abcd1234abcd1234
        StorageInfo:
          EbsStorageInfo:
            VolumeSize: 500
        ConnectivityInfo:
          PublicAccess:
            Type: DISABLED

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_msk_cluster" "msk-cluster" {
	cluster_name           = "cc-production-msk-cluster"
	kafka_version          = "3.4.0"
	number_of_broker_nodes = 2

	encryption_info {
		encryption_in_transit {
			in_cluster    = true
			client_broker = "TLS"
		}
	}

	broker_node_group_info {
		instance_type  = "kafka.m5.large"
		client_subnets = ["subnet-0abcd1234abcd1234","subnet-01234abcd1234abcd"]
		storage_info {
			ebs_storage_info {
				volume_size = 500
			}
		}
		security_groups = ["sg-0abcd1234abcd1234"]

		# Disable Public Access
		connectivity_info {
			public_access {
				type = "DISABLED"
			}
		}
	}
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon MSK console at https://console.aws.amazon.com/msk.

03 In the main navigation panel, under MSK Clusters, choose Clusters.

04 Click on the name (link) of the cluster that you want to reconfigure.

05 Select the Properties tab and choose Edit public access from the Networking settings section to modify the network configuration settings available for the selected cluster.

06 On the Edit public access for <cluster-name> page, deselect the Turn on checkbox available under Public access to disable public access to the selected Amazon MSK cluster and make it accessible only from inside the cluster's VPC. Choose Save changes to apply the configuration changes.

07 Repeat steps no. 4 – 6 to turn off public access for other Amazon MSK clusters available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for the other regions.

Using AWS CLI

01 Run update-connectivity command (OSX/Linux/UNIX) using the ARN of the Amazon Managed Streaming for Kafka (MSK) cluster that you want to reconfigure as the identifier parameter, to turn off public access to the Apache Kafka brokers running within the selected cluster:

aws kafka update-connectivity \
  --region us-east-1 \
  --cluster-arn arn:aws:kafka:us-east-1:123456789012:cluster/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab \
  --current-version ABCDABCDABCDA \
  --connectivity-info '{"PublicAccess": {"Type": "DISABLED"}}'

02 The output should return the update-connectivity command request metadata:

{
	"ClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab",
	"ClusterOperationArn": "arn:aws:kafka:us-east-1:123456789012:cluster-operation/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab/1234abcd-1234-abcd-1234-abcd1234abcd"
}

03 Repeat steps no. 1 and 2 to disable public access for other Amazon MSK clusters provisioned in the current AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.
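The CLI audit (list-clusters, then describe-cluster per ARN and inspect PublicAccess.Type) and the update-connectivity remediation above can be automated with boto3. The following is an added example, not part of the Conformity page or the AWS tooling; it assumes a boto3 "kafka" client (or any object exposing the same list_clusters, describe_cluster and update_connectivity methods) and uses the example region list shown in its main block.

```python
"""Audit Amazon MSK clusters for public access (the CLI steps above, automated)."""
from typing import Dict, List, Tuple

PUBLIC_ACCESS_OFF = "DISABLED"  # the other value this page shows is SERVICE_PROVIDED_EIPS

def public_access_type(cluster_info: Dict) -> str:
    """ClusterInfo.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type. MSK turns
    public access on only for SERVICE_PROVIDED_EIPS, so a missing ConnectivityInfo
    (clusters that never had the setting configured) counts as DISABLED."""
    return (cluster_info.get("BrokerNodeGroupInfo", {})
            .get("ConnectivityInfo", {})
            .get("PublicAccess", {})
            .get("Type", PUBLIC_ACCESS_OFF))

def find_public_clusters(kafka) -> List[Tuple[str, str]]:
    """Audit steps 1-5 for one region: list every cluster ARN, describe each one,
    return (arn, type) for the clusters whose brokers are reachable from the Internet.
    `kafka` is a boto3 'kafka' client (or any object with the same two methods)."""
    findings, token = [], None
    while True:
        page = kafka.list_clusters(**({"NextToken": token} if token else {}))
        for summary in page.get("ClusterInfoList", []):
            arn = summary["ClusterArn"]
            info = kafka.describe_cluster(ClusterArn=arn)["ClusterInfo"]
            access = public_access_type(info)
            if access != PUBLIC_ACCESS_OFF:
                findings.append((arn, access))
        token = page.get("NextToken")
        if not token:
            return findings

def disable_public_access(kafka, arn: str) -> str:
    """Remediation step 1: update-connectivity requires the cluster's CurrentVersion
    (an optimistic-concurrency token), so read it from describe-cluster first.
    Returns the ClusterOperationArn of the resulting update operation."""
    current = kafka.describe_cluster(ClusterArn=arn)["ClusterInfo"]["CurrentVersion"]
    resp = kafka.update_connectivity(
        ClusterArn=arn,
        CurrentVersion=current,
        ConnectivityInfo={"PublicAccess": {"Type": PUBLIC_ACCESS_OFF}},
    )
    return resp["ClusterOperationArn"]

if __name__ == "__main__":
    import boto3  # imported here so the module also loads where boto3 is missing
    for region in ("us-east-1", "eu-west-1"):  # example region list, adjust as needed
        client = boto3.client("kafka", region_name=region)
        for arn, access in find_public_clusters(client):
            print(f"FAIL {region} {arn} PublicAccess.Type={access}")
```

Run it under an IAM principal allowed kafka:ListClusters and kafka:DescribeCluster (plus kafka:UpdateConnectivity if you call disable_public_access); the update is asynchronous, so re-run the audit once the returned cluster operation completes.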

Publication date Jul 11, 2022