- Unrestricted Access to Apache Kafka Brokers
Ensure that unrestricted access to the Apache Kafka brokers is disabled at the Amazon MSK cluster level in order to avoid exposing sensitive data and minimize security risks.
When unauthenticated access is enabled at cluster level, no authentication is required for clients, and all actions are allowed. This can increase the opportunity for numerous malicious activities and cyberattacks.
Audit
To determine if your Amazon MSK clusters allow unrestricted access to the associated Apache Kafka brokers, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon MSK console at https://console.aws.amazon.com/msk.
03 In the main navigation panel, under MSK Clusters, choose Clusters.
04 Click on the name (link) of the cluster that you want to examine, available in the Cluster name column.
05 Select the Properties tab and check the Unauthenticated access attribute value available in the Security settings section. If Unauthenticated access is set to Enabled, the selected Amazon MSK cluster allows unrestricted access to the cluster's brokers.
06 Repeat steps no. 4 and 5 for each Amazon Managed Streaming for Kafka (MSK) cluster provisioned within the current AWS region.
07 Change the AWS cloud region from the navigation bar and repeat the Audit process for the other regions.
Using AWS CLI
01 Run list-clusters command (OSX/Linux/UNIX) using custom query filters to list the Amazon Resource Names (ARNs) of the Amazon MSK clusters available in the selected AWS region:
aws kafka list-clusters --region us-east-1 --query 'ClusterInfoList[*].ClusterArn'
02 The command output should return an array with the requested cluster ARNs:
[
    "arn:aws:kafka:us-east-1:123456789012:cluster/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab",
    "arn:aws:kafka:us-east-1:123456789012:cluster/cc-msk-app-cluster/aabbccdd-1234-aabb-1234-aabbccddaabb-cd"
]
03 Run describe-cluster command (OSX/Linux/UNIX) using the ARN of the Amazon MSK cluster that you want to examine as the identifier parameter and custom query filters to determine if unauthenticated access to the cluster brokers is enabled:
aws kafka describe-cluster --region us-east-1 --cluster-arn arn:aws:kafka:us-east-1:123456789012:cluster/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab --query 'ClusterInfo.ClientAuthentication.Unauthenticated.Enabled'
04 The command output should return the unauthenticated access status (true for enabled, false for disabled):
true
If the describe-cluster command output returns true, as shown in the output example above, the selected Amazon MSK cluster allows unrestricted access to the cluster's brokers.
05 Repeat steps no. 3 and 4 for each Amazon Managed Streaming for Kafka (MSK) cluster available in the selected AWS region.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.
Remediation / Resolution
To turn off unrestricted access to the Apache Kafka brokers, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Disable Unrestricted Access",
    "Resources": {
        "MSKCluster": {
            "Type": "AWS::MSK::Cluster",
            "Properties": {
                "ClusterName": "cc-production-msk-cluster",
                "KafkaVersion": "3.4.0",
                "NumberOfBrokerNodes": 2,
                "BrokerNodeGroupInfo": {
                    "BrokerAZDistribution": "DEFAULT",
                    "ClientSubnets": [
                        "subnet-0abcd1234abcd1234",
                        "subnet-01234abcd1234abcd"
                    ],
                    "InstanceType": "kafka.m5.large",
                    "SecurityGroups": [
                        "sg-0abcd1234abcd1234"
                    ],
                    "StorageInfo": {
                        "EbsStorageInfo": {
                            "VolumeSize": 500
                        }
                    }
                },
                "EncryptionInfo": {
                    "EncryptionInTransit": {
                        "InCluster": true,
                        "ClientBroker": "TLS"
                    }
                },
                "ClientAuthentication": {
                    "Tls": {
                        "Enabled": true,
                        "CertificateAuthorityArnList": [
                            "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/abcdabcd-1234-1234-1234-abcdabcdabcd"
                        ]
                    },
                    "Unauthenticated": {
                        "Enabled": false
                    }
                }
            }
        }
    }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Disable Unrestricted Access
Resources:
  MSKCluster:
    Type: AWS::MSK::Cluster
    Properties:
      ClusterName: cc-production-msk-cluster
      KafkaVersion: 3.4.0
      NumberOfBrokerNodes: 2
      BrokerNodeGroupInfo:
        BrokerAZDistribution: DEFAULT
        ClientSubnets:
          - subnet-0abcd1234abcd1234
          - subnet-01234abcd1234abcd
        InstanceType: kafka.m5.large
        SecurityGroups:
          - sg-0abcd1234abcd1234
        StorageInfo:
          EbsStorageInfo:
            VolumeSize: 500
      EncryptionInfo:
        EncryptionInTransit:
          InCluster: true
          ClientBroker: TLS
      ClientAuthentication:
        Tls:
          Enabled: true
          CertificateAuthorityArnList:
            - arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/abcdabcd-1234-1234-1234-abcdabcdabcd
        Unauthenticated:
          Enabled: false
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_msk_cluster" "msk-cluster" {
  cluster_name           = "cc-production-msk-cluster"
  kafka_version          = "3.4.0"
  number_of_broker_nodes = 2

  broker_node_group_info {
    instance_type  = "kafka.m5.large"
    client_subnets = ["subnet-0abcd1234abcd1234", "subnet-01234abcd1234abcd"]
    storage_info {
      ebs_storage_info {
        volume_size = 500
      }
    }
    security_groups = ["sg-0abcd1234abcd1234"]
  }

  encryption_info {
    encryption_in_transit {
      in_cluster    = true
      client_broker = "TLS"
    }
  }

  client_authentication {
    tls {
      certificate_authority_arns = ["arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/abcdabcd-1234-1234-1234-abcdabcdabcd"]
    }
    # Disable Unrestricted Access
    unauthenticated = false
  }
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon MSK console at https://console.aws.amazon.com/msk.
03 In the main navigation panel, under MSK Clusters, choose Clusters.
04 Click on the name (link) of the cluster that you want to reconfigure.
05 Select the Properties tab and choose Edit from the Security settings section to modify the access control methods available for the selected cluster.
06 In the Security settings configuration section, deselect the Unauthenticated access checkbox to turn off unrestricted access to the cluster brokers and make sure that at least one of the following authentication methods is selected under Access control methods: IAM role-based authentication, SASL/SCRAM authentication, and/or mutual TLS authentication. Choose Save changes to apply the changes.
07 Repeat steps no. 4 – 6 for each Amazon MSK cluster that you want to reconfigure, available within the current AWS region.
08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for the other regions.
Using AWS CLI
01 Run update-security command (OSX/Linux/UNIX) using the ARN of the Amazon MSK cluster that you want to reconfigure as the identifier parameter, to update the security settings for the selected cluster in order to disable unrestricted access to the cluster's brokers:
aws kafka update-security --region us-east-1 --cluster-arn arn:aws:kafka:us-east-1:123456789012:cluster/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab --current-version ABCDABCDABCDAD --client-authentication 'Unauthenticated={Enabled=false}'
02 The output should return the update-security command request metadata:
{
    "ClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab",
    "ClusterOperationArn": "arn:aws:kafka:us-east-1:123456789012:cluster/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab/123456789012"
}
03 Once the unrestricted access to the cluster brokers is disabled, ensure that at least one of the following authentication methods is enabled for your MSK cluster: IAM role-based authentication, SASL/SCRAM authentication, and/or mutual TLS authentication.
04 Repeat steps no. 1 – 3 for each Amazon MSK cluster that you want to reconfigure, available in the selected AWS region.
05 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 6 to perform the Remediation process for other regions.
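The CLI audit (list-clusters, then describe-cluster per ARN) and the CLI remediation (update-security) above are manual, per-cluster steps. The following Python script is an added example, not part of this knowledge base page or of any AWS tooling, that automates both: it evaluates the same ClusterInfo.ClientAuthentication.Unauthenticated.Enabled field the audit queries, reports which other access control methods (IAM, SASL/SCRAM, mutual TLS) are enabled, and builds the update-security request. It also encodes the caveat behind remediation step 03: a cluster whose only access path is unauthenticated is reported as blocked rather than updated, because disabling that path before enabling another method locks every client out, and the CurrentVersion value (ABCDABCDABCDAD in the page's command) must come from a fresh describe-cluster since it changes after every update. Only fetch_cluster_infos() calls AWS and needs boto3 with credentials; the sample clusters, the third ARN and the PLACEHOLDER-VERSION-* values are constructed so that everything else runs offline.

```python
"""Audit Amazon MSK clusters for unrestricted (unauthenticated) broker access
and build the update-security request that turns it off.

Added example, not part of the original page. Works on the ClusterInfo objects
returned by `aws kafka describe-cluster` / `list-clusters`. Only
fetch_cluster_infos() talks to AWS; everything else runs offline on the
constructed SAMPLE_CLUSTERS.
"""
from typing import Any, Dict, Iterable, List

# Constructed sample shaped like the DescribeCluster ClusterInfo object. The
# first two ARNs and the version ABCDABCDABCDAD are the page's own values; the
# third cluster and the PLACEHOLDER-VERSION-* strings are made up here.
SAMPLE_CLUSTERS: List[Dict[str, Any]] = [
    {  # Non-compliant: unauthenticated access on, but mTLS is also enabled.
        "ClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab",
        "ClusterName": "cc-kafka-cluster",
        "CurrentVersion": "ABCDABCDABCDAD",
        "ClientAuthentication": {
            "Tls": {"Enabled": True, "CertificateAuthorityArnList": [
                "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/abcdabcd-1234-1234-1234-abcdabcdabcd"]},
            "Sasl": {"Scram": {"Enabled": False}, "Iam": {"Enabled": False}},
            "Unauthenticated": {"Enabled": True},
        },
    },
    {  # Non-compliant and unauthenticated is the ONLY access path.
        "ClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/cc-msk-app-cluster/aabbccdd-1234-aabb-1234-aabbccddaabb-cd",
        "ClusterName": "cc-msk-app-cluster",
        "CurrentVersion": "PLACEHOLDER-VERSION-2",
        "ClientAuthentication": {"Unauthenticated": {"Enabled": True}},
    },
    {  # Compliant: IAM role-based authentication only (constructed ARN).
        "ClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/cc-iam-cluster/00000000-0000-0000-0000-000000000000-ef",
        "ClusterName": "cc-iam-cluster",
        "CurrentVersion": "PLACEHOLDER-VERSION-3",
        "ClientAuthentication": {"Sasl": {"Iam": {"Enabled": True}},
                                 "Unauthenticated": {"Enabled": False}},
    },
]


def unauthenticated_enabled(info: Dict[str, Any]) -> bool:
    """True when ClientAuthentication.Unauthenticated.Enabled is true.
    Absent keys count as disabled; the API omits blocks that were never set."""
    auth = info.get("ClientAuthentication") or {}
    return bool((auth.get("Unauthenticated") or {}).get("Enabled", False))


def enabled_auth_methods(info: Dict[str, Any]) -> List[str]:
    """Names of the authenticated access control methods that are switched on."""
    auth = info.get("ClientAuthentication") or {}
    sasl = auth.get("Sasl") or {}
    methods = []
    if (auth.get("Tls") or {}).get("Enabled"):
        methods.append("mTLS")
    if (sasl.get("Scram") or {}).get("Enabled"):
        methods.append("SASL/SCRAM")
    if (sasl.get("Iam") or {}).get("Enabled"):
        methods.append("IAM")
    return methods


def audit(cluster_infos: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One finding per cluster that allows unrestricted broker access."""
    return [{"ClusterArn": info["ClusterArn"],
             "ClusterName": info.get("ClusterName", ""),
             "OtherMethods": enabled_auth_methods(info)}
            for info in cluster_infos if unauthenticated_enabled(info)]


def plan_update_security(info: Dict[str, Any]) -> Dict[str, Any]:
    """Decide what to do for one cluster and, when safe, build the parameters
    of `aws kafka update-security` / boto3 update_security().

    CurrentVersion is mandatory and changes after every update, so read it from
    a fresh describe-cluster. A cluster with no other method is 'blocked':
    enable IAM, SASL/SCRAM or mTLS first or every client gets locked out."""
    if not unauthenticated_enabled(info):
        return {"action": "skip", "reason": "already compliant"}
    if not enabled_auth_methods(info):
        return {"action": "blocked",
                "reason": "no other authentication method enabled; enable one first"}
    return {"action": "update", "request": {
        "ClusterArn": info["ClusterArn"],
        "CurrentVersion": info["CurrentVersion"],
        "ClientAuthentication": {"Unauthenticated": {"Enabled": False}},
    }}


def fetch_cluster_infos(region: str) -> List[Dict[str, Any]]:
    """Live replacement for audit steps 01-03: list-clusters already returns
    full ClusterInfo objects, so one paginated call covers the region."""
    import boto3  # imported here so the offline functions do not need it
    kafka = boto3.client("kafka", region_name=region)
    infos: List[Dict[str, Any]] = []
    for page in kafka.get_paginator("list_clusters").paginate():
        infos.extend(page["ClusterInfoList"])
    return infos


if __name__ == "__main__":
    # Offline run on the sample; use fetch_cluster_infos("us-east-1") for a real
    # region and boto3.client("kafka").update_security(**plan["request"]) to apply.
    by_arn = {c["ClusterArn"]: c for c in SAMPLE_CLUSTERS}
    for f in audit(SAMPLE_CLUSTERS):
        plan = plan_update_security(by_arn[f["ClusterArn"]])
        print(f"{f['ClusterName']}: unauthenticated access ENABLED; "
              f"other methods={f['OtherMethods'] or 'none'}; action={plan['action']}")
```

Run it once per region (the page's step 05 loop) and treat every "blocked" result as a prerequisite task: add an access control method, re-run describe-cluster to pick up the new CurrentVersion, then issue the update.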
References
- AWS Documentation
- Amazon MSK FAQs
- Security in Amazon Managed Streaming for Apache Kafka
- Authentication and authorization for Apache Kafka APIs
- AWS Command Line Interface (CLI) Documentation
- kafka
- list-clusters
- describe-cluster
- update-security