Ensure that your Amazon MSK clusters are configured to use mutual TLS (mTLS) authentication so that only clients presenting a Transport Layer Security (TLS) certificate issued by a trusted private CA can connect to your Apache Kafka clusters.
Amazon Managed Streaming for Apache Kafka (MSK) is a fully managed AWS service for migrating, building, and running real-time streaming applications on Apache Kafka. TLS certificate-based authentication is well suited to automation use cases, such as allowing Amazon EC2 instances to connect to Amazon MSK clusters that handle production and business-critical data, because the client's identity is bound to a certificate rather than to a shared password.
Audit
To determine if mutual TLS authentication is enabled for your Amazon MSK clusters, perform the following operations:
Remediation / Resolution
To enable mutual TLS authentication with TLS certificates for your Amazon MSK clusters, perform the following operations:
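The audit and remediation procedures above can be scripted with the same API calls the References list (list-clusters, describe-cluster, update-security). The following is an added example, not the Conformity rule's own audit logic: the `audit_cluster` and `build_update_security_request` functions run offline against a constructed `describe-cluster` response (field names are the real MSK API's; the ARNs, cluster names and version strings are placeholders), while `main()` performs a live audit with boto3 and needs AWS credentials. A cluster is treated as passing only when an ACM PCA is attached, unauthenticated access is off, and client-broker encryption is TLS-only, since a plaintext listener or an open unauthenticated listener lets a client bypass the certificate check entirely.

```python
"""Audit Amazon MSK clusters for mutual TLS client authentication and build the
kafka:UpdateSecurity request that enables it (added example, not page code)."""
from __future__ import annotations

from typing import Any

# Constructed samples shaped like the ClusterInfo object returned by
# `aws kafka describe-cluster`. ARNs, names and versions are placeholders.
SAMPLE_CLUSTER_NO_MTLS: dict[str, Any] = {
    "ClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/orders/abcd1234",
    "ClusterName": "orders",
    "CurrentVersion": "K3AEGXETSR30VB",
    "ClientAuthentication": {"Unauthenticated": {"Enabled": True}},
    "EncryptionInfo": {
        "EncryptionInTransit": {"ClientBroker": "TLS_PLAINTEXT", "InCluster": True}
    },
}

SAMPLE_CLUSTER_MTLS: dict[str, Any] = {
    "ClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/payments/ef567890",
    "ClusterName": "payments",
    "CurrentVersion": "K2EUQ1WTGCTBG2",
    "ClientAuthentication": {
        "Tls": {
            "CertificateAuthorityArnList": [
                "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/11111111-2222-3333-4444-555555555555"
            ],
            "Enabled": True,
        },
        "Unauthenticated": {"Enabled": False},
    },
    "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS", "InCluster": True}},
}


def audit_cluster(cluster: dict[str, Any]) -> list[str]:
    """Return findings for one ClusterInfo dict; an empty list means PASS.

    mTLS is only enforced when (a) an ACM PCA is attached so TLS client
    authentication is on, (b) unauthenticated access is off, and (c) the
    client-broker listener is TLS-only, otherwise a client can skip the
    certificate check by using the plaintext or unauthenticated listener.
    """
    findings: list[str] = []
    auth = cluster.get("ClientAuthentication", {})
    tls = auth.get("Tls", {})
    if not tls.get("CertificateAuthorityArnList") or tls.get("Enabled") is False:
        findings.append("TLS client authentication is not enabled (no ACM PCA attached)")
    if auth.get("Unauthenticated", {}).get("Enabled", False):
        findings.append("Unauthenticated access is enabled, so client certificates are not required")
    client_broker = cluster.get("EncryptionInfo", {}).get("EncryptionInTransit", {}).get("ClientBroker")
    if client_broker != "TLS":
        findings.append(f"Client-broker encryption is {client_broker!r}, not TLS-only")
    return findings


def build_update_security_request(cluster: dict[str, Any], pca_arn: str) -> dict[str, Any]:
    """Build keyword arguments for boto3 `kafka.update_security` that attach
    one ACM PCA and disable unauthenticated access.

    CurrentVersion must be the value from the most recent describe-cluster
    call; MSK rejects the update if it is stale (optimistic concurrency).
    """
    if not pca_arn.startswith("arn:aws:acm-pca:"):
        raise ValueError("pca_arn must be an ACM Private CA ARN")
    request: dict[str, Any] = {
        "ClusterArn": cluster["ClusterArn"],
        "CurrentVersion": cluster["CurrentVersion"],
        "ClientAuthentication": {
            "Tls": {"CertificateAuthorityArnList": [pca_arn], "Enabled": True},
            "Unauthenticated": {"Enabled": False},
        },
    }
    in_transit = cluster.get("EncryptionInfo", {}).get("EncryptionInTransit", {})
    if in_transit.get("ClientBroker") != "TLS":
        # Only request the listener change when it is actually needed.
        request["EncryptionInfo"] = {"EncryptionInTransit": {"ClientBroker": "TLS"}}
    return request


def main() -> None:
    """Live audit: needs credentials plus kafka:ListClusters and
    kafka:DescribeCluster. Not exercised offline."""
    import boto3  # imported here so the offline checks above need no SDK

    kafka = boto3.client("kafka")
    for page in kafka.get_paginator("list_clusters").paginate():
        for summary in page["ClusterInfoList"]:
            info = kafka.describe_cluster(ClusterArn=summary["ClusterArn"])["ClusterInfo"]
            findings = audit_cluster(info)
            print(f"{'PASS' if not findings else 'FAIL'} {info['ClusterName']}")
            for finding in findings:
                print(f"  - {finding}")


if __name__ == "__main__":
    main()
```

To remediate a failing cluster, pass the dict from `build_update_security_request` to `kafka.update_security(**request)` after the PCA has been created with `acm-pca create-certificate-authority`; re-run `describe_cluster` first so that `CurrentVersion` is fresh. Note that `list_clusters` returns provisioned clusters only; MSK Serverless clusters do not support TLS certificate authentication.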
Note: AWS recommends using an independent ACM Private CA for each MSK cluster when you use mutual TLS to control access. That way a certificate issued by a given PCA can authenticate clients to only that one cluster, and compromising or over-issuing from one CA does not grant access to the others.
References
- AWS Documentation
  - Amazon MSK FAQs
  - Mutual TLS authentication
  - Procedure for creating a CA (console)
  - Procedure for creating a CA (CLI)
  - Updating security settings of a cluster
  - Introducing mutual TLS authentication for Amazon MSK as an event source
- AWS Command Line Interface (CLI) Documentation
  - kafka
    - list-clusters
    - describe-cluster
    - update-security
  - acm-pca
    - create-certificate-authority
Rule: Enable Mutual TLS Authentication for Kafka Clients
Risk Level: Medium