- Knowledge Base
- Amazon Web Services
- Amazon Managed Streaming for Apache Kafka
- Publicly Accessible Clusters
Ensure that your Amazon Managed Streaming for Kafka (MSK) clusters are not publicly accessible from the Internet to avoid exposing sensitive and confidential data, and minimize security risks. Trend Cloud One™ – Conformity strongly recommends to keep your Amazon MSK clusters privately (i.e. accessible only from inside the cluster's VPC).
When your Amazon MSK clusters are publicly accessible, anyone on the Internet can establish a connection to the Apache Kafka brokers running within the MSK clusters and this can increase the opportunity for malicious activities such as Denial of Service (DoS) attacks.
Audit
To determine if your Amazon Managed Streaming for Kafka (MSK) clusters are publicly accessible, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon MSK console at https://console.aws.amazon.com/msk.
03 In the main navigation panel, underMSK Clusters, choose Clusters.
04 Click on the name (link) of the cluster that you want to examine, available in the Cluster name column.
05 Select the Properties tab to access the configuration information available for the selected cluster.
06 In the Networking settings section, check the Public access attribute value. If the Public access value is set to On, the selected Amazon Managed Streaming for Kafka (MSK) cluster is publicly accessible.
07 Repeat steps no. 4 – 6 for each Amazon Managed Streaming for Kafka (MSK) cluster available within the current AWS region.
08 Change the AWS cloud region from the navigation bar and repeat the Audit process for the other regions.
Using AWS CLI
01 Runlist-clusters command (OSX/Linux/UNIX) using custom query filters to list the Amazon Resource Names (ARNs) of the Amazon MSK clusters available in the selected AWS region:
aws kafka list-clusters --region us-east-1 --query 'ClusterInfoList[*].ClusterArn'
02 The command output should return an array with the requested cluster ARNs:
[ "arn:aws:kafka:us-east-1:123456789012:cluster/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab", "arn:aws:kafka:us-east-1:123456789012:cluster/cc-msk-app-cluster/aabbccdd-1234-aabb-1234-aabbccddaabb-cd" ]
03 Run describe-cluster command (OSX/Linux/UNIX) using the ARN of the Amazon MSK cluster that you want to examine as the identifier parameter and custom query filters to describe the public access control configuration available for cluster brokers:
aws kafka describe-cluster --region us-east-1 --cluster-arn arn:aws:kafka:us-east-1:123456789012:cluster/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab --query 'ClusterInfo.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type'
04 The command output should return the requested configuration information:
"SERVICE_PROVIDED_EIPS"
If the describe-cluster command output returns "SERVICE_PROVIDED_EIPS", as shown in the output example above, the cluster brokers are accessible from the Internet, therefore the selected Amazon MSK cluster is publicly accessible.
05 Repeat steps no. 3 and 4 for each Amazon Managed Streaming for Kafka (MSK) cluster provisioned in the selected AWS region.
06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.
Remediation / Resolution
To turn off public access to the Apache Kafka brokers running within your Amazon MSK clusters, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Disable Public Access", "Resources": { "MSKCluster": { "Type": "AWS::MSK::Cluster", "Properties": { "ClusterName": "cc-production-msk-cluster", "KafkaVersion": "3.4.0", "NumberOfBrokerNodes": 2, "EncryptionInfo": { "EncryptionInTransit": { "InCluster": true, "ClientBroker": "TLS" } }, "BrokerNodeGroupInfo": { "BrokerAZDistribution": "DEFAULT", "ClientSubnets": [ "subnet-0abcd1234abcd1234", "subnet-01234abcd1234abcd" ], "InstanceType": "kafka.m5.large", "SecurityGroups": [ "sg-0abcd1234abcd1234" ], "StorageInfo": { "EbsStorageInfo": { "VolumeSize": 500 } }, "ConnectivityInfo": { "PublicAccess": { "Type": "DISABLED" } } } } } } }
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09' Description: Disable Public Access Resources: MSKCluster: Type: AWS::MSK::Cluster Properties: ClusterName: cc-production-msk-cluster KafkaVersion: 3.4.0 NumberOfBrokerNodes: 2 EncryptionInfo: EncryptionInTransit: InCluster: true ClientBroker: TLS BrokerNodeGroupInfo: BrokerAZDistribution: DEFAULT ClientSubnets: - subnet-0abcd1234abcd1234 - subnet-01234abcd1234abcd InstanceType: kafka.m5.large SecurityGroups: - sg-0abcd1234abcd1234 StorageInfo: EbsStorageInfo: VolumeSize: 500 ConnectivityInfo: PublicAccess: Type: DISABLED
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 4.0" } } required_version = ">= 0.14.9" } provider "aws" { profile = "default" region = "us-east-1" } resource "aws_msk_cluster" "msk-cluster" { cluster_name = "cc-production-msk-cluster" kafka_version = "3.4.0" number_of_broker_nodes = 2 encryption_info { encryption_in_transit { in_cluster = true client_broker = "TLS" } } broker_node_group_info { instance_type = "kafka.m5.large" client_subnets = ["subnet-0abcd1234abcd1234","subnet-01234abcd1234abcd"] storage_info { ebs_storage_info { volume_size = 500 } } security_groups = ["sg-0abcd1234abcd1234"] # Disable Public Access connectivity_info { public_access { type = "DISABLED" } } } }
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon MSK console at https://console.aws.amazon.com/msk.
03 In the main navigation panel, underMSK Clusters, choose Clusters.
04 Click on the name (link) of the cluster that you want to reconfigure.
05 Select the Properties tab and choose Edit public access from the Networking settings section to modify the network configuration settings available for the selected cluster.
06 On the Edit public access for <cluster-name>
page, deselect the Turn on checkbox available under Public access to disable public access to the selected Amazon MSK cluster and make it accessible only from inside the cluster's VPC. Choose Save changes to apply the configuration changes.
07 Repeat steps no. 4 – 6 to turn off public access for other Amazon MSK clusters available within the current AWS region.
08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for the other regions.
Using AWS CLI
01 Run update-connectivity command (OSX/Linux/UNIX) using the ARN of the Amazon Managed Streaming for Kafka (MSK) cluster that you want to reconfigure as the identifier parameter, to turn off public access to the Apache Kafka brokers running within the selected cluster:
aws kafka update-connectivity --cluster-arn arn:aws:kafka:us-east-1:123456789012:cluster/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab --current-version ABCDABCDABCDA --connectivity-info '{"PublicAccess": {"Type": "DISABLED"}}'
02 The output should return the update-connectivitycommand request metadata:
{ "ClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab", "ClusterOperationArn": "arn:aws:kafka:us-east-1:123456789012:cluster-operation/cc-kafka-cluster/abcd1234-abcd-1234-abcd-1234abcd1234-ab/1234abcd-1234-abcd-1234-abcd1234abcd" }
03 Repeat steps no. 1 and 2 to disable public access for other Amazon MSK clusters provisioned in the current AWS region.
04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.
References
- AWS Documentation
- Amazon MSK FAQs
- Connecting to an Amazon MSK cluster
- Public access
- AWS Command Line Interface (CLI) Documentation
- kafka
- list-clusters
- describe-cluster
- update-connectivity