MSK Cluster Encryption Disabled

  • Query id: a976d63f-af0e-46e8-b714-8c1a9c4bf768
  • Query name: MSK Cluster Encryption Disabled
  • Platform: CloudFormation
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

Ensure MSK Cluster encryption in rest and transit is enabled
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Description: MSK Cluster with all properties
Resources:
  TestCluster5:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: ClusterWithAllProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      EnhancedMonitoring: PER_BROKER
      OpenMonitoring:
        Prometheus:
          JmxExporter:
            EnabledInBroker: "true"
          NodeExporter:
            EnabledInBroker: "true"
      ConfigurationInfo:
        Arn: ReplaceWithConfigurationArn
        Revision: 1
      ClientAuthentication:
        Tls:
          CertificateAuthorityArnList:
            - ReplaceWithCAArn
      Tags:
        Environment: Test
        Owner: QATeam
      BrokerNodeGroupInfo:
        BrokerAZDistribution: DEFAULT
        InstanceType: kafka.m5.large
        SecurityGroups:
          - ReplaceWithSecurityGroupId
        StorageInfo:
          EBSStorageInfo:
            VolumeSize: 100
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3
Positive test num. 2 - yaml file
Description: MSK Cluster with all properties
Resources:
  TestCluster6:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: ClusterWithAllProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      EnhancedMonitoring: PER_BROKER
      EncryptionInfo:
        EncryptionAtRest:
          DataVolumeKMSKeyId: ReplaceWithKmsKeyArn
        EncryptionInTransit:
          ClientBroker: PLAINTEXT
      OpenMonitoring:
        Prometheus:
          JmxExporter:
            EnabledInBroker: "true"
          NodeExporter:
            EnabledInBroker: "true"
      ConfigurationInfo:
        Arn: ReplaceWithConfigurationArn
        Revision: 1
      ClientAuthentication:
        Tls:
          CertificateAuthorityArnList:
            - ReplaceWithCAArn
      Tags:
        Environment: Test
        Owner: QATeam
      BrokerNodeGroupInfo:
        BrokerAZDistribution: DEFAULT
        InstanceType: kafka.m5.large
        SecurityGroups:
          - ReplaceWithSecurityGroupId
        StorageInfo:
          EBSStorageInfo:
            VolumeSize: 100
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3
Positive test num. 3 - yaml file
Description: MSK Cluster with all properties
Resources:
  TestCluster7:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: ClusterWithAllProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      EnhancedMonitoring: PER_BROKER
      EncryptionInfo:
        EncryptionAtRest:
          DataVolumeKMSKeyId: ReplaceWithKmsKeyArn
        EncryptionInTransit:
          InCluster: false
      OpenMonitoring:
        Prometheus:
          JmxExporter:
            EnabledInBroker: "true"
          NodeExporter:
            EnabledInBroker: "true"
      ConfigurationInfo:
        Arn: ReplaceWithConfigurationArn
        Revision: 1
      ClientAuthentication:
        Tls:
          CertificateAuthorityArnList:
            - ReplaceWithCAArn
      Tags:
        Environment: Test
        Owner: QATeam
      BrokerNodeGroupInfo:
        BrokerAZDistribution: DEFAULT
        InstanceType: kafka.m5.large
        SecurityGroups:
          - ReplaceWithSecurityGroupId
        StorageInfo:
          EBSStorageInfo:
            VolumeSize: 100
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3

Positive test num. 4 - json file
{
  "Description": "MSK Cluster with all properties",
  "Resources": {
    "TestCluster8": {
      "Type": "AWS::MSK::Cluster",
      "Properties": {
        "ClusterName": "ClusterWithAllProperties",
        "KafkaVersion": "2.2.1",
        "NumberOfBrokerNodes": 3,
        "EnhancedMonitoring": "PER_BROKER",
        "OpenMonitoring": {
          "Prometheus": {
            "JmxExporter": {
              "EnabledInBroker": "true"
            },
            "NodeExporter": {
              "EnabledInBroker": "true"
            }
          }
        },
        "ConfigurationInfo": {
          "Arn": "ReplaceWithConfigurationArn",
          "Revision": 1
        },
        "ClientAuthentication": {
          "Tls": {
            "CertificateAuthorityArnList": [
              "ReplaceWithCAArn"
            ]
          }
        },
        "Tags": {
          "Environment": "Test",
          "Owner": "QATeam"
        },
        "BrokerNodeGroupInfo": {
          "BrokerAZDistribution": "DEFAULT",
          "InstanceType": "kafka.m5.large",
          "SecurityGroups": [
            "ReplaceWithSecurityGroupId"
          ],
          "StorageInfo": {
            "EBSStorageInfo": {
              "VolumeSize": 100
            }
          },
          "ClientSubnets": [
            "ReplaceWithSubnetId1",
            "ReplaceWithSubnetId2",
            "ReplaceWithSubnetId3"
          ]
        }
      }
    }
  }
}
Positive test num. 5 - json file
{
  "Description": "MSK Cluster with all properties",
  "Resources": {
    "TestCluster9": {
      "Type": "AWS::MSK::Cluster",
      "Properties": {
        "ClusterName": "ClusterWithAllProperties",
        "KafkaVersion": "2.2.1",
        "NumberOfBrokerNodes": 3,
        "EnhancedMonitoring": "PER_BROKER",
        "EncryptionInfo": {
          "EncryptionAtRest": {
            "DataVolumeKMSKeyId": "ReplaceWithKmsKeyArn"
          },
          "EncryptionInTransit": {
            "ClientBroker": "PLAINTEXT"
          }
        },
        "OpenMonitoring": {
          "Prometheus": {
            "JmxExporter": {
              "EnabledInBroker": "true"
            },
            "NodeExporter": {
              "EnabledInBroker": "true"
            }
          }
        },
        "ConfigurationInfo": {
          "Arn": "ReplaceWithConfigurationArn",
          "Revision": 1
        },
        "ClientAuthentication": {
          "Tls": {
            "CertificateAuthorityArnList": [
              "ReplaceWithCAArn"
            ]
          }
        },
        "Tags": {
          "Environment": "Test",
          "Owner": "QATeam"
        },
        "BrokerNodeGroupInfo": {
          "BrokerAZDistribution": "DEFAULT",
          "InstanceType": "kafka.m5.large",
          "SecurityGroups": [
            "ReplaceWithSecurityGroupId"
          ],
          "StorageInfo": {
            "EBSStorageInfo": {
              "VolumeSize": 100
            }
          },
          "ClientSubnets": [
            "ReplaceWithSubnetId1",
            "ReplaceWithSubnetId2",
            "ReplaceWithSubnetId3"
          ]
        }
      }
    }
  }
}
Positive test num. 6 - json file
{
  "Description": "MSK Cluster with all properties",
  "Resources": {
    "TestCluster10": {
      "Type": "AWS::MSK::Cluster",
      "Properties": {
        "ClusterName": "ClusterWithAllProperties",
        "KafkaVersion": "2.2.1",
        "NumberOfBrokerNodes": 3,
        "EnhancedMonitoring": "PER_BROKER",
        "EncryptionInfo": {
          "EncryptionAtRest": {
            "DataVolumeKMSKeyId": "ReplaceWithKmsKeyArn"
          },
          "EncryptionInTransit": {
            "InCluster": "false"
          }
        },
        "OpenMonitoring": {
          "Prometheus": {
            "JmxExporter": {
              "EnabledInBroker": "true"
            },
            "NodeExporter": {
              "EnabledInBroker": "true"
            }
          }
        },
        "ConfigurationInfo": {
          "Arn": "ReplaceWithConfigurationArn",
          "Revision": 1
        },
        "ClientAuthentication": {
          "Tls": {
            "CertificateAuthorityArnList": [
              "ReplaceWithCAArn"
            ]
          }
        },
        "Tags": {
          "Environment": "Test",
          "Owner": "QATeam"
        },
        "BrokerNodeGroupInfo": {
          "BrokerAZDistribution": "DEFAULT",
          "InstanceType": "kafka.m5.large",
          "SecurityGroups": [
            "ReplaceWithSecurityGroupId"
          ],
          "StorageInfo": {
            "EBSStorageInfo": {
              "VolumeSize": 100
            }
          },
          "ClientSubnets": [
            "ReplaceWithSubnetId1",
            "ReplaceWithSubnetId2",
            "ReplaceWithSubnetId3"
          ]
        }
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Description: MSK Cluster with all properties
Resources:
  TestCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: ClusterWithAllProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      EnhancedMonitoring: PER_BROKER
      EncryptionInfo:
        EncryptionAtRest:
          DataVolumeKMSKeyId: ReplaceWithKmsKeyArn
        EncryptionInTransit:
          ClientBroker: TLS
          InCluster: true
      OpenMonitoring:
        Prometheus:
          JmxExporter:
            EnabledInBroker: "true"
          NodeExporter:
            EnabledInBroker: "true"
      ConfigurationInfo:
        Arn: ReplaceWithConfigurationArn
        Revision: 1
      ClientAuthentication:
        Tls:
          CertificateAuthorityArnList:
            - ReplaceWithCAArn
      Tags:
        Environment: Test
        Owner: QATeam
      BrokerNodeGroupInfo:
        BrokerAZDistribution: DEFAULT
        InstanceType: kafka.m5.large
        SecurityGroups:
          - ReplaceWithSecurityGroupId
        StorageInfo:
          EBSStorageInfo:
            VolumeSize: 100
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3
Negative test num. 2 - yaml file
Description: MSK Cluster with all properties
Resources:
  TestCluster2:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: ClusterWithAllProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      EnhancedMonitoring: PER_BROKER
      EncryptionInfo:
        EncryptionAtRest:
          DataVolumeKMSKeyId: ReplaceWithKmsKeyArn
        EncryptionInTransit:
          ClientBroker: TLS
      OpenMonitoring:
        Prometheus:
          JmxExporter:
            EnabledInBroker: "true"
          NodeExporter:
            EnabledInBroker: "true"
      ConfigurationInfo:
        Arn: ReplaceWithConfigurationArn
        Revision: 1
      ClientAuthentication:
        Tls:
          CertificateAuthorityArnList:
            - ReplaceWithCAArn
      Tags:
        Environment: Test
        Owner: QATeam
      BrokerNodeGroupInfo:
        BrokerAZDistribution: DEFAULT
        InstanceType: kafka.m5.large
        SecurityGroups:
          - ReplaceWithSecurityGroupId
        StorageInfo:
          EBSStorageInfo:
            VolumeSize: 100
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3
Negative test num. 3 - json file
{
  "Description": "MSK Cluster with all properties",
  "Resources": {
    "TestCluster3": {
      "Type": "AWS::MSK::Cluster",
      "Properties": {
        "ClusterName": "ClusterWithAllProperties",
        "KafkaVersion": "2.2.1",
        "NumberOfBrokerNodes": 3,
        "EnhancedMonitoring": "PER_BROKER",
        "EncryptionInfo": {
          "EncryptionAtRest": {
            "DataVolumeKMSKeyId": "ReplaceWithKmsKeyArn"
          },
          "EncryptionInTransit": {
            "ClientBroker": "TLS",
            "InCluster": true
          }
        },
        "OpenMonitoring": {
          "Prometheus": {
            "JmxExporter": {
              "EnabledInBroker": "true"
            },
            "NodeExporter": {
              "EnabledInBroker": "true"
            }
          }
        },
        "ConfigurationInfo": {
          "Arn": "ReplaceWithConfigurationArn",
          "Revision": 1
        },
        "ClientAuthentication": {
          "Tls": {
            "CertificateAuthorityArnList": [
              "ReplaceWithCAArn"
            ]
          }
        },
        "Tags": {
          "Environment": "Test",
          "Owner": "QATeam"
        },
        "BrokerNodeGroupInfo": {
          "BrokerAZDistribution": "DEFAULT",
          "InstanceType": "kafka.m5.large",
          "SecurityGroups": [
            "ReplaceWithSecurityGroupId"
          ],
          "StorageInfo": {
            "EBSStorageInfo": {
              "VolumeSize": 100
            }
          },
          "ClientSubnets": [
            "ReplaceWithSubnetId1",
            "ReplaceWithSubnetId2",
            "ReplaceWithSubnetId3"
          ]
        }
      }
    }
  }
}

Negative test num. 4 - json file
{
  "Description": "MSK Cluster with all properties",
  "Resources": {
    "TestCluster4": {
      "Type": "AWS::MSK::Cluster",
      "Properties": {
        "ClusterName": "ClusterWithAllProperties",
        "KafkaVersion": "2.2.1",
        "NumberOfBrokerNodes": 3,
        "EnhancedMonitoring": "PER_BROKER",
        "EncryptionInfo": {
          "EncryptionAtRest": {
            "DataVolumeKMSKeyId": "ReplaceWithKmsKeyArn"
          },
          "EncryptionInTransit": {
            "ClientBroker": "TLS"
          }
        },
        "OpenMonitoring": {
          "Prometheus": {
            "JmxExporter": {
              "EnabledInBroker": "true"
            },
            "NodeExporter": {
              "EnabledInBroker": "true"
            }
          }
        },
        "ConfigurationInfo": {
          "Arn": "ReplaceWithConfigurationArn",
          "Revision": 1
        },
        "ClientAuthentication": {
          "Tls": {
            "CertificateAuthorityArnList": [
              "ReplaceWithCAArn"
            ]
          }
        },
        "Tags": {
          "Environment": "Test",
          "Owner": "QATeam"
        },
        "BrokerNodeGroupInfo": {
          "BrokerAZDistribution": "DEFAULT",
          "InstanceType": "kafka.m5.large",
          "SecurityGroups": [
            "ReplaceWithSecurityGroupId"
          ],
          "StorageInfo": {
            "EBSStorageInfo": {
              "VolumeSize": 100
            }
          },
          "ClientSubnets": [
            "ReplaceWithSubnetId1",
            "ReplaceWithSubnetId2",
            "ReplaceWithSubnetId3"
          ]
        }
      }
    }
  }
}