MSK Cluster Encryption Disabled
- Query id: a976d63f-af0e-46e8-b714-8c1a9c4bf768
- Query name: MSK Cluster Encryption Disabled
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- CWE: Ongoing
- URL: Github
Description¶
Ensure that MSK cluster encryption at rest and in transit is enabled: the template should declare an `EncryptionInfo` block whose `EncryptionInTransit.ClientBroker` is `TLS` and whose `InCluster` is not set to `false`. The samples below show a cluster with no `EncryptionInfo` at all, one with `ClientBroker: PLAINTEXT`, and one with `InCluster: false` being reported; templates that declare `ClientBroker: TLS` (with `InCluster` either `true` or omitted) are not.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file (no `EncryptionInfo` block declared)
# Positive (reported) sample: the cluster declares no EncryptionInfo block, so
# neither encryption at rest (DataVolumeKMSKeyId) nor encryption in transit
# (ClientBroker / InCluster) is stated anywhere in the template.
# NOTE(review): AWS applies its own defaults when EncryptionInfo is omitted; the
# query still flags this because the requirement is not expressed in code —
# confirm the current defaults against the AWS::MSK::Cluster documentation.
Description: MSK Cluster with all properties
Resources:
  TestCluster5:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: ClusterWithAllProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      EnhancedMonitoring: PER_BROKER
      # EncryptionInfo is absent here — that absence is what the query reports.
      OpenMonitoring:
        Prometheus:
          JmxExporter:
            EnabledInBroker: "true"
          NodeExporter:
            EnabledInBroker: "true"
      ConfigurationInfo:
        Arn: ReplaceWithConfigurationArn
        Revision: 1
      # TLS client authentication is configured, but that only covers who may
      # connect; it does not by itself make the transport encryption explicit.
      ClientAuthentication:
        Tls:
          CertificateAuthorityArnList:
            - ReplaceWithCAArn
      Tags:
        Environment: Test
        Owner: QATeam
      BrokerNodeGroupInfo:
        BrokerAZDistribution: DEFAULT
        InstanceType: kafka.m5.large
        SecurityGroups:
          - ReplaceWithSecurityGroupId
        StorageInfo:
          EBSStorageInfo:
            VolumeSize: 100
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3
Positive test num. 2 - yaml file (`EncryptionInTransit.ClientBroker: PLAINTEXT`)
# Positive (reported) sample: encryption at rest is configured with a customer
# KMS key, but client-to-broker traffic is explicitly set to PLAINTEXT, so data
# crosses the network unencrypted between producers/consumers and the brokers.
Description: MSK Cluster with all properties
Resources:
  TestCluster6:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: ClusterWithAllProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      EnhancedMonitoring: PER_BROKER
      EncryptionInfo:
        EncryptionAtRest:
          DataVolumeKMSKeyId: ReplaceWithKmsKeyArn
        EncryptionInTransit:
          # PLAINTEXT disables TLS for client-broker connections — this is the
          # value the query reports. The compliant value is TLS.
          ClientBroker: PLAINTEXT
      OpenMonitoring:
        Prometheus:
          JmxExporter:
            EnabledInBroker: "true"
          NodeExporter:
            EnabledInBroker: "true"
      ConfigurationInfo:
        Arn: ReplaceWithConfigurationArn
        Revision: 1
      # NOTE(review): TLS client authentication combined with PLAINTEXT
      # client-broker traffic is contradictory (the client certificate cannot be
      # presented without a TLS handshake); a real deployment would likely be
      # rejected or misconfigured — confirm against the MSK docs.
      ClientAuthentication:
        Tls:
          CertificateAuthorityArnList:
            - ReplaceWithCAArn
      Tags:
        Environment: Test
        Owner: QATeam
      BrokerNodeGroupInfo:
        BrokerAZDistribution: DEFAULT
        InstanceType: kafka.m5.large
        SecurityGroups:
          - ReplaceWithSecurityGroupId
        StorageInfo:
          EBSStorageInfo:
            VolumeSize: 100
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3
Positive test num. 3 - yaml file (`EncryptionInTransit.InCluster: false`)
# Positive (reported) sample: encryption at rest is configured, but
# broker-to-broker (in-cluster) encryption is explicitly disabled, so
# replication traffic between brokers travels unencrypted.
Description: MSK Cluster with all properties
Resources:
  TestCluster7:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: ClusterWithAllProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      EnhancedMonitoring: PER_BROKER
      EncryptionInfo:
        EncryptionAtRest:
          DataVolumeKMSKeyId: ReplaceWithKmsKeyArn
        EncryptionInTransit:
          # An explicit false here is what the query reports; ClientBroker is
          # not set in this sample, so only the in-cluster setting is at issue.
          InCluster: false
      OpenMonitoring:
        Prometheus:
          JmxExporter:
            EnabledInBroker: "true"
          NodeExporter:
            EnabledInBroker: "true"
      ConfigurationInfo:
        Arn: ReplaceWithConfigurationArn
        Revision: 1
      ClientAuthentication:
        Tls:
          CertificateAuthorityArnList:
            - ReplaceWithCAArn
      Tags:
        Environment: Test
        Owner: QATeam
      BrokerNodeGroupInfo:
        BrokerAZDistribution: DEFAULT
        InstanceType: kafka.m5.large
        SecurityGroups:
          - ReplaceWithSecurityGroupId
        StorageInfo:
          EBSStorageInfo:
            VolumeSize: 100
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3
Positive test num. 4 - json file (no `EncryptionInfo` block declared)
{
"Description": "MSK Cluster with all properties",
"Resources": {
"TestCluster8": {
"Type": "AWS::MSK::Cluster",
"Properties": {
"ClusterName": "ClusterWithAllProperties",
"KafkaVersion": "2.2.1",
"NumberOfBrokerNodes": 3,
"EnhancedMonitoring": "PER_BROKER",
"OpenMonitoring": {
"Prometheus": {
"JmxExporter": {
"EnabledInBroker": "true"
},
"NodeExporter": {
"EnabledInBroker": "true"
}
}
},
"ConfigurationInfo": {
"Arn": "ReplaceWithConfigurationArn",
"Revision": 1
},
"ClientAuthentication": {
"Tls": {
"CertificateAuthorityArnList": [
"ReplaceWithCAArn"
]
}
},
"Tags": {
"Environment": "Test",
"Owner": "QATeam"
},
"BrokerNodeGroupInfo": {
"BrokerAZDistribution": "DEFAULT",
"InstanceType": "kafka.m5.large",
"SecurityGroups": [
"ReplaceWithSecurityGroupId"
],
"StorageInfo": {
"EBSStorageInfo": {
"VolumeSize": 100
}
},
"ClientSubnets": [
"ReplaceWithSubnetId1",
"ReplaceWithSubnetId2",
"ReplaceWithSubnetId3"
]
}
}
}
}
}
Positive test num. 5 - json file (`EncryptionInTransit.ClientBroker` set to `PLAINTEXT`)
{
"Description": "MSK Cluster with all properties",
"Resources": {
"TestCluster9": {
"Type": "AWS::MSK::Cluster",
"Properties": {
"ClusterName": "ClusterWithAllProperties",
"KafkaVersion": "2.2.1",
"NumberOfBrokerNodes": 3,
"EnhancedMonitoring": "PER_BROKER",
"EncryptionInfo": {
"EncryptionAtRest": {
"DataVolumeKMSKeyId": "ReplaceWithKmsKeyArn"
},
"EncryptionInTransit": {
"ClientBroker": "PLAINTEXT"
}
},
"OpenMonitoring": {
"Prometheus": {
"JmxExporter": {
"EnabledInBroker": "true"
},
"NodeExporter": {
"EnabledInBroker": "true"
}
}
},
"ConfigurationInfo": {
"Arn": "ReplaceWithConfigurationArn",
"Revision": 1
},
"ClientAuthentication": {
"Tls": {
"CertificateAuthorityArnList": [
"ReplaceWithCAArn"
]
}
},
"Tags": {
"Environment": "Test",
"Owner": "QATeam"
},
"BrokerNodeGroupInfo": {
"BrokerAZDistribution": "DEFAULT",
"InstanceType": "kafka.m5.large",
"SecurityGroups": [
"ReplaceWithSecurityGroupId"
],
"StorageInfo": {
"EBSStorageInfo": {
"VolumeSize": 100
}
},
"ClientSubnets": [
"ReplaceWithSubnetId1",
"ReplaceWithSubnetId2",
"ReplaceWithSubnetId3"
]
}
}
}
}
}
Positive test num. 6 - json file (`EncryptionInTransit.InCluster` given as the string `"false"` rather than a JSON boolean; still reported)
{
"Description": "MSK Cluster with all properties",
"Resources": {
"TestCluster10": {
"Type": "AWS::MSK::Cluster",
"Properties": {
"ClusterName": "ClusterWithAllProperties",
"KafkaVersion": "2.2.1",
"NumberOfBrokerNodes": 3,
"EnhancedMonitoring": "PER_BROKER",
"EncryptionInfo": {
"EncryptionAtRest": {
"DataVolumeKMSKeyId": "ReplaceWithKmsKeyArn"
},
"EncryptionInTransit": {
"InCluster": "false"
}
},
"OpenMonitoring": {
"Prometheus": {
"JmxExporter": {
"EnabledInBroker": "true"
},
"NodeExporter": {
"EnabledInBroker": "true"
}
}
},
"ConfigurationInfo": {
"Arn": "ReplaceWithConfigurationArn",
"Revision": 1
},
"ClientAuthentication": {
"Tls": {
"CertificateAuthorityArnList": [
"ReplaceWithCAArn"
]
}
},
"Tags": {
"Environment": "Test",
"Owner": "QATeam"
},
"BrokerNodeGroupInfo": {
"BrokerAZDistribution": "DEFAULT",
"InstanceType": "kafka.m5.large",
"SecurityGroups": [
"ReplaceWithSecurityGroupId"
],
"StorageInfo": {
"EBSStorageInfo": {
"VolumeSize": 100
}
},
"ClientSubnets": [
"ReplaceWithSubnetId1",
"ReplaceWithSubnetId2",
"ReplaceWithSubnetId3"
]
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file (`ClientBroker: TLS` and `InCluster: true` declared explicitly)
# Negative (compliant) sample: encryption at rest uses a customer KMS key and
# encryption in transit is stated explicitly for both client-to-broker (TLS)
# and broker-to-broker (InCluster: true) traffic. This is the preferred form —
# every encryption decision is visible and auditable in the template.
Description: MSK Cluster with all properties
Resources:
  TestCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: ClusterWithAllProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      EnhancedMonitoring: PER_BROKER
      EncryptionInfo:
        EncryptionAtRest:
          DataVolumeKMSKeyId: ReplaceWithKmsKeyArn
        EncryptionInTransit:
          # TLS for clients and explicit in-cluster encryption.
          ClientBroker: TLS
          InCluster: true
      OpenMonitoring:
        Prometheus:
          JmxExporter:
            EnabledInBroker: "true"
          NodeExporter:
            EnabledInBroker: "true"
      ConfigurationInfo:
        Arn: ReplaceWithConfigurationArn
        Revision: 1
      # mTLS client authentication; consistent with ClientBroker: TLS above.
      ClientAuthentication:
        Tls:
          CertificateAuthorityArnList:
            - ReplaceWithCAArn
      Tags:
        Environment: Test
        Owner: QATeam
      BrokerNodeGroupInfo:
        BrokerAZDistribution: DEFAULT
        InstanceType: kafka.m5.large
        SecurityGroups:
          - ReplaceWithSecurityGroupId
        StorageInfo:
          EBSStorageInfo:
            VolumeSize: 100
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3
Negative test num. 2 - yaml file (`ClientBroker: TLS` declared; `InCluster` omitted)
# Negative (compliant) sample: client-to-broker encryption is set to TLS and
# InCluster is simply omitted. The query treats the omission as compliant —
# only an explicit `InCluster: false` is reported (compare positive sample 3).
# NOTE(review): leaving InCluster unset relies on the AWS default for
# broker-to-broker encryption; setting it to true explicitly makes the intent
# reviewable and removes any dependence on the default — confirm the default
# against the current AWS::MSK::Cluster documentation.
Description: MSK Cluster with all properties
Resources:
  TestCluster2:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: ClusterWithAllProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      EnhancedMonitoring: PER_BROKER
      EncryptionInfo:
        EncryptionAtRest:
          DataVolumeKMSKeyId: ReplaceWithKmsKeyArn
        EncryptionInTransit:
          # TLS for client connections; InCluster intentionally not declared
          # in this sample.
          ClientBroker: TLS
      OpenMonitoring:
        Prometheus:
          JmxExporter:
            EnabledInBroker: "true"
          NodeExporter:
            EnabledInBroker: "true"
      ConfigurationInfo:
        Arn: ReplaceWithConfigurationArn
        Revision: 1
      ClientAuthentication:
        Tls:
          CertificateAuthorityArnList:
            - ReplaceWithCAArn
      Tags:
        Environment: Test
        Owner: QATeam
      BrokerNodeGroupInfo:
        BrokerAZDistribution: DEFAULT
        InstanceType: kafka.m5.large
        SecurityGroups:
          - ReplaceWithSecurityGroupId
        StorageInfo:
          EBSStorageInfo:
            VolumeSize: 100
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3
Negative test num. 3 - json file (`ClientBroker` set to `TLS` and `InCluster` set to `true`)
{
"Description": "MSK Cluster with all properties",
"Resources": {
"TestCluster3": {
"Type": "AWS::MSK::Cluster",
"Properties": {
"ClusterName": "ClusterWithAllProperties",
"KafkaVersion": "2.2.1",
"NumberOfBrokerNodes": 3,
"EnhancedMonitoring": "PER_BROKER",
"EncryptionInfo": {
"EncryptionAtRest": {
"DataVolumeKMSKeyId": "ReplaceWithKmsKeyArn"
},
"EncryptionInTransit": {
"ClientBroker": "TLS",
"InCluster": true
}
},
"OpenMonitoring": {
"Prometheus": {
"JmxExporter": {
"EnabledInBroker": "true"
},
"NodeExporter": {
"EnabledInBroker": "true"
}
}
},
"ConfigurationInfo": {
"Arn": "ReplaceWithConfigurationArn",
"Revision": 1
},
"ClientAuthentication": {
"Tls": {
"CertificateAuthorityArnList": [
"ReplaceWithCAArn"
]
}
},
"Tags": {
"Environment": "Test",
"Owner": "QATeam"
},
"BrokerNodeGroupInfo": {
"BrokerAZDistribution": "DEFAULT",
"InstanceType": "kafka.m5.large",
"SecurityGroups": [
"ReplaceWithSecurityGroupId"
],
"StorageInfo": {
"EBSStorageInfo": {
"VolumeSize": 100
}
},
"ClientSubnets": [
"ReplaceWithSubnetId1",
"ReplaceWithSubnetId2",
"ReplaceWithSubnetId3"
]
}
}
}
}
}
Negative test num. 4 - json file (`ClientBroker` set to `TLS`; `InCluster` omitted)
{
"Description": "MSK Cluster with all properties",
"Resources": {
"TestCluster4": {
"Type": "AWS::MSK::Cluster",
"Properties": {
"ClusterName": "ClusterWithAllProperties",
"KafkaVersion": "2.2.1",
"NumberOfBrokerNodes": 3,
"EnhancedMonitoring": "PER_BROKER",
"EncryptionInfo": {
"EncryptionAtRest": {
"DataVolumeKMSKeyId": "ReplaceWithKmsKeyArn"
},
"EncryptionInTransit": {
"ClientBroker": "TLS"
}
},
"OpenMonitoring": {
"Prometheus": {
"JmxExporter": {
"EnabledInBroker": "true"
},
"NodeExporter": {
"EnabledInBroker": "true"
}
}
},
"ConfigurationInfo": {
"Arn": "ReplaceWithConfigurationArn",
"Revision": 1
},
"ClientAuthentication": {
"Tls": {
"CertificateAuthorityArnList": [
"ReplaceWithCAArn"
]
}
},
"Tags": {
"Environment": "Test",
"Owner": "QATeam"
},
"BrokerNodeGroupInfo": {
"BrokerAZDistribution": "DEFAULT",
"InstanceType": "kafka.m5.large",
"SecurityGroups": [
"ReplaceWithSecurityGroupId"
],
"StorageInfo": {
"EBSStorageInfo": {
"VolumeSize": 100
}
},
"ClientSubnets": [
"ReplaceWithSubnetId1",
"ReplaceWithSubnetId2",
"ReplaceWithSubnetId3"
]
}
}
}
}
}