MSK Cluster Logging Disabled
- Query id: fc7c2c15-f5d0-4b80-adb2-c89019f8f62b
- Query name: MSK Cluster Logging Disabled
- Platform: CloudFormation
- Severity: Medium
- Category: Observability
- CWE: Ongoing
- URL: Github
Description¶
Ensure MSK Cluster Logging is enabled
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: MSK Cluster with required properties.
Resources:
TestCluster5:
Type: 'AWS::MSK::Cluster'
Properties:
ClusterName: ClusterWithRequiredProperties
KafkaVersion: 2.2.1
NumberOfBrokerNodes: 3
BrokerNodeGroupInfo:
InstanceType: kafka.m5.large
ClientSubnets:
- ReplaceWithSubnetId1
- ReplaceWithSubnetId2
- ReplaceWithSubnetId3
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: MSK Cluster with required properties.
Resources:
TestCluster6:
Type: 'AWS::MSK::Cluster'
Properties:
ClusterName: ClusterWithRequiredProperties
KafkaVersion: 2.2.1
LoggingInfo:
BrokerLogs:
CloudWatchLogs:
Enabled: false
LogGroup: aws_cloudwatch_log_group.test.name
Firehose:
Enabled: false
LogGroup: firehose.test.name
S3:
Enabled: false
LogGroup: s3.test.name
NumberOfBrokerNodes: 3
BrokerNodeGroupInfo:
InstanceType: kafka.m5.large
ClientSubnets:
- ReplaceWithSubnetId1
- ReplaceWithSubnetId2
- ReplaceWithSubnetId3
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: MSK Cluster with required properties.
Resources:
TestCluster7:
Type: 'AWS::MSK::Cluster'
Properties:
ClusterName: ClusterWithRequiredProperties
KafkaVersion: 2.2.1
LoggingInfo:
BrokerLogs:
CloudWatchLogs:
Enabled: false
LogGroup: aws_cloudwatch_log_group.test.name
NumberOfBrokerNodes: 3
BrokerNodeGroupInfo:
InstanceType: kafka.m5.large
ClientSubnets:
- ReplaceWithSubnetId1
- ReplaceWithSubnetId2
- ReplaceWithSubnetId3
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "MSK Cluster with required properties.",
"Resources": {
"TestCluster8": {
"Type": "AWS::MSK::Cluster",
"Properties": {
"ClusterName": "ClusterWithRequiredProperties",
"KafkaVersion": "2.2.1",
"NumberOfBrokerNodes": 3,
"BrokerNodeGroupInfo": {
"InstanceType": "kafka.m5.large",
"ClientSubnets": [
"ReplaceWithSubnetId1",
"ReplaceWithSubnetId2",
"ReplaceWithSubnetId3"
]
}
}
}
}
}
Positive test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "MSK Cluster with required properties.",
"Resources": {
"TestCluster9": {
"Type": "AWS::MSK::Cluster",
"Properties": {
"ClusterName": "ClusterWithRequiredProperties",
"KafkaVersion": "2.2.1",
"LoggingInfo": {
"BrokerLogs": {
"CloudWatchLogs": {
"Enabled": false,
"LogGroup": "aws_cloudwatch_log_group.test.name"
},
"Firehose": {
"Enabled": false,
"LogGroup": "firehose.test.name"
},
"S3": {
"Enabled": false,
"LogGroup": "s3.test.name"
}
}
},
"NumberOfBrokerNodes": 3,
"BrokerNodeGroupInfo": {
"InstanceType": "kafka.m5.large",
"ClientSubnets": [
"ReplaceWithSubnetId1",
"ReplaceWithSubnetId2",
"ReplaceWithSubnetId3"
]
}
}
}
}
}
Positive test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "MSK Cluster with required properties.",
"Resources": {
"TestCluster10": {
"Type": "AWS::MSK::Cluster",
"Properties": {
"ClusterName": "ClusterWithRequiredProperties",
"KafkaVersion": "2.2.1",
"LoggingInfo": {
"BrokerLogs": {
"CloudWatchLogs": {
"Enabled": false,
"LogGroup": "aws_cloudwatch_log_group.test.name"
}
}
},
"NumberOfBrokerNodes": 3,
"BrokerNodeGroupInfo": {
"InstanceType": "kafka.m5.large",
"ClientSubnets": [
"ReplaceWithSubnetId1",
"ReplaceWithSubnetId2",
"ReplaceWithSubnetId3"
]
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: MSK Cluster with required properties.
Resources:
TestCluster:
Type: 'AWS::MSK::Cluster'
Properties:
ClusterName: ClusterWithRequiredProperties
KafkaVersion: 2.2.1
LoggingInfo:
BrokerLogs:
CloudWatchLogs:
Enabled: true
LogGroup: aws_cloudwatch_log_group.test.name
NumberOfBrokerNodes: 3
BrokerNodeGroupInfo:
InstanceType: kafka.m5.large
ClientSubnets:
- ReplaceWithSubnetId1
- ReplaceWithSubnetId2
- ReplaceWithSubnetId3
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: MSK Cluster with required properties.
Resources:
TestCluster2:
Type: 'AWS::MSK::Cluster'
Properties:
ClusterName: ClusterWithRequiredProperties
KafkaVersion: 2.2.1
LoggingInfo:
BrokerLogs:
CloudWatchLogs:
Enabled: false
LogGroup: aws_cloudwatch_log_group.test.name
S3:
Enabled: true
LogGroup: s3.test.name
NumberOfBrokerNodes: 3
BrokerNodeGroupInfo:
InstanceType: kafka.m5.large
ClientSubnets:
- ReplaceWithSubnetId1
- ReplaceWithSubnetId2
- ReplaceWithSubnetId3
Negative test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "MSK Cluster with required properties.",
"Resources": {
"TestCluster3": {
"Type": "AWS::MSK::Cluster",
"Properties": {
"ClusterName": "ClusterWithRequiredProperties",
"KafkaVersion": "2.2.1",
"LoggingInfo": {
"BrokerLogs": {
"CloudWatchLogs": {
"Enabled": true,
"LogGroup": "aws_cloudwatch_log_group.test.name"
}
}
},
"NumberOfBrokerNodes": 3,
"BrokerNodeGroupInfo": {
"InstanceType": "kafka.m5.large",
"ClientSubnets": [
"ReplaceWithSubnetId1",
"ReplaceWithSubnetId2",
"ReplaceWithSubnetId3"
]
}
}
}
}
}
Negative test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "MSK Cluster with required properties.",
"Resources": {
"TestCluster4": {
"Type": "AWS::MSK::Cluster",
"Properties": {
"ClusterName": "ClusterWithRequiredProperties",
"KafkaVersion": "2.2.1",
"LoggingInfo": {
"BrokerLogs": {
"CloudWatchLogs": {
"Enabled": false,
"LogGroup": "aws_cloudwatch_log_group.test.name"
},
"S3": {
"Enabled": true,
"LogGroup": "s3.test.name"
}
}
},
"NumberOfBrokerNodes": 3,
"BrokerNodeGroupInfo": {
"InstanceType": "kafka.m5.large",
"ClientSubnets": [
"ReplaceWithSubnetId1",
"ReplaceWithSubnetId2",
"ReplaceWithSubnetId3"
]
}
}
}
}
}