MSK Cluster Encryption Disabled
- Query id: 6db52fa6-d4da-4608-908a-89f0c59e743e
- Query name: MSK Cluster Encryption Disabled
- Platform: Terraform
- Severity: High
- Category: Encryption
- CWE: Ongoing
- URL: Github
Description¶
Ensure MSK Cluster encryption in rest and transit is enabled
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_msk_cluster" "positive1" {
cluster_name = "example"
kafka_version = "2.4.1"
number_of_broker_nodes = 3
}
resource "aws_msk_cluster" "positive2" {
cluster_name = "example"
kafka_version = "2.4.1"
number_of_broker_nodes = 3
encryption_info {
encryption_in_transit {
client_broker = "PLAINTEXT"
}
}
}
resource "aws_msk_cluster" "positive3" {
cluster_name = "example"
kafka_version = "2.4.1"
number_of_broker_nodes = 3
encryption_info {
encryption_in_transit {
in_cluster = false
}
}
}
resource "aws_msk_cluster" "positive4" {
cluster_name = "example"
kafka_version = "2.4.1"
number_of_broker_nodes = 3
encryption_info {
encryption_in_transit {
client_broker = "PLAINTEXT"
in_cluster = false
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_msk_cluster" "negative1" {
encryption_info {
encryption_at_rest_kms_key_arn = aws_kms_key.kms.arn
}
}
resource "aws_msk_cluster" "negative2" {
encryption_info {
encryption_at_rest_kms_key_arn = aws_kms_key.kms.arn
encryption_in_transit {
client_broker = "TLS"
in_cluster = true
}
}
}
resource "aws_msk_cluster" "negative3" {
encryption_info {
encryption_at_rest_kms_key_arn = aws_kms_key.kms.arn
encryption_in_transit {
client_broker = "TLS"
}
}
}
resource "aws_msk_cluster" "negative4" {
encryption_info {
encryption_at_rest_kms_key_arn = aws_kms_key.kms.arn
encryption_in_transit {
in_cluster = true
}
}
}