MSK Broker Is Publicly Accessible

  • Query id: 0ce1ba20-8ba8-4364-836f-40c24b8cb0ab
  • Query name: MSK Broker Is Publicly Accessible
  • Platform: CloudFormation
  • Severity: High
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: MSK Cluster with required properties.
Resources:
  TestCluster:
    Type: "AWS::MSK::Cluster"
    Properties:
      ClusterName: ClusterWithRequiredProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      BrokerNodeGroupInfo:
        InstanceType: kafka.m5.large
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3
        ConnectivityInfo:
          PublicAccess:
            Type: SERVICE_PROVIDED_EIPS
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "MSK Cluster with required properties.",
  "Resources": {
    "TestCluster": {
      "Properties": {
        "BrokerNodeGroupInfo": {
          "ClientSubnets": [
            "ReplaceWithSubnetId1",
            "ReplaceWithSubnetId2",
            "ReplaceWithSubnetId3"
          ],
          "ConnectivityInfo": {
            "PublicAccess": {
              "Type": "SERVICE_PROVIDED_EIPS"
            }
          },
          "InstanceType": "kafka.m5.large"
        },
        "ClusterName": "ClusterWithRequiredProperties",
        "KafkaVersion": "2.2.1",
        "NumberOfBrokerNodes": 3
      },
      "Type": "AWS::MSK::Cluster"
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: MSK Cluster with required properties.
Resources:
  TestCluster0:
    Type: "AWS::MSK::Cluster"
    Properties:
      ClusterName: ClusterWithRequiredProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      BrokerNodeGroupInfo:
        InstanceType: kafka.m5.large
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "MSK Cluster with required properties.",
  "Resources": {
    "TestCluster": {
      "Properties": {
        "BrokerNodeGroupInfo": {
          "ClientSubnets": [
            "ReplaceWithSubnetId1",
            "ReplaceWithSubnetId2",
            "ReplaceWithSubnetId3"
          ],
          "ConnectivityInfo": {
            "PublicAccess": {
              "Type": "DISABLED"
            }
          },
          "InstanceType": "kafka.m5.large"
        },
        "ClusterName": "ClusterWithRequiredProperties",
        "KafkaVersion": "2.2.1",
        "NumberOfBrokerNodes": 3
      },
      "Type": "AWS::MSK::Cluster"
    }
  }
}