MSK Broker Is Publicly Accessible
- Query id: 0ce1ba20-8ba8-4364-836f-40c24b8cb0ab
- Query name: MSK Broker Is Publicly Accessible
- Platform: CloudFormation
- Severity: High
- Category: Access Control
- CWE: 284
- URL: Github
Description¶
Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: MSK Cluster with required properties.
Resources:
TestCluster:
Type: "AWS::MSK::Cluster"
Properties:
ClusterName: ClusterWithRequiredProperties
KafkaVersion: 2.2.1
NumberOfBrokerNodes: 3
BrokerNodeGroupInfo:
InstanceType: kafka.m5.large
ClientSubnets:
- ReplaceWithSubnetId1
- ReplaceWithSubnetId2
- ReplaceWithSubnetId3
ConnectivityInfo:
PublicAccess:
Type: SERVICE_PROVIDED_EIPS
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "MSK Cluster with required properties.",
"Resources": {
"TestCluster": {
"Properties": {
"BrokerNodeGroupInfo": {
"ClientSubnets": [
"ReplaceWithSubnetId1",
"ReplaceWithSubnetId2",
"ReplaceWithSubnetId3"
],
"ConnectivityInfo": {
"PublicAccess": {
"Type": "SERVICE_PROVIDED_EIPS"
}
},
"InstanceType": "kafka.m5.large"
},
"ClusterName": "ClusterWithRequiredProperties",
"KafkaVersion": "2.2.1",
"NumberOfBrokerNodes": 3
},
"Type": "AWS::MSK::Cluster"
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: MSK Cluster with required properties.
Resources:
TestCluster0:
Type: "AWS::MSK::Cluster"
Properties:
ClusterName: ClusterWithRequiredProperties
KafkaVersion: 2.2.1
NumberOfBrokerNodes: 3
BrokerNodeGroupInfo:
InstanceType: kafka.m5.large
ClientSubnets:
- ReplaceWithSubnetId1
- ReplaceWithSubnetId2
- ReplaceWithSubnetId3
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "MSK Cluster with required properties.",
"Resources": {
"TestCluster": {
"Properties": {
"BrokerNodeGroupInfo": {
"ClientSubnets": [
"ReplaceWithSubnetId1",
"ReplaceWithSubnetId2",
"ReplaceWithSubnetId3"
],
"ConnectivityInfo": {
"PublicAccess": {
"Type": "DISABLED"
}
},
"InstanceType": "kafka.m5.large"
},
"ClusterName": "ClusterWithRequiredProperties",
"KafkaVersion": "2.2.1",
"NumberOfBrokerNodes": 3
},
"Type": "AWS::MSK::Cluster"
}
}
}