MSK Broker Is Publicly Accessible
- Query id: 54378d69-dd7c-4b08-a43e-80d563396857
- Query name: MSK Broker Is Publicly Accessible
- Platform: Terraform
- Severity: High
- Category: Access Control
- CWE: 284
- URL: Github
Description¶
Setting `public_access.type` to `SERVICE_PROVIDED_EIPS` in `broker_node_group_info.connectivity_info` gives every broker in the Amazon MSK cluster a public IP, so the Apache Kafka bootstrap and broker endpoints become reachable from outside the VPC. That exposes the cluster to anyone on the internet who can get past the security group and the configured client authentication, and increases the opportunity for malicious activity (brute-forcing credentials, abusing a leaked key, or data exfiltration). To prevent such a scenario, MSK clusters should not be publicly accessible: set `type = "DISABLED"` or omit the `connectivity_info` block entirely, since `DISABLED` is the default. Clients that legitimately sit outside the VPC should reach the brokers through VPC peering, Transit Gateway, a VPN, or AWS PrivateLink instead. Note that keeping public access disabled does not by itself restrict who inside the VPC can talk to the brokers; the cluster's security groups and client authentication settings still govern that.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
```tf
resource "aws_msk_cluster" "positive1" {
  cluster_name           = "example"
  kafka_version          = "2.7.1"
  number_of_broker_nodes = 3

  broker_node_group_info {
    connectivity_info {
      public_access {
        # Brokers receive service-provided public IPs: reachable from the internet (flagged)
        type = "SERVICE_PROVIDED_EIPS"
      }
    }
    instance_type = "kafka.m5.4xlarge"
    client_subnets = [
      aws_subnet.subnet_az1.id,
      aws_subnet.subnet_az2.id,
      aws_subnet.subnet_az3.id,
    ]
    storage_info {
      ebs_storage_info {
        provisioned_throughput {
          enabled           = true
          volume_throughput = 250
        }
        volume_size = 1000
      }
    }
    security_groups = [aws_security_group.sg.id]
  }
}
```
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
```tf
resource "aws_msk_cluster" "negative1" {
  cluster_name           = "example"
  kafka_version          = "2.7.1"
  number_of_broker_nodes = 3

  broker_node_group_info {
    connectivity_info {
      public_access {
        # Explicitly disabled: brokers are reachable only from inside the VPC
        type = "DISABLED"
      }
    }
    instance_type = "kafka.m5.4xlarge"
    client_subnets = [
      aws_subnet.subnet_az1.id,
      aws_subnet.subnet_az2.id,
      aws_subnet.subnet_az3.id,
    ]
    storage_info {
      ebs_storage_info {
        provisioned_throughput {
          enabled           = true
          volume_throughput = 250
        }
        volume_size = 1000
      }
    }
    security_groups = [aws_security_group.sg.id]
  }
}
```
Negative test num. 2 - tf file
```tf
resource "aws_msk_cluster" "negative2" {
  cluster_name           = "example"
  kafka_version          = "2.7.1"
  number_of_broker_nodes = 3

  # connectivity_info omitted: public_access.type defaults to DISABLED
  broker_node_group_info {
    instance_type = "kafka.m5.4xlarge"
    client_subnets = [
      aws_subnet.subnet_az1.id,
      aws_subnet.subnet_az2.id,
      aws_subnet.subnet_az3.id,
    ]
    storage_info {
      ebs_storage_info {
        provisioned_throughput {
          enabled           = true
          volume_throughput = 250
        }
        volume_size = 1000
      }
    }
    security_groups = [aws_security_group.sg.id]
  }
}
```
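The same check can be run outside KICS against a plan or state exported with `terraform show -json`, which is convenient as a CI gate or when auditing state you did not write. The script below is an added example and is not part of the KICS query or the Terraform AWS provider. It walks `planned_values` (or `values` for a state file) including child modules, reads `broker_node_group_info[].connectivity_info[].public_access[].type` (Terraform's JSON output renders nested blocks as lists of objects), treats an omitted block as the provider default `DISABLED`, and reports every `aws_msk_cluster` whose type is `SERVICE_PROVIDED_EIPS`. The embedded `PLAN` document is constructed by hand to mirror the three samples above (`positive1`, `negative1`, `negative2`), with `negative2` placed in a child module to exercise the recursion; the module address `module.kafka` is an assumption.

```python
"""Flag aws_msk_cluster resources with public access enabled in the JSON
output of `terraform show -json plan.tfplan` or `terraform show -json`.

Example code added for this page; not the KICS query itself. PLAN below is
a hand-constructed document that mirrors the three samples above.
"""
import json
import sys

# Values of public_access.type that expose brokers to the internet.
PUBLIC_TYPES = {"SERVICE_PROVIDED_EIPS"}


def _cluster(name, public_type=None):
    """Build one aws_msk_cluster resource entry; None omits connectivity_info."""
    bngi = {"instance_type": "kafka.m5.4xlarge"}
    if public_type is not None:
        bngi["connectivity_info"] = [{"public_access": [{"type": public_type}]}]
    else:
        bngi["connectivity_info"] = []      # how an omitted block appears in plan JSON
    return {
        "address": f"aws_msk_cluster.{name}",
        "type": "aws_msk_cluster",
        "name": name,
        "values": {"cluster_name": "example", "broker_node_group_info": [bngi]},
    }


# Constructed plan document (not real terraform output); module.kafka is assumed.
PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                _cluster("positive1", "SERVICE_PROVIDED_EIPS"),
                _cluster("negative1", "DISABLED"),
                {"address": "aws_security_group.sg", "type": "aws_security_group",
                 "name": "sg", "values": {}},
            ],
            "child_modules": [
                {"address": "module.kafka", "resources": [_cluster("negative2")]},
            ],
        }
    },
}


def _first(block):
    """Terraform JSON renders a nested block as a list of objects; return the
    first object, or an empty dict when the block is absent or empty."""
    if isinstance(block, list):
        return block[0] if block else {}
    return block or {}


def public_access_type(values):
    """Return public_access.type for an aws_msk_cluster's values.
    An omitted block (or a type left unset) is reported as DISABLED,
    which is the provider/AWS default."""
    bngi = _first(values.get("broker_node_group_info"))
    conn = _first(bngi.get("connectivity_info"))
    pub = _first(conn.get("public_access"))
    return pub.get("type") or "DISABLED"


def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_public_msk(doc):
    """Return the addresses of all aws_msk_cluster resources that enable
    public access. Accepts plan JSON (planned_values) or state JSON (values)."""
    root = (doc.get("planned_values") or doc.get("values") or {}).get("root_module", {})
    return [
        res["address"]
        for res in iter_resources(root)
        if res.get("type") == "aws_msk_cluster"
        and public_access_type(res.get("values", {})) in PUBLIC_TYPES
    ]


def main(argv):
    """Usage: python msk_public_check.py [show.json]; exits 1 on any finding."""
    doc = json.load(open(argv[1])) if len(argv) > 1 else PLAN
    hits = find_public_msk(doc)
    for addr in hits:
        print(f"FAIL {addr}: public_access.type is not DISABLED")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to check the embedded sample, or pass the file produced by `terraform show -json plan.tfplan > show.json`. Only `positive1` is reported; `negative1` is explicitly `DISABLED` and `negative2`, which omits the block, falls through to the default. A value that Terraform cannot know until apply is absent from `planned_values`, so it is also treated as the default; if that matters for your pipeline, inspect `resource_changes[].change.after_unknown` as well.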