Ensure MSK cluster encryption at rest and in transit is enabled

Error: MSK cluster encryption at rest and in transit is not enabled

Bridgecrew Policy ID: BC_AWS_GENERAL_32
Checkov Check ID: CKV_AWS_81
Severity: MEDIUM

MSK cluster encryption at rest and in transit is not enabled

Description

Amazon MSK integrates with AWS Key Management Service (KMS) for server-side encryption. When you create an MSK cluster, you can specify the AWS KMS CMK for Amazon MSK to use to encrypt your data at rest. If you don't specify a CMK, Amazon MSK creates an AWS managed CMK for you and uses it on your behalf.

We recommend using encryption in transit and at rest to secure your managed Kafka queue.

Fix - Runtime

CLI Command

Run the create-cluster command and use the encryption-info option to point to the file where you saved your configuration JSON.

aws kafka create-cluster
--cluster-name "ExampleClusterName"
--broker-node-group-info file://brokernodegroupinfo.json
--encryption-info file://encryptioninfo.json
--kafka-version "2.2.1"
--number-of-broker-nodes 3

Fix - Buildtime

Terraform

  • Resource: aws_msk_cluster
  • Arguments: encryption_info - (Optional) Configuration block for specifying encryption.
    encryption_in_transit - (Optional) Configuration block to specify encryption in transit. See below.
resource "aws_msk_cluster" "example" {
  cluster_name           = "example"
  ...
    + encryption_info {
  +    encryption_at_rest_kms_key_arn = aws_kms_key.kms.arn
  +   
    +    encryption_in_transit {
    +        client_broker = "TLS"
    +        in_cluster    = true 
  +     }
  + }
  ...
}

Did this page help you?