enable-in-transit-encryption
Default Severity: high
Explanation
Encryption should be forced for Kafka clusters, including for communication between nodes. This ensure sensitive data is kept private.
Possible Impact
Intercepted data can be read in transit
Suggested Resolution
Enable in transit encryption
Insecure Example
The following example will fail the aws-msk-enable-in-transit-encryption check.
resource "aws_msk_cluster" "bad_example" {
encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT"
in_cluster = true
}
}
}
Secure Example
The following example will pass the aws-msk-enable-in-transit-encryption check.
resource "aws_msk_cluster" "good_example" {
encryption_info {
encryption_in_transit {
client_broker = "TLS"
in_cluster = true
}
}
}