
An MSK cluster allows unencrypted data in transit.

Default Severity: high

Explanation

Encryption in transit should be enforced for MSK (Kafka) clusters, both between clients and brokers and between the brokers themselves, so that sensitive data cannot be read off the network. In the encryption_in_transit block, client_broker must be TLS (TLS_PLAINTEXT and PLAINTEXT both let brokers accept unencrypted client connections) and in_cluster must stay true. The AWS provider already defaults client_broker to TLS and in_cluster to true, so a cluster only fails this check when its configuration explicitly weakens those settings.

Possible Impact

Data intercepted on the network, between clients and brokers or (with in_cluster disabled) between broker nodes, can be read in transit.

Suggested Resolution

Enable in-transit encryption: set client_broker to TLS and leave in_cluster set to true.

Insecure Example

The following example will fail the aws-msk-enable-in-transit-encryption check.

 resource "aws_msk_cluster" "bad_example" {
   encryption_info {
     encryption_in_transit {
       client_broker = "TLS_PLAINTEXT" # brokers accept both TLS and plaintext client connections
       in_cluster    = true
     }
   }
 }

Secure Example

The following example will pass the aws-msk-enable-in-transit-encryption check.

 resource "aws_msk_cluster" "good_example" {
   encryption_info {
     encryption_in_transit {
       client_broker = "TLS" # clients must connect over TLS
       in_cluster    = true  # broker-to-broker traffic is encrypted
     }
   }
 }
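The rule behind this check, written out as an added Python example that is not tfsec's or trivy's own code: it scans Terraform text for aws_msk_cluster resources, reads client_broker and in_cluster with the AWS provider defaults applied (TLS and true), and reports any resource that weakens either setting. The HCL handling is a small brace-matching scan that assumes well-formed input with no braces inside string values, not a real HCL parser, and the sample configuration is constructed here from the two examples above plus two extra cases. Flagging in_cluster = false follows the explanation on this page; whether the upstream check reports that case separately is not stated here.

```python
"""Check aws_msk_cluster resources for unencrypted in-transit traffic.

Added example, not tfsec/trivy code. Rule: client_broker must be "TLS"
and in_cluster must be true. Provider defaults (client_broker = "TLS",
in_cluster = true) are applied, so an omitted encryption_in_transit
block passes. Assumption: input is well-formed HCL with no braces
inside string literals; the scan is regex plus brace matching only.
"""
import re

RESOURCE_RE = re.compile(r'resource\s+"aws_msk_cluster"\s+"([^"]+)"\s*\{')
CLIENT_BROKER_RE = re.compile(r'client_broker\s*=\s*"([A-Z_]+)"')
IN_CLUSTER_RE = re.compile(r'in_cluster\s*=\s*(true|false)')


def _block_body(text, open_brace):
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def msk_clusters(text):
    """Yield (resource_name, block_body) for every aws_msk_cluster resource."""
    for m in RESOURCE_RE.finditer(text):
        yield m.group(1), _block_body(text, m.end() - 1)


def encryption_in_transit(body):
    """Return (client_broker, in_cluster) for a resource body, defaults applied."""
    client_broker = "TLS"   # AWS provider default
    in_cluster = True       # AWS provider default
    m = CLIENT_BROKER_RE.search(body)
    if m:
        client_broker = m.group(1)
    m = IN_CLUSTER_RE.search(body)
    if m:
        in_cluster = m.group(1) == "true"
    return client_broker, in_cluster


def check(text):
    """Return (resource_name, message) findings; an empty list means pass."""
    findings = []
    for name, body in msk_clusters(text):
        client_broker, in_cluster = encryption_in_transit(body)
        if client_broker != "TLS":
            findings.append((name, f"client_broker is {client_broker}: "
                                   "brokers accept plaintext client connections"))
        if not in_cluster:
            findings.append((name, "in_cluster is false: "
                                   "broker-to-broker traffic is unencrypted"))
    return findings


# Constructed sample: the page's two examples plus an explicit PLAINTEXT
# cluster and one that omits the block entirely (provider defaults apply).
SAMPLE_TF = '''
resource "aws_msk_cluster" "bad_example" {
  encryption_info {
    encryption_in_transit {
      client_broker = "TLS_PLAINTEXT"
      in_cluster    = true
    }
  }
}

resource "aws_msk_cluster" "worst_example" {
  encryption_info {
    encryption_in_transit {
      client_broker = "PLAINTEXT"
      in_cluster    = false
    }
  }
}

resource "aws_msk_cluster" "good_example" {
  encryption_info {
    encryption_in_transit {
      client_broker = "TLS"
      in_cluster    = true
    }
  }
}

resource "aws_msk_cluster" "defaults_example" {
  # encryption_in_transit omitted; provider defaults apply
  cluster_name = "defaults"
}
'''

if __name__ == "__main__":
    for resource, message in check(SAMPLE_TF):
        print(f"FAIL aws_msk_cluster.{resource}: {message}")
```

Run against the sample, only bad_example (one finding) and worst_example (two findings) are reported; good_example and defaults_example pass. The defaults case is the one worth remembering when reading scan output: silence on a cluster with no encryption_in_transit block means the provider defaults are in effect, not that encryption was verified end to end.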