MSK nodes are not private
Description
This policy checks whether the broker nodes of an Amazon Managed Streaming for Apache Kafka (MSK) cluster are private, that is, whether public access to the brokers is disabled. The policy falls under the networking category. By default MSK brokers are reachable only from inside the cluster's VPC and from networks connected to it. Turning on public access gives every broker a service-provided public IP address, so any host on the internet can reach the broker listeners and the exposure is then limited only by the cluster's security groups and client authentication. AWS only permits public access on clusters that already have unauthenticated access turned off and encrypt client traffic with TLS, but an authenticated listener on the internet is still a far larger attack surface than one reachable only from the VPC, and it invites credential brute-forcing and exploitation of any future broker vulnerability. This policy therefore fails on any MSK cluster whose public access type is set to anything other than DISABLED.
Code Example
```hcl
resource "aws_msk_cluster" "example" {
  cluster_name           = "example-cluster"
  kafka_version          = "2.6.0"
  number_of_broker_nodes = 3

  broker_node_group_info {
    instance_type = "kafka.m5.large"
    # client_subnets and security_groups are also required here; they are
    # omitted because they are not relevant to this policy.

    connectivity_info {
      public_access {
        # DISABLED keeps the brokers reachable only from the VPC.
        type = "DISABLED"
      }
    }
  }
}
```
Remediation
Terraform
- Resource: aws_msk_cluster
- Arguments: broker_node_group_info.connectivity_info.public_access.type
To fix this issue, set the public access type of the cluster's broker node group to DISABLED, or omit the public_access block entirely, which leaves the AWS default of disabled. The only other value AWS accepts, SERVICE_PROVIDED_EIPS, assigns a public IP to every broker and is what this policy flags. The Code Example above shows a compliant Terraform configuration.
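The following Python script is an added example and is not part of the original page or of Checkov's own implementation. It applies the same rule to the JSON produced by `terraform show -json`, walking the root module and any child modules for `aws_msk_cluster` resources and reporting those whose `public_access.type` is `SERVICE_PROVIDED_EIPS`. It assumes the plan-JSON convention that nested blocks are rendered as lists of objects, and it treats a missing `public_access` block (or a missing `type`) as private because that is the AWS default. The plan document embedded below is constructed for the example.

```python
"""Added example (not part of the original page or of Checkov): scan a
`terraform show -json` plan for aws_msk_cluster resources whose brokers
would be publicly reachable. The plan document below is constructed."""
import json
from typing import Any, Iterator

# The two values AWS accepts for the MSK public access type.
PUBLIC = "SERVICE_PROVIDED_EIPS"
PRIVATE = "DISABLED"


def public_access_type(values: dict[str, Any]) -> str:
    """Return the effective public_access type of one aws_msk_cluster.

    Plan JSON renders every nested block as a list of objects, so the
    attribute lives at broker_node_group_info[0].connectivity_info[0]
    .public_access[0].type. The block is optional and AWS defaults to
    DISABLED, so a missing block or missing type counts as private.
    """
    node: dict[str, Any] = values
    for key in ("broker_node_group_info", "connectivity_info", "public_access"):
        block = node.get(key) or []
        if not block:
            return PRIVATE
        node = block[0]
    return node.get("type") or PRIVATE


def _walk(module: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)


def find_public_msk_clusters(plan: dict[str, Any]) -> list[str]:
    """Addresses of planned aws_msk_cluster resources that violate the policy."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return [
        res["address"]
        for res in _walk(root)
        if res.get("type") == "aws_msk_cluster"
        and public_access_type(res.get("values", {})) == PUBLIC
    ]


# Constructed plan: one public cluster, one explicitly private, one that
# omits the block entirely, and one public cluster inside a child module.
CONSTRUCTED_PLAN = json.loads("""
{
  "format_version": "1.2",
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "aws_msk_cluster.exposed", "type": "aws_msk_cluster", "name": "exposed",
         "values": {"cluster_name": "exposed", "broker_node_group_info": [
           {"connectivity_info": [{"public_access": [{"type": "SERVICE_PROVIDED_EIPS"}]}]}]}},
        {"address": "aws_msk_cluster.private", "type": "aws_msk_cluster", "name": "private",
         "values": {"cluster_name": "private", "broker_node_group_info": [
           {"connectivity_info": [{"public_access": [{"type": "DISABLED"}]}]}]}},
        {"address": "aws_msk_cluster.default", "type": "aws_msk_cluster", "name": "default",
         "values": {"cluster_name": "default", "broker_node_group_info": [
           {"instance_type": "kafka.m5.large"}]}}
      ],
      "child_modules": [
        {"address": "module.streaming", "resources": [
          {"address": "module.streaming.aws_msk_cluster.this", "type": "aws_msk_cluster",
           "name": "this", "values": {"broker_node_group_info": [
             {"connectivity_info": [{"public_access": [{"type": "SERVICE_PROVIDED_EIPS"}]}]}]}}
        ]}
      ]
    }
  }
}
""")

if __name__ == "__main__":
    for address in find_public_msk_clusters(CONSTRUCTED_PLAN):
        print(f"IAC-0339 FAILED: {address} sets public_access.type = {PUBLIC}")
```

Running the script against the constructed plan reports `aws_msk_cluster.exposed` and `module.streaming.aws_msk_cluster.this`; the explicitly disabled cluster and the one that never declares `public_access` both pass, which mirrors how the policy treats the AWS default.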
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0339 |
| Severity | HIGH |
| IaC Type | CloudFormation |
| Frameworks | Terraform, TerraformPlan, CloudFormation |
| Checkov ID | CKV_AWS_291 |