Amazon MSK cluster logging is not enabled
Description
Amazon MSK enables you to build and run applications that use Apache Kafka to process streaming data. It also provides a control plane for advanced operations such as creating, updating, and deleting clusters. Consistent cluster logging helps you determine whether a request was made with root or AWS Identity and Access Management (IAM) user credentials, and whether the request was made with temporary security credentials for a role or federated user.
Code Example
The `logging-info` JSON structure passed to `create-cluster` or `update-monitoring`, with all three broker-log destinations enabled:

```json
{
  "BrokerLogs": {
    "S3": {
      "Bucket": "ExampleBucketName",
      "Prefix": "ExamplePrefix",
      "Enabled": true
    },
    "Firehose": {
      "DeliveryStream": "ExampleDeliveryStreamName",
      "Enabled": true
    },
    "CloudWatchLogs": {
      "Enabled": true,
      "LogGroup": "ExampleLogGroupName"
    }
  }
}
```

Remediation
AWS Console

New Cluster:

1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
2. Open the [Amazon MSK console](https://console.aws.amazon.com/msk/).
3. Go to **Broker Log Delivery** in the **Monitoring** section.
4. Specify the destinations to which you want Amazon MSK to deliver your broker logs.

Existing Cluster:

1. In the [Amazon MSK console](https://console.aws.amazon.com/msk/), choose the cluster from your list of clusters.
2. Go to the **Details** tab, scroll down to the **Monitoring** section, and click **Edit**.
3. Specify the destinations to which you want Amazon MSK to deliver your broker logs.

CLI Command

When you use the [create-cluster](https://docs.aws.amazon.com/cli/latest/reference/kafka/create-cluster.html) or [update-monitoring](https://docs.aws.amazon.com/cli/latest/reference/kafka/update-monitoring.html) commands, you can optionally specify the `logging-info` parameter and pass it a JSON structure. In this JSON, all three destination types are optional.
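The following is an added example, not Checkov's own implementation of CKV_AWS_80 and not code from this page: an illustrative check that evaluates `AWS::MSK::Cluster` resources in a CloudFormation template and reports PASSED only when at least one destination under `LoggingInfo.BrokerLogs` has `Enabled` set to true. The property names follow the `AWS::MSK::Cluster` `LoggingInfo` schema (`CloudWatchLogs`, `Firehose`, `S3`); the sample template, the logical resource ids, and the helper names are constructed for the example. It deliberately treats a destination block whose `Enabled` flag is false, a missing `LoggingInfo`, and the string form `"true"` that CloudFormation accepts as the edge cases a scanner has to get right.

```python
"""Illustrative IaC check for MSK broker logging (added example, not Checkov's
CKV_AWS_80 source). Evaluates AWS::MSK::Cluster resources in a CloudFormation
template and reports PASSED when at least one broker-log destination is enabled.
Property names follow the AWS::MSK::Cluster LoggingInfo schema."""
import json

# The three broker-log destinations MSK supports under LoggingInfo.BrokerLogs
DESTINATIONS = ("CloudWatchLogs", "Firehose", "S3")


def _is_true(value) -> bool:
    # CloudFormation accepts a boolean or the strings "true"/"false"
    return str(value).strip().lower() == "true"


def broker_logging_enabled(resource: dict) -> bool:
    """True if any destination under LoggingInfo.BrokerLogs has Enabled: true."""
    props = resource.get("Properties") or {}
    logging_info = props.get("LoggingInfo") or {}
    broker_logs = logging_info.get("BrokerLogs") or {}
    if not isinstance(broker_logs, dict):
        return False
    for dest in DESTINATIONS:
        cfg = broker_logs.get(dest)
        # A destination block counts only when its Enabled flag is actually true
        if isinstance(cfg, dict) and _is_true(cfg.get("Enabled", False)):
            return True
    return False


def evaluate_template(template: dict) -> dict:
    """Map each AWS::MSK::Cluster logical id to PASSED or FAILED."""
    results = {}
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != "AWS::MSK::Cluster":
            continue  # other resource types are out of scope for this check
        results[logical_id] = "PASSED" if broker_logging_enabled(resource) else "FAILED"
    return results


# Constructed sample template: one compliant cluster, one with a destination
# block whose Enabled flag is false, one with no LoggingInfo at all, and one
# non-MSK resource that the check must ignore.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "LoggedCluster": {
      "Type": "AWS::MSK::Cluster",
      "Properties": {
        "ClusterName": "example-logged",
        "LoggingInfo": {
          "BrokerLogs": {
            "CloudWatchLogs": {"Enabled": "true", "LogGroup": "ExampleLogGroupName"}
          }
        }
      }
    },
    "DisabledCluster": {
      "Type": "AWS::MSK::Cluster",
      "Properties": {
        "ClusterName": "example-disabled",
        "LoggingInfo": {
          "BrokerLogs": {
            "S3": {"Enabled": false, "Bucket": "ExampleBucketName", "Prefix": "ExamplePrefix"}
          }
        }
      }
    },
    "SilentCluster": {
      "Type": "AWS::MSK::Cluster",
      "Properties": {"ClusterName": "example-silent"}
    },
    "NotAnMskResource": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "ExampleBucketName"}
    }
  }
}
""")

if __name__ == "__main__":
    for name, verdict in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {verdict}")
```

Running the module prints a verdict per MSK cluster; `DisabledCluster` fails even though it has an S3 block, because the presence of a destination is not the same as logging being enabled, and `SilentCluster` fails because it has no `LoggingInfo` at all.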
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0133 |
| Severity | MEDIUM |
| IaC Type | CloudFormation |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_80 |