AWS MSK cluster encryption in transit is not enabled
Description
This policy identifies AWS Managed Streaming for Apache Kafka clusters having in-transit encryption in a disabled state.
MSK in-transit encryption has two scopes: `client_broker` covers traffic between Kafka clients and the brokers, and `in_cluster` covers replication traffic between the brokers themselves. When either is left in plaintext, topic payloads and Kafka protocol metadata cross the VPC network unencrypted, so anyone able to capture traffic on that network (for example from a compromised host in the same subnets) can read or tamper with them.
It is recommended to require TLS for client connections (`client_broker = "TLS"`) and to enable broker-to-broker encryption (`in_cluster = true`). This ensures that all data exchanged with and within the cluster is encrypted, protecting it from eavesdropping and unauthorized access.
Code Example
```hcl
resource "aws_msk_cluster" "example" {
  cluster_name = "example"
  ...
+ encryption_info {
+   encryption_at_rest_kms_key_arn = aws_kms_key.kms.arn
+
+   encryption_in_transit {
+     client_broker = "TLS"
+     in_cluster    = true
+   }
+ }
  ...
}
```
Remediation
Terraform
To fix this issue, ensure that the `encryption_info` block in the `aws_msk_cluster` resource contains an `encryption_in_transit` block with `client_broker` set to `"TLS"` and `in_cluster` set to `true`. The provider accepts `TLS`, `TLS_PLAINTEXT` and `PLAINTEXT` for `client_broker`; only `TLS` disables the plaintext client listener, so `TLS_PLAINTEXT` is still non-compliant. In the Terraform AWS provider both attributes already default to these values, so a cluster is only flagged when they have been set to something weaker explicitly. Note that once `client_broker` is `TLS`, clients must connect to the TLS bootstrap endpoints (port 9094) rather than the plaintext ones (port 9092), so client configuration should be updated alongside the cluster. The `encryption_at_rest_kms_key_arn` attribute shown in the example controls encryption at rest and is not required by this rule.
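The rule above can also be applied to a plan before it is ever applied, which is what the TerraformPlan framework does. The following is an added example, not code from the page, from Checkov or from the Terraform provider: it reads the JSON produced by `terraform show -json tfplan`, walks every `aws_msk_cluster` in the root and child modules, and reports the ones whose `encryption_in_transit` settings allow plaintext. The sample plan embedded at the bottom is constructed for the example and covers four cases: a `TLS_PLAINTEXT` cluster, a hardened cluster, a cluster that omits the block entirely (treated as compliant because the provider defaults apply), and a cluster inside a child module with `in_cluster = false`.

```python
"""Evaluate the MSK encryption-in-transit rule against a Terraform plan.

Added example: reads `terraform show -json` output and returns PASSED/FAILED
per aws_msk_cluster. Nested blocks appear as lists in plan JSON, and an
omitted block is an empty list, which the helpers below treat as "unset".
"""
import json

ALLOWED_CLIENT_BROKER = "TLS"  # the only value that removes the plaintext listener


def _walk_modules(module):
    """Yield every resource in a planned_values module tree (root + children)."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def in_transit_settings(values):
    """Return (client_broker, in_cluster) for one cluster, None where unset."""
    enc = (values.get("encryption_info") or [{}])[0]
    transit = (enc.get("encryption_in_transit") or [{}])[0]
    return transit.get("client_broker"), transit.get("in_cluster")


def evaluate_cluster(values, treat_missing_as_provider_default=True):
    """Return 'PASSED' or 'FAILED' for one cluster's planned values.

    The Terraform AWS provider defaults client_broker to "TLS" and in_cluster
    to true, so an omitted block passes unless a stricter reading is requested.
    """
    client_broker, in_cluster = in_transit_settings(values)
    if client_broker is None and in_cluster is None:
        return "PASSED" if treat_missing_as_provider_default else "FAILED"
    if client_broker is not None and client_broker != ALLOWED_CLIENT_BROKER:
        return "FAILED"  # TLS_PLAINTEXT or PLAINTEXT keeps a cleartext listener
    if in_cluster is False:
        return "FAILED"  # broker-to-broker replication would be unencrypted
    return "PASSED"


def scan_plan(plan):
    """Map each aws_msk_cluster address in the plan to its verdict."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return {
        res["address"]: evaluate_cluster(res.get("values", {}))
        for res in _walk_modules(root)
        if res.get("type") == "aws_msk_cluster"
    }


# Constructed sample plan (shape of `terraform show -json`, trimmed to the
# attributes this rule inspects); not output from a real environment.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_msk_cluster.plaintext", "type": "aws_msk_cluster",
     "values": {"cluster_name": "plaintext", "encryption_info": [
       {"encryption_in_transit": [{"client_broker": "TLS_PLAINTEXT", "in_cluster": true}]}]}},
    {"address": "aws_msk_cluster.hardened", "type": "aws_msk_cluster",
     "values": {"cluster_name": "hardened", "encryption_info": [
       {"encryption_in_transit": [{"client_broker": "TLS", "in_cluster": true}]}]}},
    {"address": "aws_msk_cluster.defaults", "type": "aws_msk_cluster",
     "values": {"cluster_name": "defaults", "encryption_info": []}}
  ],
  "child_modules": [
    {"address": "module.kafka", "resources": [
      {"address": "module.kafka.aws_msk_cluster.broker_plain", "type": "aws_msk_cluster",
       "values": {"cluster_name": "broker_plain", "encryption_info": [
         {"encryption_in_transit": [{"client_broker": "TLS", "in_cluster": false}]}]}}
    ]}
  ]
}}}
""")


if __name__ == "__main__":
    for address, verdict in scan_plan(SAMPLE_PLAN).items():
        print(f"{verdict:6} {address}")
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and pass the parsed file to `scan_plan`. Treating an omitted block as compliant mirrors the provider defaults; pass `treat_missing_as_provider_default=False` to `evaluate_cluster` if the organisation requires the settings to be declared explicitly.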
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0134 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_81 |