From 2f7eec8bca44d6576d692d9b2b3588bb697b881d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?= Date: Mon, 15 Dec 2025 13:13:47 +0100 Subject: [PATCH] chore(aws): enhance metadata for `kafka` service (#9261) Co-authored-by: Daniel Barranquero --- prowler/CHANGELOG.md | 1 + ..._encryption_at_rest_uses_cmk.metadata.json | 37 ++++++++++------ ..._enhanced_monitoring_enabled.metadata.json | 38 ++++++++++------- ...n_transit_encryption_enabled.metadata.json | 38 ++++++++++------- .../kafka_cluster_is_public.metadata.json | 37 +++++++++------- ...l_tls_authentication_enabled.metadata.json | 41 +++++++++++------- ...unrestricted_access_disabled.metadata.json | 42 ++++++++++++------- ..._cluster_uses_latest_version.metadata.json | 37 +++++++++------- ...n_transit_encryption_enabled.metadata.json | 31 ++++++++------ 9 files changed, 189 insertions(+), 113 deletions(-) diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index 03eacc6693..a590361d40 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -11,6 +11,7 @@ All notable changes to the **Prowler SDK** are documented in this file. ### Changed - Update AWS Glue service metadata to new format [(#9258)](https://github.com/prowler-cloud/prowler/pull/9258) +- Update AWS Kafka service metadata to new format [(#9261)](https://github.com/prowler-cloud/prowler/pull/9261) --- diff --git a/prowler/providers/aws/services/kafka/kafka_cluster_encryption_at_rest_uses_cmk/kafka_cluster_encryption_at_rest_uses_cmk.metadata.json b/prowler/providers/aws/services/kafka/kafka_cluster_encryption_at_rest_uses_cmk/kafka_cluster_encryption_at_rest_uses_cmk.metadata.json index 9154bfd8d0..9472dcf3e9 100644 --- a/prowler/providers/aws/services/kafka/kafka_cluster_encryption_at_rest_uses_cmk/kafka_cluster_encryption_at_rest_uses_cmk.metadata.json +++ b/prowler/providers/aws/services/kafka/kafka_cluster_encryption_at_rest_uses_cmk/kafka_cluster_encryption_at_rest_uses_cmk.metadata.json 
@@ -1,31 +1,42 @@ { "Provider": "aws", "CheckID": "kafka_cluster_encryption_at_rest_uses_cmk", - "CheckTitle": "Ensure Kafka Cluster Encryption at Rest Uses Customer Managed Keys (CMK)", + "CheckTitle": "Kafka cluster has encryption at rest enabled with a customer managed key (CMK) or is serverless", "CheckType": [ - "Infrastructure Security" + "Software and Configuration Checks/AWS Security Best Practices/Data Encryption", + "Industry and Regulatory Standards/AWS Foundational Security Best Practices", + "Industry and Regulatory Standards/NIST 800-53 Controls (USA)", + "Industry and Regulatory Standards/PCI-DSS", + "Effects/Data Exposure" ], "ServiceName": "kafka", - "SubServiceName": "Kafka Cluster", - "ResourceIdTemplate": "arn:partition:kafka:region:account-id:cluster", + "SubServiceName": "", + "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "AwsMskCluster", - "Description": "Kafka Cluster data stored at rest should be encrypted using Customer Managed Keys (CMK) for enhanced security and control over the encryption process.", - "Risk": "Using default AWS-managed encryption keys might not meet certain compliance or regulatory requirements. With CMKs, you have more control over the encryption process and can rotate keys, define access policies, and enable key auditing.", - "RelatedUrl": "https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html", + "Description": "Amazon MSK clusters are inspected for **encryption at rest** using a **customer-managed KMS key** for data volumes. Serverless clusters are inherently encrypted. Provisioned clusters are recognized only when the configured `DataVolumeKMSKeyId` corresponds to a customer-managed key.", + "Risk": "Relying on service-managed keys weakens **confidentiality** and **accountability**: you can't enforce granular key policies, separation of duties, or independent rotation. 
This limits incident response (e.g., disabling the key for crypto-shredding) and reduces auditability, increasing impact of credential misuse or broker compromise.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/msk-encryption-at-rest-with-cmk.html", + "https://docs.aws.amazon.com/msk/latest/developerguide/msk-working-with-encryption.html" + ], "Remediation": { "Code": { "CLI": "", - "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/msk-encryption-at-rest-with-cmk.html", - "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_32/#terraform" + "NativeIaC": "```yaml\n# CloudFormation: MSK cluster using a customer managed KMS key for encryption at rest\nResources:\n :\n Type: AWS::MSK::Cluster\n Properties:\n ClusterName: \n KafkaVersion: \n NumberOfBrokerNodes: 2\n BrokerNodeGroupInfo:\n InstanceType: kafka.m5.large\n ClientSubnets:\n - \n - \n SecurityGroups:\n - \n EncryptionInfo:\n EncryptionAtRest:\n DataVolumeKMSKeyId: # Critical: use a customer managed KMS key ARN to enable CMK encryption at rest\n```", + "Other": "1. In the AWS Console, go to Amazon MSK > Clusters\n2. Click Create cluster\n3. Choose Provisioned (or choose Serverless to pass by default)\n4. In Encryption settings, for At-rest encryption, select Customer managed key and choose your CMK (not alias/aws/kafka)\n5. 
Create the cluster, migrate clients to it, then delete the old cluster that used the AWS managed key", + "Terraform": "```hcl\n# MSK cluster using a customer managed KMS key for encryption at rest\nresource \"aws_msk_cluster\" \"\" {\n cluster_name = \"\"\n kafka_version = \"\"\n number_of_broker_nodes = 2\n\n broker_node_group_info {\n instance_type = \"kafka.m5.large\"\n client_subnets = [\"\", \"\"]\n security_groups = [\"\"]\n }\n\n encryption_info {\n encryption_at_rest_kms_key_arn = \"\" # Critical: customer managed KMS key to pass the check\n }\n}\n```" }, "Recommendation": { - "Text": "It is recommended to use Customer Managed Keys (CMK) for Kafka Cluster encryption at rest to maintain control and flexibility over the encryption process.", - "Url": "https://docs.aws.amazon.com/msk/latest/developerguide/msk-working-with-encryption.html" + "Text": "Use a **customer-managed KMS key** for MSK at-rest encryption. Apply **least privilege** in key policies and grants, enable **key rotation**, and log key use for auditing. Enforce **separation of duties** between MSK admins and KMS key custodians, and regularly review access, aliases, and pending-deletion states.", + "Url": "https://hub.prowler.com/check/kafka_cluster_encryption_at_rest_uses_cmk" } }, - "Categories": [], + "Categories": [ + "encryption" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/kafka/kafka_cluster_enhanced_monitoring_enabled/kafka_cluster_enhanced_monitoring_enabled.metadata.json b/prowler/providers/aws/services/kafka/kafka_cluster_enhanced_monitoring_enabled/kafka_cluster_enhanced_monitoring_enabled.metadata.json index 007644fa7c..197dce1a8b 100644 --- a/prowler/providers/aws/services/kafka/kafka_cluster_enhanced_monitoring_enabled/kafka_cluster_enhanced_monitoring_enabled.metadata.json +++ b/prowler/providers/aws/services/kafka/kafka_cluster_enhanced_monitoring_enabled/kafka_cluster_enhanced_monitoring_enabled.metadata.json 
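Review bot: The new `CheckType` entries for AWS Foundational Security Best Practices, NIST 800-53 and PCI-DSS omit the ASFF namespace, while the enhanced-monitoring and in-transit metadata in this same change write `Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices`; if these strings are mapped to Security Hub finding types, the un-prefixed form will not fit the namespace/category/classifier shape, so I would align them to `Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS` and likewise for the other two. The `Risk` text also overstates the finding: with the AWS-managed `aws/kafka` key the data volumes are still encrypted, so what is lost is control over the key (scoped key policies and grants, cross-account use, per-key CloudTrail attribution, disabling the key for crypto-shredding), not confidentiality as such; suggest `Relying on the AWS-managed key keeps volumes encrypted but leaves you no control over the key: you cannot scope key policies or grants, enforce separation of duties, or disable the key to crypto-shred data.` Since the at-rest setting is immutable (the console steps already say a new cluster is needed), `Recommendation` could add that the CMK's key policy typically has to allow MSK to use the key before the replacement cluster is created, which is the usual cause of a failed rebuild.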
@@ -1,29 +1,39 @@ { "Provider": "aws", "CheckID": "kafka_cluster_enhanced_monitoring_enabled", - "CheckTitle": "Ensure Enhanced Monitoring is Enabled for MSK (Kafka) Brokers", - "CheckType": [], + "CheckTitle": "Amazon MSK cluster has enhanced monitoring enabled", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices" + ], "ServiceName": "kafka", - "SubServiceName": "cluster", - "ResourceIdTemplate": "arn:partition:kafka:region:account-id:cluster", + "SubServiceName": "", + "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "AwsMskCluster", - "Description": "Enhanced monitoring provides additional visibility into the performance and behavior of MSK (Kafka) brokers. By enabling enhanced monitoring, you can gain insights into potential issues and optimize the performance of your Kafka clusters.", - "Risk": "Without enhanced monitoring, you may have limited visibility into the performance and health of your MSK brokers, which could lead to undetected issues and potential performance degradation.", - "RelatedUrl": "https://docs.aws.amazon.com/msk/latest/developerguide/monitoring.html", + "Description": "**Amazon MSK clusters** are assessed for **enhanced monitoring** levels beyond `DEFAULT` (e.g., `PER_BROKER`, `PER_TOPIC_PER_BROKER`, `PER_TOPIC_PER_PARTITION`).\n\n*Serverless clusters* include enhanced monitoring by design; provisioned clusters are evaluated by their configured monitoring level.", + "Risk": "Insufficient metrics limit visibility into **broker health**, **replication state**, and **consumer lag**, delaying response to incidents.\n\nThis increases risk of **availability loss** (saturation, throttling) and can mask **integrity issues** such as under-replicated partitions, raising data-loss impact during failures.", + "RelatedUrl": "", + "AdditionalURLs": [ + 
"https://docs.aws.amazon.com/msk/latest/developerguide/metrics-details.html", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/enable-enhanced-monitoring-for-apache-kafka-brokers.html#", + "https://docs.aws.amazon.com/msk/latest/developerguide/monitoring.html" + ], "Remediation": { "Code": { - "CLI": "aws kafka update-monitoring --region region_cluster --cluster-arn arn_cluster --current-version version_cluster --enhanced-monitoring PER_BROKER", - "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/enable-enhanced-monitoring-for-apache-kafka-brokers.html#", - "Terraform": "" + "CLI": "aws kafka update-monitoring --cluster-arn --current-version --enhanced-monitoring PER_BROKER", + "NativeIaC": "```yaml\n# CloudFormation: Enable enhanced monitoring on an MSK cluster\nResources:\n :\n Type: AWS::MSK::Cluster\n Properties:\n ClusterName: \n KafkaVersion: \n NumberOfBrokerNodes: 2\n BrokerNodeGroupInfo:\n ClientSubnets:\n - \n - \n InstanceType: kafka.t3.small\n EnhancedMonitoring: PER_BROKER # Critical: sets enhanced monitoring above DEFAULT to pass the check\n```", + "Other": "1. Open the AWS Console and go to Amazon MSK\n2. Select your provisioned cluster\n3. Click Edit\n4. Under Monitoring, set Enhanced monitoring to PER_BROKER (or higher)\n5. 
Save changes and wait for the update to complete", + "Terraform": "```hcl\n# Terraform: Enable enhanced monitoring on an MSK cluster\nresource \"aws_msk_cluster\" \"\" {\n cluster_name = \"\"\n kafka_version = \"\"\n number_of_broker_nodes = 2\n\n broker_node_group_info {\n instance_type = \"kafka.t3.small\"\n client_subnets = [\"\", \"\"]\n }\n\n enhanced_monitoring = \"PER_BROKER\" # Critical: sets monitoring above DEFAULT to pass the check\n}\n```" }, "Recommendation": { - "Text": "It is recommended to enable enhanced monitoring for MSK (Kafka) brokers to gain deeper insights into the performance and behavior of your clusters.", - "Url": "https://docs.aws.amazon.com/msk/latest/developerguide/metrics-details.html" + "Text": "Select an enhanced level (e.g., `PER_BROKER` or finer) and establish **observability**: prioritize telemetry for broker resources, replication health, and consumer lag. Configure alerts and dashboards aligned to SLOs to enable proactive scaling and rapid incident containment. *Balance granularity with cost*.", + "Url": "https://hub.prowler.com/check/kafka_cluster_enhanced_monitoring_enabled" } }, - "Categories": [], + "Categories": [ + "logging" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/kafka/kafka_cluster_in_transit_encryption_enabled/kafka_cluster_in_transit_encryption_enabled.metadata.json b/prowler/providers/aws/services/kafka/kafka_cluster_in_transit_encryption_enabled/kafka_cluster_in_transit_encryption_enabled.metadata.json index 89270e2670..02948f20fc 100644 --- a/prowler/providers/aws/services/kafka/kafka_cluster_in_transit_encryption_enabled/kafka_cluster_in_transit_encryption_enabled.metadata.json +++ b/prowler/providers/aws/services/kafka/kafka_cluster_in_transit_encryption_enabled/kafka_cluster_in_transit_encryption_enabled.metadata.json 
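Review bot: `Categories` is set to `logging` and the `Risk`/`Recommendation` text is framed around incident response, but enhanced monitoring only raises CloudWatch metric granularity (`PER_BROKER` and finer); broker log delivery and API auditing are separate settings that this metadata never mentions, so a reader may believe the control gives them audit telemetry it does not. I would add to `Description`: `This check evaluates CloudWatch metric granularity only; broker log delivery (LoggingInfo) and CloudTrail API logging are configured separately and are not assessed here.` The CLI example also passes `--current-version`, which for `update-monitoring` is the cluster's configuration version returned by `describe-cluster`, not the Kafka version; a short parenthetical there would prevent the mix-up with the version-upgrade command elsewhere in this service.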
@@ -1,31 +1,39 @@ { "Provider": "aws", "CheckID": "kafka_cluster_in_transit_encryption_enabled", - "CheckTitle": "Ensure Kafka Cluster Encryption in Transit is Enabled", + "CheckTitle": "Kafka cluster has encryption in transit enabled", "CheckType": [ - "Infrastructure Security" + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices" ], "ServiceName": "kafka", - "SubServiceName": "cluster", - "ResourceIdTemplate": "arn:partition:kafka:region:account-id:cluster", - "Severity": "medium", + "SubServiceName": "", + "ResourceIdTemplate": "", + "Severity": "high", "ResourceType": "AwsMskCluster", - "Description": "Kafka clusters should have encryption in transit enabled to protect data as it travels across the network. This ensures that data is encrypted when transmitted between clients and brokers, preventing unauthorized access or data breaches.", - "Risk": "If encryption in transit is not enabled, data transmitted over the network could be vulnerable to eavesdropping or man-in-the-middle attacks.", - "RelatedUrl": "https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html", + "Description": "**Amazon MSK clusters** are evaluated for **encryption in transit** on both paths: **clientbroker** set to `TLS` only and **inter-broker** encryption enabled. 
*Serverless clusters provide this by default*.\n\nThe finding highlights clusters where client-broker traffic isn't `TLS`-only or inter-broker encryption is turned off.", + "Risk": "Unencrypted or mixed (`TLS_PLAINTEXT`/`PLAINTEXT`) traffic enables interception of records, credentials, and metadata, supporting **MITM**, replay, and message tampering.\n\nPlaintext inter-broker links expose replication data within the VPC, enabling **lateral movement** and topic poisoning, degrading data **confidentiality** and **integrity**.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html", + "https://docs.aws.amazon.com/msk/latest/developerguide/msk-working-with-encryption.html", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/encryption-in-transit-for-msk.html" + ], "Remediation": { "Code": { - "CLI": "aws kafka create-cluster --cluster-name --broker-node-group-info --encryption-info --kafka-version --number-of-broker-nodes ", - "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/encryption-in-transit-for-msk.html", - "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_32/#terraform" + "CLI": "", + "NativeIaC": "```yaml\n# CloudFormation: MSK cluster with encryption in transit enforced\nResources:\n :\n Type: AWS::MSK::Cluster\n Properties:\n ClusterName: \n KafkaVersion: \n NumberOfBrokerNodes: 3\n BrokerNodeGroupInfo:\n ClientSubnets:\n - \n - \n InstanceType: kafka.m5.large\n EncryptionInfo:\n EncryptionInTransit:\n ClientBroker: TLS # Critical: forces client-to-broker TLS only\n InCluster: true # Critical: enables inter-broker encryption\n```", + "Other": "1. In the AWS Console, go to Amazon MSK > Clusters and select your cluster\n2. Click Edit (Security)\n3. Under Encryption in transit, set Client-broker to TLS only\n4. Save changes\n5. 
Verify Inter-broker (in-cluster) encryption is enabled; if it is disabled (immutable), create a new cluster with:\n - Encryption in transit: Client-broker = TLS only, Inter-broker encryption = Enabled\n - Migrate clients to the new cluster, then decommission the old one", + "Terraform": "```hcl\n# Terraform: MSK cluster with encryption in transit enforced\nresource \"aws_msk_cluster\" \"\" {\n cluster_name = \"\"\n kafka_version = \"\"\n number_of_broker_nodes = 3\n\n broker_node_group_info {\n instance_type = \"kafka.m5.large\"\n client_subnets = [\n \"subnet-\",\n \"subnet-\",\n ]\n }\n\n encryption_info {\n encryption_in_transit {\n client_broker = \"TLS\" # Critical: forces client-to-broker TLS only\n in_cluster = true # Critical: enables inter-broker encryption\n }\n }\n}\n```" }, "Recommendation": { - "Text": "It is recommended to enable encryption in transit for Kafka clusters to protect data confidentiality and integrity.", - "Url": "https://docs.aws.amazon.com/msk/latest/developerguide/msk-working-with-encryption.html" + "Text": "Enforce end-to-end transport protection:\n- Require `client_broker=TLS` for all clients\n- Enable `in_cluster=true` for broker-to-broker links\n\nApply **defense in depth**: restrict network paths, prefer private connectivity, and use strong client authentication with **least privilege** authorization to limit blast radius.", + "Url": "https://hub.prowler.com/check/kafka_cluster_in_transit_encryption_enabled" } }, - "Categories": [], + "Categories": [ + "encryption" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/kafka/kafka_cluster_is_public/kafka_cluster_is_public.metadata.json b/prowler/providers/aws/services/kafka/kafka_cluster_is_public/kafka_cluster_is_public.metadata.json index 8ee6a68187..03b81275e8 100644 --- a/prowler/providers/aws/services/kafka/kafka_cluster_is_public/kafka_cluster_is_public.metadata.json 
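Review bot: `Description` reads `**clientbroker** set to TLS only` — the hyphen was lost, and the rest of the file uses `client-broker`; change it to `**client-broker** set to TLS only`. The `CLI` field was emptied even though the client-broker half of this finding is updatable in place (the console steps in this same hunk edit it under Security), and the mutual-TLS metadata in this change already shows the call: `aws kafka update-security --cluster-arn <arn> --current-version <version> --encryption-info 'EncryptionInTransit={ClientBroker=TLS}'`; I would include it here with a note that `InCluster` cannot be changed after creation, so that half still needs a rebuild. The `Risk` claim that plaintext inter-broker links enable `lateral movement` is a stretch — sniffing replication traffic exposes data but does not by itself give a foothold on another host; `exposes replication data to anyone already positioned in the VPC` is more accurate.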
+++ b/prowler/providers/aws/services/kafka/kafka_cluster_is_public/kafka_cluster_is_public.metadata.json 
@@ -1,26 +1,35 @@ { "Provider": "aws", "CheckID": "kafka_cluster_is_public", - "CheckTitle": "Kafka Cluster Exposed to the Public", - "CheckType": [], + "CheckTitle": "Kafka cluster is not publicly accessible", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices/Network Reachability", + "TTPs/Initial Access", + "Effects/Data Exposure" + ], "ServiceName": "kafka", - "SubServiceName": "cluster", - "ResourceIdTemplate": "arn:partition:kafka:region:account-id:cluster", - "Severity": "high", + "SubServiceName": "", + "ResourceIdTemplate": "", + "Severity": "critical", "ResourceType": "AwsMskCluster", - "Description": "The Kafka cluster is publicly accessible, which can expose sensitive data and increase the attack surface.", - "Risk": "Exposing the Kafka cluster to the public can lead to unauthorized access, data breaches, and potential security threats.", - "RelatedUrl": "https://docs.aws.amazon.com/msk/latest/developerguide/client-access.html", + "Description": "**Amazon MSK clusters** with broker endpoints **exposed to the public Internet**.\n\nServerless clusters are private by default; provisioned clusters are evaluated for their `public access` configuration.", + "Risk": "Public brokers erode **CIA**:\n- **Confidentiality**: unauthorized consumers can read topics\n- **Integrity**: rogue producers inject or alter events\n- **Availability**: floods or scans strain brokers\n\nThis enables metadata enumeration, data exfiltration, stream poisoning, and costly egress.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/msk/latest/developerguide/public-access.html", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/public-access-msk-cluster.html", + "https://docs.aws.amazon.com/msk/latest/developerguide/client-access.html" + ], "Remediation": { "Code": { - "CLI": "aws kafka update-connectivity --cluster-arn cluster_arn --current-version kafka_version --connectivity-info '{\"PublicAccess\": 
{\"Type\": \"DISABLED\"}}'", - "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/public-access-msk-cluster.html", - "Terraform": "" + "CLI": "aws kafka update-connectivity --cluster-arn --current-version --connectivity-info '{\"PublicAccess\":{\"Type\":\"DISABLED\"}}'", + "NativeIaC": "```yaml\n# CloudFormation: ensure MSK cluster is not publicly accessible\nResources:\n :\n Type: AWS::MSK::Cluster\n Properties:\n ClusterName: \n KafkaVersion: \"2.8.1\"\n NumberOfBrokerNodes: 2\n BrokerNodeGroupInfo:\n ClientSubnets:\n - \n - \n InstanceType: kafka.t3.small\n ConnectivityInfo:\n PublicAccess:\n Type: DISABLED # Critical: disables public access to brokers\n```", + "Other": "1. Open the Amazon MSK console\n2. Select your cluster and go to the Properties tab\n3. In Network settings, click Edit public access\n4. Set Public access to Disabled (Off)\n5. Click Save changes", + "Terraform": "```hcl\n# Terraform: ensure MSK cluster is not publicly accessible\nresource \"aws_msk_cluster\" \"\" {\n cluster_name = \"\"\n kafka_version = \"2.8.1\"\n number_of_broker_nodes = 2\n\n broker_node_group_info {\n client_subnets = [\n \"\",\n \"\",\n ]\n instance_type = \"kafka.t3.small\"\n\n connectivity_info {\n public_access {\n type = \"DISABLED\" # Critical: disables public access to brokers\n }\n }\n }\n}\n```" }, "Recommendation": { - "Text": "It is recommended to restrict access to the Kafka cluster to only authorized entities. Enable encryption for data in transit and at rest to protect sensitive information.", - "Url": "https://docs.aws.amazon.com/msk/latest/developerguide/public-access.html" + "Text": "Keep brokers private within the VPC by disabling public access and limiting exposure to trusted networks.\n\nEnforce strong auth (SASL/IAM, SASL/SCRAM, or mTLS), require TLS, and apply Kafka ACLs. Provide access via VPN, bastion, or private networking (peering/Transit Gateway). 
Apply **least privilege** and monitor broker connections.", + "Url": "https://hub.prowler.com/check/kafka_cluster_is_public" } }, "Categories": [ diff --git a/prowler/providers/aws/services/kafka/kafka_cluster_mutual_tls_authentication_enabled/kafka_cluster_mutual_tls_authentication_enabled.metadata.json b/prowler/providers/aws/services/kafka/kafka_cluster_mutual_tls_authentication_enabled/kafka_cluster_mutual_tls_authentication_enabled.metadata.json index 5f995fde9b..976289e320 100644 --- a/prowler/providers/aws/services/kafka/kafka_cluster_mutual_tls_authentication_enabled/kafka_cluster_mutual_tls_authentication_enabled.metadata.json +++ b/prowler/providers/aws/services/kafka/kafka_cluster_mutual_tls_authentication_enabled/kafka_cluster_mutual_tls_authentication_enabled.metadata.json 
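Review bot: Both IaC examples pin `KafkaVersion: "2.8.1"` / `kafka_version = "2.8.1"`, whereas every other remediation in this change uses a placeholder; a user who copies this template to fix public access is likely to be flagged next by `kafka_cluster_uses_latest_version` from the same service, and 2.8.x appears to be outside MSK's current support window (confirm against the version-support page linked from that check). Replace the literal with the same placeholder the other snippets use. `Recommendation` could also state that disabling public access does not by itself restrict reachability — broker security groups still decide who inside the VPC can connect — e.g. `Disabling public access only removes the public endpoints; still restrict the broker security groups to known producer/consumer security groups or CIDRs.` As far as I recall MSK only allows public access on clusters that already require authentication and TLS; if so, that mitigating factor is worth a line in `Notes` given the move to `critical`.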
@@ -1,29 +1,40 @@ { "Provider": "aws", "CheckID": "kafka_cluster_mutual_tls_authentication_enabled", - "CheckTitle": "Ensure Mutual TLS Authentication is Enabled for Kafka Cluster", - "CheckType": [], + "CheckTitle": "Kafka cluster has TLS authentication enabled", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices", + "TTPs/Initial Access" + ], "ServiceName": "kafka", - "SubServiceName": "cluster", - "ResourceIdTemplate": "arn:partition:kafka:region:account-id:cluster", - "Severity": "medium", + "SubServiceName": "", + "ResourceIdTemplate": "", + "Severity": "high", "ResourceType": "AwsMskCluster", - "Description": "Mutual TLS Authentication ensures that both the client and the server are authenticated, providing an additional layer of security for communication within the Kafka cluster.", - "Risk": "Without Mutual TLS Authentication, the cluster is vulnerable to man-in-the-middle attacks, and unauthorized clients may be able to access the cluster.", - "RelatedUrl": "https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html", + "Description": "Amazon MSK clusters enforce **client authentication** on client-to-broker connections. Serverless clusters use TLS-based authentication by default; provisioned clusters must have **mutual TLS (mTLS)** explicitly enabled.", + "Risk": "Without **mTLS**, adversaries can impersonate clients or intercept sessions, compromising **confidentiality** and **integrity**. 
Unauthorized producers/consumers can read or alter topics, poison data streams, and flood brokers, degrading **availability** and impacting downstream systems.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/enable-mutual-tls-authentication-for-kafka-clients.html", + "https://docs.aws.amazon.com/msk/latest/developerguide/msk-update-security.html", + "https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html" + ], "Remediation": { "Code": { - "CLI": "", - "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/enable-mutual-tls-authentication-for-kafka-clients.html", - "Terraform": "" + "CLI": "aws kafka update-security --cluster-arn --current-version --client-authentication 'Tls={CertificateAuthorityArnList=[\"\"]}' --encryption-info 'EncryptionInTransit={ClientBroker=TLS}'", + "NativeIaC": "```yaml\n# CloudFormation: Enable mTLS for an MSK cluster\nResources:\n :\n Type: AWS::MSK::Cluster\n Properties:\n ClusterName: \n KafkaVersion: \n NumberOfBrokerNodes: 2\n BrokerNodeGroupInfo:\n InstanceType: kafka.m5.large\n ClientSubnets:\n - \n - \n ClientAuthentication:\n Tls:\n CertificateAuthorityArnList:\n - # CRITICAL: Enables mutual TLS using this Private CA\n EncryptionInfo:\n EncryptionInTransit:\n ClientBroker: TLS # CRITICAL: Required when enabling mTLS\n```", + "Other": "1. In the AWS Console, go to Amazon MSK > Clusters and select the provisioned cluster (state must be ACTIVE)\n2. Choose Actions > Update security (or Security > Edit)\n3. Under Client authentication, enable TLS and add your AWS Private CA ARN(s)\n4. Under Encryption in transit, set Client-broker to TLS\n5. 
Save/Update and wait for the update to complete", + "Terraform": "```hcl\n# Terraform: Enable mTLS for an MSK cluster\nresource \"aws_msk_cluster\" \"\" {\n cluster_name = \"\"\n kafka_version = \"\"\n number_of_broker_nodes = 2\n\n broker_node_group_info {\n instance_type = \"kafka.m5.large\"\n client_subnets = [\"\", \"\"]\n }\n\n client_authentication {\n tls {\n certificate_authority_arns = [\"\"] # CRITICAL: Enables mutual TLS with this Private CA\n }\n }\n\n encryption_info {\n encryption_in_transit {\n client_broker = \"TLS\" # CRITICAL: Required when enabling mTLS\n }\n }\n}\n```" }, "Recommendation": { - "Text": "It is recommended to enable Mutual TLS Authentication for your Kafka cluster to ensure secure communication between clients and brokers.", - "Url": "https://docs.aws.amazon.com/msk/latest/developerguide/msk-update-security.html" + "Text": "Enable **mutual TLS** for client-broker traffic and disable `PLAINTEXT` listeners. Issue short-lived client certificates from a managed CA with rotation. Apply **least privilege** using Kafka ACLs, restrict network access to trusted sources, and monitor authentication events as part of **defense in depth**.", + "Url": "https://hub.prowler.com/check/kafka_cluster_mutual_tls_authentication_enabled" } }, - "Categories": [], + "Categories": [ + "encryption" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/kafka/kafka_cluster_unrestricted_access_disabled/kafka_cluster_unrestricted_access_disabled.metadata.json b/prowler/providers/aws/services/kafka/kafka_cluster_unrestricted_access_disabled/kafka_cluster_unrestricted_access_disabled.metadata.json index bbe59cc8c1..15dd40d92e 100644 --- a/prowler/providers/aws/services/kafka/kafka_cluster_unrestricted_access_disabled/kafka_cluster_unrestricted_access_disabled.metadata.json +++ b/prowler/providers/aws/services/kafka/kafka_cluster_unrestricted_access_disabled/kafka_cluster_unrestricted_access_disabled.metadata.json 
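Review bot: `CheckTitle` now says `TLS authentication` while the `CheckID`, `Description` and `Recommendation` all refer to mutual TLS — server-side TLS alone authenticates nothing about the client, so the title should keep the word: `Kafka cluster has mutual TLS (mTLS) client authentication enabled`. `Categories` is set to `encryption`, but this is an authentication control and the sibling `kafka_cluster_unrestricted_access_disabled` uses `identity-access`; use that here (optionally alongside `encryption`). As described, a provisioned cluster that authenticates clients with SASL/IAM or SASL/SCRAM but not mTLS will still be reported, which is a defensible policy but should be stated in `Notes` so the finding is not read as "clients are unauthenticated", e.g. `Clusters using only SASL/IAM or SASL/SCRAM are reported; this check requires mTLS specifically.` Whether the check logic actually behaves this way is not visible here — confirm against the implementation before wording the note.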
@@ -1,29 +1,41 @@ { "Provider": "aws", "CheckID": "kafka_cluster_unrestricted_access_disabled", - "CheckTitle": "Ensure Kafka Cluster has unrestricted access disabled", - "CheckType": [], + "CheckTitle": "Kafka cluster requires authentication", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices", + "TTPs/Initial Access/Unauthorized Access", + "Effects/Data Exposure" + ], "ServiceName": "kafka", - "SubServiceName": "cluster", - "ResourceIdTemplate": "arn:partition:kafka:region:account-id:cluster", - "Severity": "high", + "SubServiceName": "", + "ResourceIdTemplate": "", + "Severity": "critical", "ResourceType": "AwsMskCluster", - "Description": "Kafka Clusters should not have unrestricted access enabled. Unrestricted access allows anyone to access the Kafka Cluster without any authentication. It is recommended to disable unrestricted access to prevent unauthorized access to the Kafka Cluster.", - "Risk": "Unrestricted access to Kafka Clusters can lead to unauthorized access to the cluster and its data. It is recommended to restrict access to Kafka Clusters to only authorized entities.", - "RelatedUrl": "https://docs.aws.amazon.com/msk/latest/developerguide/msk-configure-security.html", + "Description": "Amazon MSK clusters are evaluated for **unauthenticated client access**. 
Serverless clusters inherently require authentication; provisioned clusters are checked for configurations that allow **unrestricted connections** rather than authenticated clients.", + "Risk": "Allowing **unauthenticated access** lets anyone connect and:\n- Read sensitive topics (confidentiality)\n- Publish or alter data (integrity)\n- Overload brokers and consumers (availability)\n\nThis enables message exfiltration, stream poisoning, and abuse of trusted data pipelines.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/msk/latest/developerguide/msk-configure-security.html", + "https://docs.aws.amazon.com/msk/latest/developerguide/security.html", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/unrestricted-access-to-brokers.html" + ], "Remediation": { "Code": { - "CLI": "aws kafka update-security --region region_name --cluster-arn cluster_arn --current-version kafka_version_of_cluster --client-authentication 'Unauthenticated={Enabled=false}'", - "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/unrestricted-access-to-brokers.html", - "Terraform": "" + "CLI": "aws kafka update-security --cluster-arn --current-version --client-authentication 'Unauthenticated={Enabled=false}'", + "NativeIaC": "```yaml\n# CloudFormation: Disable unauthenticated client access for MSK\nResources:\n :\n Type: AWS::MSK::Cluster\n Properties:\n ClusterName: \n KafkaVersion: \n NumberOfBrokerNodes: 2\n BrokerNodeGroupInfo:\n InstanceType: \n ClientSubnets:\n - \n - \n StorageInfo:\n EbsStorageInfo:\n VolumeSize: 1000\n ClientAuthentication:\n Unauthenticated:\n Enabled: false # CRITICAL: Disables unauthenticated client access\n```", + "Other": "1. Open the AWS Console and go to Amazon MSK\n2. Select your cluster and open the Security tab\n3. Click Edit under Client authentication\n4. Turn off/clear Unauthenticated access\n5. 
Save changes to apply the update", + "Terraform": "```hcl\n# Terraform: Disable unauthenticated client access for MSK\nresource \"aws_msk_cluster\" \"\" {\n cluster_name = \"\"\n kafka_version = \"\"\n number_of_broker_nodes = 2\n\n broker_node_group_info {\n instance_type = \"\"\n client_subnets = [\"\", \"\"]\n ebs_volume_size = 1000\n }\n\n client_authentication {\n unauthenticated = false # CRITICAL: Disables unauthenticated client access\n }\n}\n```" }, "Recommendation": { - "Text": "It is recommended to restrict access to Kafka Clusters to only authorized entities. Ensure that the Kafka Cluster's security settings are properly configured to prevent unauthorized access.", - "Url": "https://docs.aws.amazon.com/msk/latest/developerguide/security.html" + "Text": "Disable **unauthenticated access** and require **strong client authentication** (mTLS or IAM/SASL).\n- Enforce **least privilege** with scoped ACLs\n- Restrict network paths via private connectivity and tight security groups\n- Encrypt in transit, monitor access, and rotate credentials regularly", + "Url": "https://hub.prowler.com/check/kafka_cluster_unrestricted_access_disabled" } }, - "Categories": [], + "Categories": [ + "identity-access" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/kafka/kafka_cluster_uses_latest_version/kafka_cluster_uses_latest_version.metadata.json b/prowler/providers/aws/services/kafka/kafka_cluster_uses_latest_version/kafka_cluster_uses_latest_version.metadata.json index 37f9accdd2..249b9b4a37 100644 --- a/prowler/providers/aws/services/kafka/kafka_cluster_uses_latest_version/kafka_cluster_uses_latest_version.metadata.json +++ b/prowler/providers/aws/services/kafka/kafka_cluster_uses_latest_version/kafka_cluster_uses_latest_version.metadata.json 
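Review bot: The CloudFormation and Terraform examples set `Unauthenticated: Enabled: false` / `unauthenticated = false` without defining any other client-authentication method, so a user applying them as written either hits an MSK validation error or ends up with a cluster no client can authenticate to (I believe MSK requires at least one of SASL or TLS when unauthenticated access is off — confirm). The snippets should pair the change with a replacement that matches the `Recommendation` text, e.g. `Sasl: Iam: Enabled: true` under `ClientAuthentication` in the CloudFormation block and `sasl { iam = true }` inside the Terraform `client_authentication` block. The CLI example deserves the same caveat: running `update-security` with only `Unauthenticated={Enabled=false}` presumes an existing SASL or TLS method on the cluster, and the console steps should say so too.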
@@ -1,31 +1,40 @@
 {
 "Provider": "aws",
 "CheckID": "kafka_cluster_uses_latest_version",
- "CheckTitle": "MSK cluster should use the latest version.",
+ "CheckTitle": "MSK cluster uses the latest Kafka version or is serverless with AWS-managed version",
 "CheckType": [
- "Infrastructure Security"
+ "Software and Configuration Checks/Patch Management",
+ "Software and Configuration Checks/AWS Security Best Practices",
+ "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
 ],
 "ServiceName": "kafka",
- "SubServiceName": "cluster",
- "ResourceIdTemplate": "arn:partition:kafka:region:account-id:cluster",
+ "SubServiceName": "",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
 "ResourceType": "AwsMskCluster",
- "Description": "Ensure that your Amazon Managed Streaming for Apache Kafka (MSK) cluster is using the latest version to benefit from the latest security features, bug fixes, and performance improvements.",
- "Risk": "Running an outdated version of Amazon MSK may expose your cluster to security vulnerabilities, bugs, and performance issues.",
- "RelatedUrl": "https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-databases.html",
+ "Description": "**Amazon MSK clusters** are evaluated for use of the latest supported **Apache Kafka version**. Provisioned clusters are compared to the most recent release, while **serverless clusters** are treated as automatically managed for versioning.",
+ "Risk": "Outdated Kafka enables exploitation of known flaws and weak cryptography, risking data exposure or tampering (**confidentiality/integrity**). Missing fixes increase broker crashes and partition instability (**availability**). 
After end of support, silent auto-upgrades can trigger unexpected behavior and compatibility issues.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.aws.amazon.com/msk/latest/developerguide/version-support.html#version-upgrades",
+ "https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-databases.html",
+ "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/enable-apache-kafka-latest-security-features.html"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "aws kafka update-cluster-configuration --cluster-arn --current-version --target-version ",
- "NativeIaC": "",
- "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/enable-apache-kafka-latest-security-features.html",
- "Terraform": ""
+ "CLI": "aws kafka update-cluster-kafka-version --cluster-arn --current-version --target-kafka-version ",
+ "NativeIaC": "```yaml\n# CloudFormation: Upgrade MSK cluster to latest Kafka version\nResources:\n :\n Type: AWS::MSK::Cluster\n Properties:\n ClusterName: \n KafkaVersion: # CRITICAL: set to the latest Kafka version to pass the check\n NumberOfBrokerNodes: 2\n BrokerNodeGroupInfo:\n InstanceType: kafka.m5.large\n ClientSubnets:\n - \n - \n```",
+ "Other": "1. Open the AWS Management Console and go to Amazon MSK\n2. Select your cluster and choose Actions > Update cluster\n3. In Kafka version, select the latest available version\n4. Review and start the upgrade (Update/Start upgrade)\n5. 
Wait until the operation completes and the cluster status returns to Active",
+ "Terraform": "```hcl\n# Terraform: Upgrade MSK cluster to latest Kafka version\nresource \"aws_msk_cluster\" \"\" {\n cluster_name = \"\"\n kafka_version = \"\" # CRITICAL: set to the latest Kafka version to pass the check\n number_of_broker_nodes = 2\n\n broker_node_group_info {\n instance_type = \"kafka.m5.large\"\n client_subnets = [\"\", \"\"]\n\n storage_info {\n ebs_storage_info { volume_size = 1000 }\n }\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "To upgrade your Amazon MSK cluster to the latest version, use the AWS Management Console, AWS CLI, or SDKs to update the cluster configuration. For more information, refer to the official Amazon MSK documentation.",
- "Url": "https://docs.aws.amazon.com/msk/latest/developerguide/version-support.html#version-upgrades"
+ "Text": "Adopt a controlled upgrade strategy:\n- Track MSK version support and upgrade before end of support\n- Test in staging and schedule maintenance windows\n- Use blue/green or rolling upgrades to reduce downtime\n- Validate client compatibility and security settings\n- Consider serverless MSK if automatic versioning fits your risk model",
+ "Url": "https://hub.prowler.com/check/kafka_cluster_uses_latest_version"
 }
 },
- "Categories": [],
+ "Categories": [
+ "vulnerabilities"
+ ],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": ""
diff --git a/prowler/providers/aws/services/kafka/kafka_connector_in_transit_encryption_enabled/kafka_connector_in_transit_encryption_enabled.metadata.json b/prowler/providers/aws/services/kafka/kafka_connector_in_transit_encryption_enabled/kafka_connector_in_transit_encryption_enabled.metadata.json
index 36f40c4c18..012cf01756 100644
--- a/prowler/providers/aws/services/kafka/kafka_connector_in_transit_encryption_enabled/kafka_connector_in_transit_encryption_enabled.metadata.json 
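Review bot: The new `AdditionalURLs` array in kafka_cluster_uses_latest_version carries forward `https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-databases.html`, the old `RelatedUrl`, which documents Lightsail databases and is unrelated to MSK or Kafka versioning; it should be dropped from the list rather than migrated into the new format, leaving the MSK version-support page and the Trend Micro reference. The placeholders in the new `CLI` string and in the CloudFormation/Terraform snippets (`--cluster-arn --current-version --target-kafka-version `, `ClusterName: `, `resource "aws_msk_cluster" ""`) all read as empty here; if that is how the file is committed rather than angle-bracket placeholders lost in rendering, the remediation should name them, e.g. `aws kafka update-cluster-kafka-version --cluster-arn <cluster-arn> --current-version <current-version> --target-kafka-version <target-kafka-version>`, so a reader knows what to fill in. The object's closing brace lies outside the hunk.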
+++ b/prowler/providers/aws/services/kafka/kafka_connector_in_transit_encryption_enabled/kafka_connector_in_transit_encryption_enabled.metadata.json 
@@ -1,28 +1,33 @@
 {
 "Provider": "aws",
 "CheckID": "kafka_connector_in_transit_encryption_enabled",
- "CheckTitle": "MSK Connect connectors should be encrypted in transit",
+ "CheckTitle": "MSK Connect connector has encryption in transit enabled",
 "CheckType": [
- "Software and Configuration Checks/AWS Security Best Practices"
+ "Software and Configuration Checks/AWS Security Best Practices",
+ "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
 ],
 "ServiceName": "kafka",
 "SubServiceName": "",
- "ResourceIdTemplate": "arn:aws:kafkaconnect:{region}:{account-id}:connector/{connector-name}/{connector-id}",
- "Severity": "medium",
+ "ResourceIdTemplate": "",
+ "Severity": "high",
 "ResourceType": "Other",
- "Description": "This control checks whether an Amazon MSK Connect connector is encrypted in transit. This control fails if the connector isn't encrypted in transit.",
- "Risk": "Data in transit can be intercepted or eavesdropped on by unauthorized users. Ensuring encryption in transit helps to protect sensitive data as it moves between nodes in a network or from your MSK cluster to connected applications.",
- "RelatedUrl": "https://docs.aws.amazon.com/msk/latest/developerguide/msk-connect.html",
+ "Description": "**MSK Connect connectors** are evaluated for **in-transit encryption** using `TLS` on client connections to Kafka brokers and connected systems.",
+ "Risk": "Without **TLS**, data streams can be **intercepted** or **modified** in transit. Attackers on the path can perform **man-in-the-middle**, replay, or message **tampering**, exposing records and secrets. 
This degrades **confidentiality** and **integrity** and can enable unauthorized access to downstream systems.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.aws.amazon.com/msk/latest/developerguide/msk-connect.html",
+ "https://docs.aws.amazon.com/msk/latest/developerguide/mkc-create-connector-intro.html"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "aws kafkaconnect create-connector --encryption-in-transit-config 'EncryptionInTransitType=TLS'",
- "NativeIaC": "",
- "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/msk-controls.html#msk-3",
- "Terraform": ""
+ "CLI": "",
+ "NativeIaC": "```yaml\n# CloudFormation: MSK Connect connector with in-transit encryption enabled\nResources:\n :\n Type: AWS::KafkaConnect::Connector\n Properties:\n ConnectorName: \n KafkaCluster:\n ApacheKafkaCluster:\n BootstrapServers: \n Vpc:\n SecurityGroups: []\n Subnets: []\n KafkaClusterClientAuthentication:\n AuthenticationType: NONE\n KafkaClusterEncryptionInTransit:\n EncryptionType: TLS # Critical: enables TLS encryption in transit\n KafkaConnectVersion: \n Plugins:\n - CustomPlugin:\n CustomPluginArn: \n Revision: 1\n Capacity:\n ProvisionedCapacity:\n McuCount: 1\n WorkerCount: 1\n ServiceExecutionRoleArn: \n ConnectorConfiguration:\n connector.class: \n tasks.max: \"1\"\n```",
+ "Other": "1. In the AWS console, go to Amazon MSK > MSK Connect > Connectors\n2. Select the non-TLS connector and choose Delete (encryption setting can't be changed)\n3. Choose Create connector and select your custom plugin and cluster\n4. In the Security section, set Encryption in transit to TLS (required)\n5. 
Complete other required fields and Create the connector",
+ "Terraform": "```hcl\n# Terraform: MSK Connect connector with in-transit encryption enabled\nresource \"aws_mskconnect_connector\" \"\" {\n name = \"\"\n kafkaconnect_version = \"\"\n\n kafka_cluster {\n apache_kafka_cluster {\n bootstrap_servers = \"\"\n vpc {\n security_groups = [\"\"]\n subnets = [\"\"]\n }\n }\n }\n\n kafka_cluster_client_authentication {\n authentication_type = \"NONE\"\n }\n\n kafka_cluster_encryption_in_transit {\n encryption_type = \"TLS\" # Critical: enables TLS encryption in transit\n }\n\n capacity {\n provisioned_capacity {\n mcu_count = 1\n worker_count = 1\n }\n }\n\n service_execution_role_arn = \"\"\n\n connector_configuration = {\n \"connector.class\" = \"\"\n \"tasks.max\" = \"1\"\n }\n\n plugin {\n custom_plugin {\n arn = \"\"\n revision = 1\n }\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Enable encryption in transit for MSK Connect connectors to secure data as it moves across networks.",
- "Url": "https://docs.aws.amazon.com/msk/latest/developerguide/mkc-create-connector-intro.html"
+ "Text": "Require **TLS** for all connector communications and disallow plaintext. Prefer private connectivity, validate certificates, and use modern cipher suites. Pair with **mutual authentication** and **least privilege** roles for defense-in-depth. Regularly review connector configs to avoid non-TLS endpoints.",
+ "Url": "https://hub.prowler.com/check/kafka_connector_in_transit_encryption_enabled"
 }
 },
 "Categories": [