Critical

Ensure MSK (Kafka) broker instances are not publicly accessible

Security & Compliance
Description

Amazon Managed Streaming for Apache Kafka (MSK) is a fully managed service for building and running applications that use Apache Kafka to process streaming data. Keeping the Kafka broker instances off the public internet is a key part of securing an MSK cluster. By default, MSK broker instances are launched within private subnets of a Virtual Private Cloud (VPC), which provides network isolation and improved security. If the cluster is not configured properly, however, broker instances may become publicly reachable, exposing them to risks such as unauthorized access, data breaches, and resource hijacking. Ensuring that MSK broker instances are not publicly accessible improves the security of MSK clusters and prevents unauthorized access to Kafka data and resources.

Remediation

The following are the remediation steps to ensure that MSK broker instances are not publicly accessible:

  1. Log in to the AWS Management Console and navigate to the Amazon MSK dashboard.
  2. Select the MSK cluster for which you want to check the broker instance accessibility.
  3. Navigate to the "Broker" tab in the MSK cluster details page.
  4. Check the accessibility column of each broker instance.
  5. If any broker instance is accessible publicly, select the broker instance and click the "Actions" button.
  6. In the dropdown menu, select "Modify broker instance."
  7. In the "Modify broker instance" page, scroll down to the "Networking" section.
  8. Change the "Subnet" field to a private subnet that is not publicly accessible.
  9. Scroll down to the bottom of the page and click the "Modify" button.
  10. Repeat steps 5-9 for each publicly accessible broker instance.
  11. After updating the subnet of all publicly accessible broker instances, verify that none of the broker instances are publicly accessible.

By following these steps, you can ensure that MSK broker instances are not publicly accessible, helping to improve the security of Kafka clusters and prevent unauthorized access to Kafka data and resources.
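To complement the console verification in step 11, the following added example (not part of this page or of Lightlytics' tooling) evaluates the MSK `ClusterInfo` document for the cluster-level `PublicAccess.Type` setting and lists clusters whose brokers are publicly accessible. The sample cluster documents and ARNs are constructed; the `audit_account` function assumes boto3 and AWS credentials are available.

```python
"""Flag MSK clusters whose brokers have public access enabled (added example)."""
from typing import Any, Dict, List
# Public access is a cluster-level setting in the MSK API:
#   BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type
# "DISABLED"              -> brokers reachable only from inside the VPC
# "SERVICE_PROVIDED_EIPS" -> AWS attaches public IPs to the brokers


def broker_public_access_type(cluster_info: Dict[str, Any]) -> str:
    """Return PublicAccess.Type; a missing ConnectivityInfo block (older
    clusters) is treated as DISABLED, which is how the service treats it."""
    return (
        cluster_info.get("BrokerNodeGroupInfo", {})
        .get("ConnectivityInfo", {})
        .get("PublicAccess", {})
        .get("Type", "DISABLED")
    )


def find_public_clusters(clusters: List[Dict[str, Any]]) -> List[str]:
    """Return the ARNs of clusters whose brokers are publicly accessible."""
    return [c["ClusterArn"] for c in clusters
            if broker_public_access_type(c) != "DISABLED"]


def audit_account(region: str = "us-east-1") -> List[str]:
    """Live check against one region (needs boto3 and AWS credentials)."""
    import boto3  # lazy import so the evaluation logic above runs offline

    kafka = boto3.client("kafka", region_name=region)
    clusters: List[Dict[str, Any]] = []
    for page in kafka.get_paginator("list_clusters").paginate():
        clusters.extend(page["ClusterInfoList"])
    return find_public_clusters(clusters)


# Constructed sample ClusterInfo documents (ARNs are placeholders, not real).
PREFIX = "arn:aws:kafka:us-east-1:111111111111:cluster/"
SAMPLE_CLUSTERS = [
    {"ClusterArn": PREFIX + "private-demo/EXAMPLE", "BrokerNodeGroupInfo":
        {"ConnectivityInfo": {"PublicAccess": {"Type": "DISABLED"}}}},
    {"ClusterArn": PREFIX + "public-demo/EXAMPLE", "BrokerNodeGroupInfo":
        {"ConnectivityInfo": {"PublicAccess": {"Type": "SERVICE_PROVIDED_EIPS"}}}},
    {"ClusterArn": PREFIX + "legacy-demo/EXAMPLE", "BrokerNodeGroupInfo": {}},
]

if __name__ == "__main__":
    for arn in find_public_clusters(SAMPLE_CLUSTERS):
        print("PUBLIC:", arn)
```

Run it against a region with `audit_account("eu-west-1")` to get the list of non-compliant cluster ARNs; an empty list means every cluster in that region has public access disabled.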

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.