Medium

Ensure MSK (Kafka) clusters have encryption in transit enabled between clients and brokers using TLS

Security & Compliance
Description

Encryption in transit using TLS should be enabled between clients and brokers for MSK (Managed Streaming for Kafka) clusters to ensure secure communication. This helps prevent eavesdropping, tampering, and message forgery between the clients and brokers.

Remediation

To ensure MSK (Kafka) clusters have encryption in transit enabled between clients and brokers using TLS, follow the remediation steps below:

  1. Open the Amazon MSK console.
  2. In the left navigation pane, choose Clusters.
  3. Select the target MSK cluster.
  4. Choose the Configuration tab.
  5. In the Encryption in transit section, choose Edit.
  6. For Client broker communication, select the option that enables encryption, such as TLS.
  7. Choose Save.
  8. Verify that the encryption in transit is enabled between clients and brokers by checking the Configuration tab for the target MSK cluster. The Encryption in transit section should show the enabled encryption protocols.
  9. Repeat the above steps for all MSK clusters in your AWS account.
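
To verify the setting for every cluster programmatically rather than clicking through each one, the following check evaluates the `ClusterInfo.EncryptionInfo.EncryptionInTransit.ClientBroker` field of an MSK DescribeCluster response and flags anything other than TLS-only. This is an added example, not Lightlytics code; the cluster records below are constructed sample data in the shape of that API response, and the cluster names are placeholders.

```python
"""Audit check: flag MSK clusters whose client-broker traffic is not TLS-only.

Added example, not part of the original page. It reads the
ClusterInfo.EncryptionInfo.EncryptionInTransit.ClientBroker value that
the MSK DescribeCluster API returns (TLS, TLS_PLAINTEXT or PLAINTEXT).
Real data can be fed in with
boto3.client("kafka").describe_cluster(ClusterArn=...)["ClusterInfo"].
"""
from typing import Any, Dict, List

# Constructed sample records shaped like ClusterInfo from DescribeCluster;
# only the fields this check reads are included. Names are placeholders.
SAMPLE_CLUSTERS: List[Dict[str, Any]] = [
    {"ClusterName": "orders-prod",
     "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS", "InCluster": True}}},
    {"ClusterName": "legacy-ingest",  # accepts TLS *and* plaintext clients
     "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS_PLAINTEXT", "InCluster": True}}},
    {"ClusterName": "dev-sandbox",
     "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "PLAINTEXT", "InCluster": False}}},
    {"ClusterName": "missing-block"},  # response without an EncryptionInfo block
]


def client_broker_mode(cluster: Dict[str, Any]) -> str:
    """Return the ClientBroker mode, or UNKNOWN if the block is absent."""
    return (cluster.get("EncryptionInfo", {})
                   .get("EncryptionInTransit", {})
                   .get("ClientBroker", "UNKNOWN"))


def is_compliant(cluster: Dict[str, Any]) -> bool:
    """Only TLS passes: TLS_PLAINTEXT still lets unencrypted clients connect,
    and an unknown/missing value is treated as a finding, not a pass."""
    return client_broker_mode(cluster) == "TLS"


def audit(clusters: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One finding row per cluster, suitable for a report or SIEM feed."""
    return [{"cluster": c.get("ClusterName", "<unnamed>"),
             "client_broker": client_broker_mode(c),
             "compliant": is_compliant(c)} for c in clusters]


def noncompliant_names(clusters: List[Dict[str, Any]]) -> List[str]:
    """Names of clusters that need the remediation steps above applied."""
    return [row["cluster"] for row in audit(clusters) if not row["compliant"]]


if __name__ == "__main__":
    for row in audit(SAMPLE_CLUSTERS):
        print(row)
    print("needs remediation:", noncompliant_names(SAMPLE_CLUSTERS))
```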

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.