--- title: MSK broker is publicly accessible description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > MSK broker is publicly accessible --- # MSK broker is publicly accessible {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-msk-broker-is-publicly-accessible` **Provider:** AWS **Platform:** CloudFormation **Severity:** High **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-msk-cluster-publicaccess.html) ### Description{% #description %} MSK clusters must not expose broker endpoints to the public internet because public broker endpoints allow any internet actor to connect, increasing the risk of data exfiltration and unauthorized access. In AWS CloudFormation, verify `AWS::MSK::Cluster` resources. The `BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type` property must be set to `DISABLED` or the `PublicAccess` block omitted. This rule flags resources where `PublicAccess.Type` is set to `SERVICE_PROVIDED_EIPS`, which provisions public EIPs for brokers and makes them reachable from the internet. Secure configuration example: ```yaml MyMSKCluster: Type: AWS::MSK::Cluster Properties: BrokerNodeGroupInfo: ConnectivityInfo: PublicAccess: Type: DISABLED ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml AWSTemplateFormatVersion: "2010-09-09" Description: MSK Cluster with required properties. Resources: TestCluster0: Type: "AWS::MSK::Cluster" Properties: ClusterName: ClusterWithRequiredProperties KafkaVersion: 2.2.1 NumberOfBrokerNodes: 3 BrokerNodeGroupInfo: InstanceType: kafka.m5.large ClientSubnets: - ReplaceWithSubnetId1 - ReplaceWithSubnetId2 - ReplaceWithSubnetId3 ``` ```json { "AWSTemplateFormatVersion": "2010-09-09", "Description": "MSK Cluster with required properties.", "Resources": { "TestCluster": { "Properties": { "BrokerNodeGroupInfo": { "ClientSubnets": [ "ReplaceWithSubnetId1", "ReplaceWithSubnetId2", "ReplaceWithSubnetId3" ], "ConnectivityInfo": { "PublicAccess": { "Type": "DISABLED" } }, "InstanceType": "kafka.m5.large" }, "ClusterName": "ClusterWithRequiredProperties", "KafkaVersion": "2.2.1", "NumberOfBrokerNodes": 3 }, "Type": "AWS::MSK::Cluster" } } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml AWSTemplateFormatVersion: "2010-09-09" Description: MSK Cluster with required properties. Resources: TestCluster: Type: "AWS::MSK::Cluster" Properties: ClusterName: ClusterWithRequiredProperties KafkaVersion: 2.2.1 NumberOfBrokerNodes: 3 BrokerNodeGroupInfo: InstanceType: kafka.m5.large ClientSubnets: - ReplaceWithSubnetId1 - ReplaceWithSubnetId2 - ReplaceWithSubnetId3 ConnectivityInfo: PublicAccess: Type: SERVICE_PROVIDED_EIPS ``` ```json { "AWSTemplateFormatVersion": "2010-09-09", "Description": "MSK Cluster with required properties.", "Resources": { "TestCluster": { "Properties": { "BrokerNodeGroupInfo": { "ClientSubnets": [ "ReplaceWithSubnetId1", "ReplaceWithSubnetId2", "ReplaceWithSubnetId3" ], "ConnectivityInfo": { "PublicAccess": { "Type": "SERVICE_PROVIDED_EIPS" } }, "InstanceType": "kafka.m5.large" }, "ClusterName": "ClusterWithRequiredProperties", "KafkaVersion": "2.2.1", "NumberOfBrokerNodes": 3 }, "Type": "AWS::MSK::Cluster" } } } ```