For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-msk-broker-is-publicly-accessible.md. A documentation index is available at /llms.txt.

MSK broker is publicly accessible

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-msk-broker-is-publicly-accessible

Provider: AWS

Platform: CloudFormation

Severity: High

Category: Access Control

Learn More

Description

MSK clusters must not expose broker endpoints to the public internet because public broker endpoints allow any internet actor to connect, increasing the risk of data exfiltration and unauthorized access. In AWS CloudFormation, verify AWS::MSK::Cluster resources. The BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type property must be set to DISABLED or the PublicAccess block omitted. This rule flags resources where PublicAccess.Type is set to SERVICE_PROVIDED_EIPS, which provisions public EIPs for brokers and makes them reachable from the internet.

Secure configuration example:

MyMSKCluster:
  Type: AWS::MSK::Cluster
  Properties:
    BrokerNodeGroupInfo:
      ConnectivityInfo:
        PublicAccess:
          Type: DISABLED

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: MSK Cluster with required properties.
Resources:
  TestCluster0:
    Type: "AWS::MSK::Cluster"
    Properties:
      ClusterName: ClusterWithRequiredProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      BrokerNodeGroupInfo:
        InstanceType: kafka.m5.large
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "MSK Cluster with required properties.",
  "Resources": {
    "TestCluster": {
      "Properties": {
        "BrokerNodeGroupInfo": {
          "ClientSubnets": [
            "ReplaceWithSubnetId1",
            "ReplaceWithSubnetId2",
            "ReplaceWithSubnetId3"
          ],
          "ConnectivityInfo": {
            "PublicAccess": {
              "Type": "DISABLED"
            }
          },
          "InstanceType": "kafka.m5.large"
        },
        "ClusterName": "ClusterWithRequiredProperties",
        "KafkaVersion": "2.2.1",
        "NumberOfBrokerNodes": 3
      },
      "Type": "AWS::MSK::Cluster"
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: MSK Cluster with required properties.
Resources:
  TestCluster:
    Type: "AWS::MSK::Cluster"
    Properties:
      ClusterName: ClusterWithRequiredProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      BrokerNodeGroupInfo:
        InstanceType: kafka.m5.large
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3
        ConnectivityInfo:
          PublicAccess:
            Type: SERVICE_PROVIDED_EIPS

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "MSK Cluster with required properties.",
  "Resources": {
    "TestCluster": {
      "Properties": {
        "BrokerNodeGroupInfo": {
          "ClientSubnets": [
            "ReplaceWithSubnetId1",
            "ReplaceWithSubnetId2",
            "ReplaceWithSubnetId3"
          ],
          "ConnectivityInfo": {
            "PublicAccess": {
              "Type": "SERVICE_PROVIDED_EIPS"
            }
          },
          "InstanceType": "kafka.m5.large"
        },
        "ClusterName": "ClusterWithRequiredProperties",
        "KafkaVersion": "2.2.1",
        "NumberOfBrokerNodes": 3
      },
      "Type": "AWS::MSK::Cluster"
    }
  }
}