MSK clusters must have encryption enabled for data at rest and in transit to prevent unauthorized access to, eavesdropping on, and tampering with Kafka messages and backups. In AWS CloudFormation, every AWS::MSK::Cluster resource must define EncryptionInfo. EncryptionInfo.EncryptionInTransit.ClientBroker must be set to TLS, and EncryptionInfo.EncryptionInTransit.InCluster must be set to true. Resources that omit EncryptionInfo, that set ClientBroker to any other value (for example, PLAINTEXT or TLS_PLAINTEXT), or that set InCluster to false are flagged as insecure.
Compliant Code Examples

```yaml
Description: MSK Cluster with all properties
Resources:
  TestCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: ClusterWithAllProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      EnhancedMonitoring: PER_BROKER
      EncryptionInfo:
        EncryptionAtRest:
          DataVolumeKMSKeyId: ReplaceWithKmsKeyArn
        EncryptionInTransit:
          ClientBroker: TLS
          InCluster: true
      OpenMonitoring:
        Prometheus:
          JmxExporter:
            EnabledInBroker: "true"
          NodeExporter:
            EnabledInBroker: "true"
      ConfigurationInfo:
        Arn: ReplaceWithConfigurationArn
        Revision: 1
      ClientAuthentication:
        Tls:
          CertificateAuthorityArnList:
            - ReplaceWithCAArn
      Tags:
        Environment: Test
        Owner: QATeam
      BrokerNodeGroupInfo:
        BrokerAZDistribution: DEFAULT
        InstanceType: kafka.m5.large
        SecurityGroups:
          - ReplaceWithSecurityGroupId
        StorageInfo:
          EBSStorageInfo:
            VolumeSize: 100
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3
```
```yaml
Description: MSK Cluster with all properties
Resources:
  TestCluster2:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: ClusterWithAllProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      EnhancedMonitoring: PER_BROKER
      EncryptionInfo:
        EncryptionAtRest:
          DataVolumeKMSKeyId: ReplaceWithKmsKeyArn
        EncryptionInTransit:
          ClientBroker: TLS
      OpenMonitoring:
        Prometheus:
          JmxExporter:
            EnabledInBroker: "true"
          NodeExporter:
            EnabledInBroker: "true"
      ConfigurationInfo:
        Arn: ReplaceWithConfigurationArn
        Revision: 1
      ClientAuthentication:
        Tls:
          CertificateAuthorityArnList:
            - ReplaceWithCAArn
      Tags:
        Environment: Test
        Owner: QATeam
      BrokerNodeGroupInfo:
        BrokerAZDistribution: DEFAULT
        InstanceType: kafka.m5.large
        SecurityGroups:
          - ReplaceWithSecurityGroupId
        StorageInfo:
          EBSStorageInfo:
            VolumeSize: 100
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3
```
```json
{
  "Description": "MSK Cluster with all properties",
  "Resources": {
    "TestCluster3": {
      "Type": "AWS::MSK::Cluster",
      "Properties": {
        "ClusterName": "ClusterWithAllProperties",
        "KafkaVersion": "2.2.1",
        "NumberOfBrokerNodes": 3,
        "EnhancedMonitoring": "PER_BROKER",
        "EncryptionInfo": {
          "EncryptionAtRest": {
            "DataVolumeKMSKeyId": "ReplaceWithKmsKeyArn"
          },
          "EncryptionInTransit": {
            "ClientBroker": "TLS",
            "InCluster": true
          }
        },
        "OpenMonitoring": {
          "Prometheus": {
            "JmxExporter": { "EnabledInBroker": "true" },
            "NodeExporter": { "EnabledInBroker": "true" }
          }
        },
        "ConfigurationInfo": {
          "Arn": "ReplaceWithConfigurationArn",
          "Revision": 1
        },
        "ClientAuthentication": {
          "Tls": {
            "CertificateAuthorityArnList": ["ReplaceWithCAArn"]
          }
        },
        "Tags": {
          "Environment": "Test",
          "Owner": "QATeam"
        },
        "BrokerNodeGroupInfo": {
          "BrokerAZDistribution": "DEFAULT",
          "InstanceType": "kafka.m5.large",
          "SecurityGroups": ["ReplaceWithSecurityGroupId"],
          "StorageInfo": {
            "EBSStorageInfo": { "VolumeSize": 100 }
          },
          "ClientSubnets": [
            "ReplaceWithSubnetId1",
            "ReplaceWithSubnetId2",
            "ReplaceWithSubnetId3"
          ]
        }
      }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
Description: MSK Cluster with all properties
Resources:
  TestCluster5:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: ClusterWithAllProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      EnhancedMonitoring: PER_BROKER
      OpenMonitoring:
        Prometheus:
          JmxExporter:
            EnabledInBroker: "true"
          NodeExporter:
            EnabledInBroker: "true"
      ConfigurationInfo:
        Arn: ReplaceWithConfigurationArn
        Revision: 1
      ClientAuthentication:
        Tls:
          CertificateAuthorityArnList:
            - ReplaceWithCAArn
      Tags:
        Environment: Test
        Owner: QATeam
      BrokerNodeGroupInfo:
        BrokerAZDistribution: DEFAULT
        InstanceType: kafka.m5.large
        SecurityGroups:
          - ReplaceWithSecurityGroupId
        StorageInfo:
          EBSStorageInfo:
            VolumeSize: 100
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3
```
```yaml
Description: MSK Cluster with all properties
Resources:
  TestCluster6:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: ClusterWithAllProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      EnhancedMonitoring: PER_BROKER
      EncryptionInfo:
        EncryptionAtRest:
          DataVolumeKMSKeyId: ReplaceWithKmsKeyArn
        EncryptionInTransit:
          ClientBroker: PLAINTEXT
      OpenMonitoring:
        Prometheus:
          JmxExporter:
            EnabledInBroker: "true"
          NodeExporter:
            EnabledInBroker: "true"
      ConfigurationInfo:
        Arn: ReplaceWithConfigurationArn
        Revision: 1
      ClientAuthentication:
        Tls:
          CertificateAuthorityArnList:
            - ReplaceWithCAArn
      Tags:
        Environment: Test
        Owner: QATeam
      BrokerNodeGroupInfo:
        BrokerAZDistribution: DEFAULT
        InstanceType: kafka.m5.large
        SecurityGroups:
          - ReplaceWithSecurityGroupId
        StorageInfo:
          EBSStorageInfo:
            VolumeSize: 100
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3
```
```yaml
Description: MSK Cluster with all properties
Resources:
  TestCluster7:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: ClusterWithAllProperties
      KafkaVersion: 2.2.1
      NumberOfBrokerNodes: 3
      EnhancedMonitoring: PER_BROKER
      EncryptionInfo:
        EncryptionAtRest:
          DataVolumeKMSKeyId: ReplaceWithKmsKeyArn
        EncryptionInTransit:
          InCluster: false
      OpenMonitoring:
        Prometheus:
          JmxExporter:
            EnabledInBroker: "true"
          NodeExporter:
            EnabledInBroker: "true"
      ConfigurationInfo:
        Arn: ReplaceWithConfigurationArn
        Revision: 1
      ClientAuthentication:
        Tls:
          CertificateAuthorityArnList:
            - ReplaceWithCAArn
      Tags:
        Environment: Test
        Owner: QATeam
      BrokerNodeGroupInfo:
        BrokerAZDistribution: DEFAULT
        InstanceType: kafka.m5.large
        SecurityGroups:
          - ReplaceWithSecurityGroupId
        StorageInfo:
          EBSStorageInfo:
            VolumeSize: 100
        ClientSubnets:
          - ReplaceWithSubnetId1
          - ReplaceWithSubnetId2
          - ReplaceWithSubnetId3
```
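To show how the three conditions above can be checked mechanically in a CI pipeline, here is an added Python checker (not Datadog's rule engine) that walks a parsed CloudFormation template and reports each AWS::MSK::Cluster that omits EncryptionInfo, sets ClientBroker to anything but TLS, or sets InCluster to false. Treating an absent ClientBroker or InCluster as the AWS default (TLS / true) is an assumption of this example, and the sample template is constructed from trimmed copies of the page's TestCluster2, 5, 6 and 7.

```python
import json
from typing import Any

# Mirrors the rule on this page: an AWS::MSK::Cluster must declare EncryptionInfo,
# ClientBroker (when present) must be TLS, and InCluster must not be false.
# Absent ClientBroker/InCluster are left to AWS defaults (TLS / true): an assumption here.

def _is_false(value: Any) -> bool:
    # Templates sometimes carry booleans as strings; treat "false" like False.
    return value is False or (isinstance(value, str) and value.lower() == "false")

def check_msk_encryption(template: dict[str, Any]) -> list[str]:
    """Return one '<LogicalId>: <reason>' finding per non-compliant MSK cluster."""
    findings: list[str] = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != "AWS::MSK::Cluster":
            continue
        props = resource.get("Properties") or {}
        enc = props.get("EncryptionInfo")
        if not isinstance(enc, dict):
            findings.append(f"{logical_id}: EncryptionInfo is missing")
            continue
        transit = enc.get("EncryptionInTransit") or {}
        client_broker = transit.get("ClientBroker")
        if client_broker is not None and client_broker != "TLS":
            findings.append(f"{logical_id}: ClientBroker is {client_broker}, expected TLS")
        if _is_false(transit.get("InCluster")):
            findings.append(f"{logical_id}: InCluster is false")
    return findings

def check_json_template(text: str) -> list[str]:
    """Check a JSON-format template (for YAML, pass yaml.safe_load(text) to check_msk_encryption)."""
    return check_msk_encryption(json.loads(text))

# Constructed sample: trimmed copies of the page's TestCluster2, 5, 6 and 7
# (only rule-relevant properties kept), plus one non-MSK resource that must be ignored.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "TestCluster2": {"Type": "AWS::MSK::Cluster", "Properties": {
        "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS"}}}},
    "TestCluster5": {"Type": "AWS::MSK::Cluster", "Properties": {}},
    "TestCluster6": {"Type": "AWS::MSK::Cluster", "Properties": {
        "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "PLAINTEXT"}}}},
    "TestCluster7": {"Type": "AWS::MSK::Cluster", "Properties": {
        "EncryptionInfo": {"EncryptionInTransit": {"InCluster": False}}}},
    "Bucket": {"Type": "AWS::S3::Bucket"}}})

if __name__ == "__main__":
    for finding in check_json_template(SAMPLE_TEMPLATE):
        print(finding)
```

Templates that use intrinsic-function tags such as !Ref need a CloudFormation-aware YAML loader before they can be passed to check_msk_encryption.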
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```