--- title: MSK broker is publicly accessible description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > MSK broker is publicly accessible --- # MSK broker is publicly accessible {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-msk-broker-is-publicly-accessible` **Provider:** AWS **Platform:** Terraform **Severity:** High **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#public_access) ### Description{% #description %} Amazon MSK (Managed Streaming for Kafka) clusters with public accessibility enabled allow connections from the internet, which significantly expands the attack surface and increases the risk of unauthorized access to sensitive data streams. When MSK brokers are publicly accessible, they can be targeted by malicious actors who may attempt to intercept data, perform denial-of-service attacks, or exploit vulnerabilities to gain deeper access to your infrastructure. To secure your MSK cluster, configure the `public_access` type as `DISABLED` rather than `SERVICE_PROVIDED_EIPS`, as shown below: ```hcl broker_node_group_info { connectivity_info { public_access { type = "DISABLED" } } } ``` For additional security, implement network ACLs, security groups, and private VPC endpoints to control access to your MSK resources. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_msk_cluster" "negative1" { cluster_name = "example" kafka_version = "2.7.1" number_of_broker_nodes = 3 broker_node_group_info { connectivity_info { public_access { type = "DISABLED" } } instance_type = "kafka.m5.4xlarge" client_subnets = [ aws_subnet.subnet_az1.id, aws_subnet.subnet_az2.id, aws_subnet.subnet_az3.id, ] storage_info { ebs_storage_info { provisioned_throughput { enabled = true volume_throughput = 250 } volume_size = 1000 } } security_groups = [aws_security_group.sg.id] } } ``` ```terraform resource "aws_msk_cluster" "negative2" { cluster_name = "example" kafka_version = "2.7.1" number_of_broker_nodes = 3 broker_node_group_info { instance_type = "kafka.m5.4xlarge" client_subnets = [ aws_subnet.subnet_az1.id, aws_subnet.subnet_az2.id, aws_subnet.subnet_az3.id, ] storage_info { ebs_storage_info { provisioned_throughput { enabled = true volume_throughput = 250 } volume_size = 1000 } } security_groups = [aws_security_group.sg.id] } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_msk_cluster" "positive1" { cluster_name = "example" kafka_version = "2.7.1" number_of_broker_nodes = 3 broker_node_group_info { connectivity_info { public_access { type = "SERVICE_PROVIDED_EIPS" } } instance_type = "kafka.m5.4xlarge" client_subnets = [ aws_subnet.subnet_az1.id, aws_subnet.subnet_az2.id, aws_subnet.subnet_az3.id, ] storage_info { ebs_storage_info { provisioned_throughput { enabled = true volume_throughput = 250 } volume_size = 1000 } } security_groups = [aws_security_group.sg.id] } } ```