MSK clusters should be encrypted in transit among broker nodes

Description

MSK clusters should encrypt data in transit between broker nodes to prevent eavesdropping on inter-broker communication. Serverless clusters enforce TLS by default; provisioned clusters must have the in-cluster encryption setting enabled.

Remediation

Enable in-cluster encryption when creating or updating the MSK cluster configuration. For guidance, refer to Amazon MSK encryption in transit.
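
To find the clusters that need this change, the following added example (not part of the Datadog rule or its implementation) evaluates cluster descriptions shaped like the `ClusterInfoList` entries returned by the MSK `ListClustersV2` API. The function names and sample clusters are constructed for illustration, and treating a missing `InCluster` value as a finding is a choice made by this example.

```python
# Added example: offline check of MSK cluster descriptions for in-cluster
# (broker-to-broker) encryption. Input mirrors ListClustersV2 entries.

def in_cluster_encryption_status(cluster):
    """Return (compliant, reason) for one MSK cluster description."""
    ctype = cluster.get("ClusterType")
    if ctype == "SERVERLESS":
        return True, "serverless clusters enforce TLS by default"
    if ctype != "PROVISIONED":
        return False, f"unrecognized ClusterType {ctype!r}; review manually"
    transit = ((cluster.get("Provisioned") or {})
               .get("EncryptionInfo") or {}).get("EncryptionInTransit") or {}
    in_cluster = transit.get("InCluster")
    if in_cluster is True:
        return True, "InCluster encryption enabled"
    if in_cluster is False:
        return False, "InCluster encryption disabled"
    # Assumption of this example: fail closed when the field is missing.
    return False, "InCluster setting absent; review manually"


def non_compliant(clusters):
    """List (cluster name, reason) for every cluster that fails the check."""
    findings = []
    for cluster in clusters:
        ok, reason = in_cluster_encryption_status(cluster)
        if not ok:
            findings.append((cluster.get("ClusterName", "<unnamed>"), reason))
    return findings


# Constructed sample data, not real clusters.
SAMPLE_CLUSTERS = [
    {"ClusterName": "orders-encrypted", "ClusterType": "PROVISIONED",
     "Provisioned": {"EncryptionInfo": {"EncryptionInTransit": {
         "ClientBroker": "TLS", "InCluster": True}}}},
    {"ClusterName": "orders-plaintext", "ClusterType": "PROVISIONED",
     "Provisioned": {"EncryptionInfo": {"EncryptionInTransit": {
         "ClientBroker": "TLS", "InCluster": False}}}},
    {"ClusterName": "events-serverless", "ClusterType": "SERVERLESS",
     "Serverless": {}},
    {"ClusterName": "legacy-unknown", "ClusterType": "PROVISIONED",
     "Provisioned": {}},
]

if __name__ == "__main__":
    for name, reason in non_compliant(SAMPLE_CLUSTERS):
        print(f"{name}: {reason}")
```

Note that `ClientBroker: TLS` on the second sample does not satisfy the check: client-to-broker and broker-to-broker encryption are separate settings.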