---
title: MSK clusters should not be publicly accessible and should use private subnets
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > MSK clusters should not be publicly
  accessible and should use private subnets
---

# MSK clusters should not be publicly accessible and should use private subnets
 
## Description{% #description %}

MSK clusters should not be publicly accessible and should be deployed in private subnets. Keeping brokers in private subnets reduces exposure to the public internet and limits access to approved network paths.

## Remediation{% #remediation %}

Disable public access for brokers and place the cluster in subnets that do not assign public IPs on launch. For guidance, refer to [Configuring public access for a cluster](https://docs.aws.amazon.com/msk/latest/developerguide/msk-public-access.html).