
MSK clusters should be encrypted at rest

Description

MSK clusters should have at-rest encryption configured for data volumes. At-rest encryption protects stored data from unauthorized access and supports compliance requirements. Serverless MSK clusters are always encrypted and automatically pass this check.

Remediation

Create a new MSK cluster with at-rest encryption enabled. Existing provisioned clusters cannot have encryption changed after creation. For guidance, refer to Amazon MSK encryption.
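
The following is an added example, not Datadog's rule logic or AWS code: a small offline check that applies the pass/fail criteria described above to cluster descriptions. It assumes input shaped like the ClusterInfoList returned by the MSK ListClustersV2 API and assumes a provisioned cluster passes when a DataVolumeKMSKeyId is recorded; the sample clusters, ARN and key ID are constructed.

```python
"""Added example: audit MSK cluster descriptions for at-rest encryption."""

# Constructed sample shaped like the ClusterInfoList of the MSK ListClustersV2 API.
# All names, ARNs and key IDs below are made up for illustration.
SAMPLE_CLUSTERS = [
    {
        "ClusterName": "orders-prod",
        "ClusterType": "PROVISIONED",
        "Provisioned": {
            "EncryptionInfo": {
                "EncryptionAtRest": {
                    "DataVolumeKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
                }
            }
        },
    },
    {
        "ClusterName": "legacy-logs",
        "ClusterType": "PROVISIONED",
        "Provisioned": {"EncryptionInfo": {}},
    },
    {"ClusterName": "events-serverless", "ClusterType": "SERVERLESS", "Serverless": {}},
]


def at_rest_encrypted(cluster):
    """Return True if the cluster passes the at-rest encryption check."""
    # Serverless clusters are always encrypted, so they pass automatically.
    if cluster.get("ClusterType") == "SERVERLESS":
        return True
    # Assumption: a provisioned cluster passes when a data-volume KMS key is recorded.
    enc = (cluster.get("Provisioned") or {}).get("EncryptionInfo") or {}
    key_id = (enc.get("EncryptionAtRest") or {}).get("DataVolumeKMSKeyId")
    return bool(key_id and key_id.strip())


def failing_clusters(clusters):
    """Names of clusters that would need to be recreated with encryption enabled."""
    return [c.get("ClusterName", "<unnamed>") for c in clusters if not at_rest_encrypted(c)]


if __name__ == "__main__":
    for name in failing_clusters(SAMPLE_CLUSTERS):
        print(f"FAIL {name}: no at-rest encryption key; recreate the cluster")
```

Because encryption cannot be changed on an existing provisioned cluster, each name returned by `failing_clusters` identifies a cluster to replace rather than to reconfigure.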