EC2 instances whose attached security groups allow inbound TCP 9092 (the default Kafka broker listener port) from the Internet are reported. The evaluation inspects each group's ingress rules for unrestricted source addresses (0.0.0.0/0 or ::/0) that reach port 9092, whether the rule names the port explicitly or covers it as part of a wider port range.
Risk
Public Kafka access undermines all three CIA properties. A broker started with the default PLAINTEXT listener and no ACLs lets anyone who can reach port 9092 read topics and cluster metadata (confidentiality), publish or alter events consumed by downstream systems (integrity), and exhaust broker connections, disk or network capacity (availability). Exposure also eases reconnaissance of the cluster and lateral movement from the broker host into the rest of the VPC.
prowler aws --checks ec2_instance_port_kafka_exposed_to_internet
prowler aws --checks ec2_instance_port_kafka_exposed_to_internet --fixer
Recommendation
Apply least privilege: restrict TCP 9092 to trusted networks (the VPC CIDR, a peered VPC, or specific client security groups), never 0.0.0.0/0 or ::/0. Keep brokers in private subnets and reach them through private connectivity (VPN, VPC peering or PrivateLink). On the broker side, enforce TLS on the listeners, authenticate clients (mTLS or SASL) and apply topic-level ACLs, so that a future security-group mistake does not immediately translate into anonymous access. Add defense in depth with NACLs or a proxy in front of the brokers.
Remediation
aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port 9092 --cidr 0.0.0.0/0
This command revokes only the IPv4 rule. A rule sourced from ::/0 must be revoked separately (for example with --ip-permissions), and a rule that opens a port range containing 9092 must be revoked with that rule's exact FromPort/ToPort, because the API removes a rule only when the request matches its existing values.
- In the AWS Console, go to EC2 > Security Groups
- Select the security group attached to the instance
- Open the Inbound rules tab and click Edit inbound rules
- Remove the rule allowing TCP 9092 from 0.0.0.0/0 or ::/0 (Internet)
- If needed, add TCP 9092 with a restricted source (e.g., your VPC CIDR)
- Click Save rules
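The following is an added example, not Prowler's source code and not part of this page's original content. It reproduces the evaluation described above over a constructed sample of describe-security-groups output (group IDs and CIDRs are made up) and turns each finding into the exact IpPermissions structure needed by revoke-security-group-ingress, so that the IPv6 ::/0 rule and any port range containing 9092 are handled alongside the IPv4 case, while restricted sources on the same rule are left in place. The function and variable names are the example's own.

```python
"""Find security-group ingress rules that expose Kafka (TCP 9092) to the
Internet and build the IpPermissions needed to revoke exactly those sources.

Added example for this page; it is not Prowler's source code. The sample
describe-security-groups output below is constructed for illustration.
"""
import ipaddress
import json

KAFKA_PORT = 9092

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE_SECURITY_GROUPS = [
    {   # Exposed: 9092 open to 0.0.0.0/0 and ::/0 next to a legitimate /8
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 9092, "ToPort": 9092,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {   # Compliant: 9092 only from the VPC CIDR
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 9092, "ToPort": 9092,
             "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]},
    {   # Exposed: a port range that happens to include 9092, IPv6 only
        "GroupId": "sg-0a1b2c3d4e5f60003",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9100,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {   # Exposed: an all-traffic rule (the API omits the ports) from anywhere
        "GroupId": "sg-0a1b2c3d4e5f60004",
        "IpPermissions": [
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def is_internet_source(cidr):
    """True only for the unrestricted prefixes 0.0.0.0/0 and ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_tcp_port(perm, port):
    """True if an IpPermissions entry reaches `port` over TCP.

    IpProtocol "-1" means every protocol and port; the API then omits
    FromPort/ToPort entirely, so they are not read in that branch.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def exposed_kafka_permissions(security_group, port=KAFKA_PORT):
    """Return the offending rules trimmed to their open-to-world sources.

    The rule's own FromPort/ToPort are kept (not narrowed to 9092) because a
    revoke request only matches a rule whose values are identical; the
    restricted CIDRs on the same rule are dropped so they survive the revoke.
    """
    hits = []
    for perm in security_group.get("IpPermissions", []):
        if not rule_covers_tcp_port(perm, port):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if is_internet_source(r["CidrIp"])]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if is_internet_source(r["CidrIpv6"])]
        if not (v4 or v6):
            continue
        trimmed = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":
            trimmed["FromPort"] = perm["FromPort"]
            trimmed["ToPort"] = perm["ToPort"]
        if v4:
            trimmed["IpRanges"] = v4
        if v6:
            trimmed["Ipv6Ranges"] = v6
        hits.append(trimmed)
    return hits


def scan(security_groups, port=KAFKA_PORT):
    """Map group id -> revocable IpPermissions for every exposed group."""
    report = {}
    for sg in security_groups:
        hits = exposed_kafka_permissions(sg, port)
        if hits:
            report[sg["GroupId"]] = hits
    return report


def revoke_commands(report):
    """One `aws ec2 revoke-security-group-ingress` call per exposed group;
    --ip-permissions covers IPv4 and IPv6 sources in a single request."""
    return [
        "aws ec2 revoke-security-group-ingress --group-id {} --ip-permissions '{}'"
        .format(group_id, json.dumps(perms, separators=(",", ":")))
        for group_id, perms in report.items()
    ]


if __name__ == "__main__":
    for cmd in revoke_commands(scan(SAMPLE_SECURITY_GROUPS)):
        print(cmd)
```

Feed the script the real output of `aws ec2 describe-security-groups` (the `SecurityGroups` list) in place of the constructed sample and review the printed commands before running them. Note the all-traffic case: revoking an IpProtocol -1 rule from 0.0.0.0/0 removes far more than Kafka access, which is the right outcome but should be a deliberate decision, not an automated one.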
Source Code
Resource Type
AwsEc2Instance