Amazon MSK clusters enforce client authentication on client-to-broker connections. Serverless clusters use TLS-based authentication by default; provisioned clusters must have mutual TLS (mTLS) explicitly enabled.
Risk
Without mTLS, adversaries can impersonate clients or intercept sessions, compromising confidentiality and integrity. Unauthorized producers/consumers can read or alter topics, poison data streams, and flood brokers, degrading availability and impacting downstream systems.
prowler aws --checks kafka_cluster_mutual_tls_authentication_enabled
Recommendation
Enable mutual TLS for client-broker traffic and disable PLAINTEXT listeners. Issue short-lived client certificates from a managed CA with rotation. Apply least privilege using Kafka ACLs, restrict network access to trusted sources, and monitor authentication events as part of defense in depth.
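As an added example (not part of the check page or of Prowler's own source), the following Python evaluates a cluster description in the shape returned by `aws kafka describe-cluster` (`ClusterInfo.ClientAuthentication` and `ClusterInfo.EncryptionInfo`) against the recommendation above: TLS client authentication backed by at least one private CA, no unauthenticated access, and no PLAINTEXT client-broker listener. For a failing cluster it also assembles the same `aws kafka update-security` invocation shown in the Remediation section. The two sample clusters, their ARNs and version strings are constructed; `evaluate_mtls` and `build_remediation_command` are names chosen for this example.

```python
"""Assess Amazon MSK cluster descriptions for mutual TLS client authentication.

Added example. The dict shape follows the `describe-cluster` API (ClientAuthentication
with Tls/Sasl/Unauthenticated, EncryptionInfo.EncryptionInTransit.ClientBroker);
all sample values are constructed placeholders.
"""
import shlex
from typing import Any

# Constructed sample: TLS auth with a private CA, no anonymous access, TLS-only traffic.
COMPLIANT_CLUSTER: dict[str, Any] = {
    "ClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/good/EXAMPLE-UUID-1",
    "CurrentVersion": "KEXAMPLEVERSION1",
    "State": "ACTIVE",
    "ClientAuthentication": {
        "Tls": {
            "CertificateAuthorityArnList": [
                "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/EXAMPLE-CA"
            ],
            "Enabled": True,
        },
        "Sasl": {"Scram": {"Enabled": False}, "Iam": {"Enabled": False}},
        "Unauthenticated": {"Enabled": False},
    },
    "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS", "InCluster": True}},
}

# Constructed sample: no TLS auth, anonymous access allowed, PLAINTEXT listener exposed.
NONCOMPLIANT_CLUSTER: dict[str, Any] = {
    "ClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/bad/EXAMPLE-UUID-2",
    "CurrentVersion": "KEXAMPLEVERSION2",
    "State": "ACTIVE",
    "ClientAuthentication": {
        "Sasl": {"Scram": {"Enabled": False}, "Iam": {"Enabled": True}},
        "Unauthenticated": {"Enabled": True},
    },
    "EncryptionInfo": {
        "EncryptionInTransit": {"ClientBroker": "TLS_PLAINTEXT", "InCluster": True}
    },
}


def evaluate_mtls(cluster: dict[str, Any]) -> tuple[bool, list[str]]:
    """Return (passed, findings); findings lists each reason the cluster fails."""
    findings: list[str] = []
    auth = cluster.get("ClientAuthentication", {})
    tls = auth.get("Tls", {})
    ca_arns = tls.get("CertificateAuthorityArnList", [])
    # Older descriptions may omit Tls.Enabled; fall back to whether a CA is attached.
    tls_enabled = tls.get("Enabled", bool(ca_arns))
    if not (tls_enabled and ca_arns):
        findings.append("mutual TLS client authentication is not enabled")
    if auth.get("Unauthenticated", {}).get("Enabled", False):
        findings.append("unauthenticated client access is allowed")
    # Fail closed: a missing ClientBroker value is reported rather than assumed safe.
    client_broker = cluster.get("EncryptionInfo", {}).get("EncryptionInTransit", {}).get("ClientBroker")
    if client_broker != "TLS":
        findings.append(f"client-broker encryption is {client_broker!r}; a PLAINTEXT listener may be exposed")
    return (not findings, findings)


def build_remediation_command(cluster: dict[str, Any], ca_arns: list[str]) -> list[str]:
    """Assemble the `aws kafka update-security` argv that enables TLS auth and TLS-only traffic."""
    if not ca_arns:
        raise ValueError("at least one AWS Private CA ARN is required for TLS client authentication")
    tls_shorthand = "Tls={CertificateAuthorityArnList=[" + ",".join(ca_arns) + "]}"
    return [
        "aws", "kafka", "update-security",
        "--cluster-arn", cluster["ClusterArn"],
        "--current-version", cluster["CurrentVersion"],
        "--client-authentication", tls_shorthand,
        "--encryption-info", "EncryptionInTransit={ClientBroker=TLS}",
    ]


if __name__ == "__main__":
    example_ca = ["arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/EXAMPLE-CA"]
    for cluster in (COMPLIANT_CLUSTER, NONCOMPLIANT_CLUSTER):
        passed, findings = evaluate_mtls(cluster)
        print(cluster["ClusterArn"], "PASS" if passed else "FAIL")
        for reason in findings:
            print("  -", reason)
        if not passed:
            print("  remediate with:", shlex.join(build_remediation_command(cluster, example_ca)))
```

The evaluation deliberately treats a missing `ClientBroker` value as a finding rather than assuming the TLS default, so an incomplete description is surfaced for review instead of silently passing.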
Remediation
aws kafka update-security --cluster-arn <CLUSTER_ARN> --current-version <CURRENT_VERSION> --client-authentication 'Tls={CertificateAuthorityArnList=["<ACM_PCA_ARN>"]}' --encryption-info 'EncryptionInTransit={ClientBroker=TLS}'
- In the AWS Console, go to Amazon MSK > Clusters and select the provisioned cluster (state must be ACTIVE)
- Choose Actions > Update security (or Security > Edit)
- Under Client authentication, enable TLS and add your AWS Private CA ARN(s)
- Under Encryption in transit, set Client-broker to TLS
- Save/Update and wait for the update to complete
Resource Type
AwsMskCluster