Amazon MSK clusters are evaluated for unauthenticated client access. Serverless clusters accept only IAM-authenticated clients and therefore pass; provisioned clusters fail when their client authentication settings have unauthenticated (plaintext) access enabled, whether or not an authenticated method such as IAM, SASL/SCRAM or TLS is also enabled.
Risk
Allowing unauthenticated access lets any client that can reach the brokers over the network connect without credentials and:
- Read sensitive topics (confidentiality)
- Publish or alter data (integrity)
- Overload brokers and consumers (availability)
This enables message exfiltration, stream poisoning, and abuse of trusted data pipelines.
prowler aws --checks kafka_cluster_unrestricted_access_disabled
Recommendation
Disable unauthenticated access and require strong client authentication (TLS client certificates, IAM, or SASL/SCRAM). Enable the authenticated method and move clients to its listener port before turning plaintext access off, since the cluster must keep at least one client authentication method enabled.
- Enforce least privilege with scoped Kafka ACLs (and IAM policies for IAM-authenticated clients); set allow.everyone.if.no.acl.found=false in the cluster configuration so that topics without an ACL are denied rather than open to every authenticated principal
- Restrict network paths via private connectivity and tight security groups
- Encrypt in transit, monitor access, and rotate credentials regularly
Remediation
aws kafka update-security --cluster-arn <example_resource_arn> --current-version <example_current_version> --client-authentication 'Unauthenticated={Enabled=false}'
The value for --current-version is the CurrentVersion reported by aws kafka describe-cluster-v2 for the cluster; the call is rejected if it does not match. At least one authenticated method (IAM, SASL/SCRAM or TLS) must already be enabled on the cluster, and clients still connecting to the plaintext listener (port 9092) lose access once the rolling update completes.
- Open the AWS Console and go to Amazon MSK
- Select your cluster and open the Security tab
- Click Edit under Client authentication
- Turn off/clear Unauthenticated access
- Save changes to apply the update
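The following is an added example, not Prowler's own check or Amazon's code. It shows the two halves of this page in working Python: the evaluation logic applied to ClusterInfo records shaped like the output of `aws kafka describe-cluster-v2` (the sample records, ARNs and version strings are constructed placeholders), and a remediation helper that builds the `ClientAuthentication` argument for `update-security` while keeping every authenticated method intact. It also handles the failure mode the CLI command above does not: a cluster whose only method is unauthenticated access cannot simply have that method switched off, so the helper refuses instead of producing a request that MSK would reject. The `remediate_live` function assumes boto3 and AWS credentials are available and is the only part that touches AWS.

```python
"""Evaluate MSK ClusterInfo records for unauthenticated access and build a safe
ClientAuthentication payload for update-security. Works offline on the samples;
remediate_live() is the only function that needs boto3 and credentials."""
from typing import Any, Dict, List, Tuple

# Constructed sample ClusterInfo records (shape of describe-cluster-v2 output).
# ARNs and CurrentVersion strings are placeholders, not real resources.
SAMPLE_CLUSTERS: List[Dict[str, Any]] = [
    {  # provisioned, plaintext left on beside IAM -> FAIL, fixable
        "ClusterArn": "arn:aws:kafka:us-east-1:111122223333:cluster/open-cluster/a1",
        "ClusterName": "open-cluster", "ClusterType": "PROVISIONED",
        "CurrentVersion": "K2EUQ1WTGCTBG2",
        "Provisioned": {"ClientAuthentication": {
            "Sasl": {"Scram": {"Enabled": False}, "Iam": {"Enabled": True}},
            "Tls": {"CertificateAuthorityArnList": [], "Enabled": False},
            "Unauthenticated": {"Enabled": True}}},
    },
    {  # provisioned, TLS client certificates only -> PASS
        "ClusterArn": "arn:aws:kafka:us-east-1:111122223333:cluster/mtls-cluster/b2",
        "ClusterName": "mtls-cluster", "ClusterType": "PROVISIONED",
        "CurrentVersion": "K3AEGXETSR30VB",
        "Provisioned": {"ClientAuthentication": {
            "Sasl": {"Scram": {"Enabled": False}, "Iam": {"Enabled": False}},
            "Tls": {"CertificateAuthorityArnList": [
                "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/c3"],
                "Enabled": True},
            "Unauthenticated": {"Enabled": False}}},
    },
    {  # provisioned, unauthenticated is the ONLY method -> FAIL, not fixable in one call
        "ClusterArn": "arn:aws:kafka:us-east-1:111122223333:cluster/plaintext-only/d4",
        "ClusterName": "plaintext-only", "ClusterType": "PROVISIONED",
        "CurrentVersion": "K1VC38T7YXB528",
        "Provisioned": {"ClientAuthentication": {
            "Sasl": {"Scram": {"Enabled": False}, "Iam": {"Enabled": False}},
            "Tls": {"CertificateAuthorityArnList": [], "Enabled": False},
            "Unauthenticated": {"Enabled": True}}},
    },
    {  # serverless clusters only speak IAM -> PASS
        "ClusterArn": "arn:aws:kafka:us-east-1:111122223333:cluster/serverless/e5",
        "ClusterName": "serverless", "ClusterType": "SERVERLESS",
        "Serverless": {"ClientAuthentication": {"Sasl": {"Iam": {"Enabled": True}}}},
    },
]


def client_auth(cluster: Dict[str, Any]) -> Dict[str, Any]:
    """Return the ClientAuthentication block for either cluster type ({} if absent)."""
    section = "Serverless" if cluster.get("ClusterType") == "SERVERLESS" else "Provisioned"
    return cluster.get(section, {}).get("ClientAuthentication", {})


def authenticated_methods(auth: Dict[str, Any]) -> List[str]:
    """List the authenticated mechanisms that are enabled in a ClientAuthentication block."""
    sasl = auth.get("Sasl", {})
    enabled = []
    if sasl.get("Scram", {}).get("Enabled"):
        enabled.append("SASL/SCRAM")
    if sasl.get("Iam", {}).get("Enabled"):
        enabled.append("IAM")
    if auth.get("Tls", {}).get("Enabled"):
        enabled.append("TLS")
    return enabled


def evaluate_cluster(cluster: Dict[str, Any]) -> Tuple[str, str]:
    """Return ("PASS" | "FAIL", reason) for one ClusterInfo record."""
    name = cluster.get("ClusterName", cluster.get("ClusterArn", "<unknown>"))
    if cluster.get("ClusterType") == "SERVERLESS":
        return "PASS", f"{name} is serverless and only accepts IAM-authenticated clients"
    auth = client_auth(cluster)
    # Assumption: a missing Unauthenticated block is read as disabled (the API default).
    if auth.get("Unauthenticated", {}).get("Enabled", False):
        methods = ", ".join(authenticated_methods(auth)) or "none"
        return "FAIL", f"{name} allows unauthenticated access (authenticated methods: {methods})"
    return "PASS", f"{name} does not allow unauthenticated access"


def evaluate_all(clusters: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    return [evaluate_cluster(c) for c in clusters]


def build_secure_client_auth(cluster: Dict[str, Any]) -> Dict[str, Any]:
    """Build the ClientAuthentication argument for update-security: keep Sasl/Tls
    exactly as configured and disable Unauthenticated. Raises ValueError when no
    authenticated method is enabled, because MSK requires at least one method and
    clients must first be moved to the authenticated listener."""
    auth = client_auth(cluster)
    if not authenticated_methods(auth):
        raise ValueError(f"{cluster.get('ClusterName')}: enable IAM, SASL/SCRAM or TLS "
                         "before disabling unauthenticated access")
    payload = {k: v for k, v in auth.items() if k in ("Sasl", "Tls")}
    payload["Unauthenticated"] = {"Enabled": False}
    return payload


def remediate_live(cluster_arn: str, region: str) -> str:
    """Disable unauthenticated access on a real cluster; needs boto3 and credentials.
    describe_cluster_v2 supplies the CurrentVersion that update_security requires."""
    import boto3  # imported here so the offline evaluation above needs no AWS SDK

    kafka = boto3.client("kafka", region_name=region)
    info = kafka.describe_cluster_v2(ClusterArn=cluster_arn)["ClusterInfo"]
    status, reason = evaluate_cluster(info)
    if status == "PASS":
        return reason
    resp = kafka.update_security(ClusterArn=cluster_arn, CurrentVersion=info["CurrentVersion"],
                                 ClientAuthentication=build_secure_client_auth(info))
    return resp["ClusterOperationArn"]  # track with aws kafka describe-cluster-operation


if __name__ == "__main__":
    for status, reason in evaluate_all(SAMPLE_CLUSTERS):
        print(f"{status}: {reason}")
```

Run as a script to see the verdict for each sample; to remediate a real cluster, call `remediate_live(<cluster ARN>, <region>)` after confirming that an authenticated method is enabled and that producers and consumers already use it. The operation ARN it returns can be polled with `aws kafka describe-cluster-operation` while the rolling broker update completes.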
Source Code
Resource Type
AwsMskCluster