Amazon MSK clusters are evaluated for use of the latest supported Apache Kafka version. Provisioned clusters are compared to the most recent release, while serverless clusters are treated as automatically managed for versioning.
Risk
Running an outdated Kafka version leaves known flaws and weak cryptography exploitable, risking data exposure or tampering (confidentiality/integrity). Missing fixes increase broker crashes and partition instability (availability). After end of support, silent auto-upgrades can trigger unexpected behavior and compatibility issues.
prowler aws --checks kafka_cluster_uses_latest_version
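As an added example that is not part of this page or of Prowler's own code, the check logic described above modelled offline: provisioned clusters are compared with the newest supported release, serverless clusters pass. The cluster names and version lists are constructed sample data shaped like the MSK ListClustersV2 and ListKafkaVersions responses; `fetch_live` shows how the same inputs would be pulled with boto3 and is not run here.

```python
"""Offline model of the MSK 'latest Kafka version' check: provisioned clusters are
compared with the newest supported release, serverless clusters pass automatically."""

# Constructed sample data shaped like the MSK ListClustersV2 / ListKafkaVersions
# responses; the cluster names and version lists are made up for this example.
SAMPLE_CLUSTERS = [
    {"ClusterName": "orders-prov", "ClusterType": "PROVISIONED",
     "Provisioned": {"CurrentBrokerSoftwareInfo": {"KafkaVersion": "3.6.0"}}},
    {"ClusterName": "metrics-prov", "ClusterType": "PROVISIONED",
     "Provisioned": {"CurrentBrokerSoftwareInfo": {"KafkaVersion": "2.8.1"}}},
    {"ClusterName": "events-sls", "ClusterType": "SERVERLESS"},
]
SAMPLE_SUPPORTED = ["2.8.1", "2.8.2.tiered", "3.4.0", "3.5.1", "3.6.0"]

def version_key(version: str) -> list:
    """Sort key: numeric parts compare numerically; a suffix like 'tiered' sorts after its base."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in version.split(".")]

def latest_supported(versions: list) -> str:
    """Newest entry of the supported-version list."""
    return max(versions, key=version_key)

def evaluate_cluster(cluster: dict, latest: str) -> dict:
    """PASS/FAIL for one cluster, mirroring the check's provisioned/serverless split."""
    name = cluster["ClusterName"]
    if cluster.get("ClusterType") == "SERVERLESS":
        return {"cluster": name, "status": "PASS", "reason": "serverless; version managed by AWS"}
    current = cluster["Provisioned"]["CurrentBrokerSoftwareInfo"]["KafkaVersion"]
    status = "PASS" if version_key(current) == version_key(latest) else "FAIL"
    return {"cluster": name, "status": status, "reason": f"running {current}, latest is {latest}"}

def evaluate_all(clusters: list, supported: list) -> list:
    """Evaluate every cluster against the newest supported version."""
    latest = latest_supported(supported)
    return [evaluate_cluster(c, latest) for c in clusters]

def fetch_live(region: str) -> tuple:
    """Live inventory for evaluate_all (needs boto3, kafka:ListClustersV2, kafka:ListKafkaVersions)."""
    import boto3  # lazy import keeps the offline part dependency-free
    kafka = boto3.client("kafka", region_name=region)
    clusters, token = [], None
    while True:
        page = kafka.list_clusters_v2(**({"NextToken": token} if token else {}))
        clusters.extend(page["ClusterInfoList"])
        token = page.get("NextToken")
        if not token:
            break
    active = [v["Version"] for v in kafka.list_kafka_versions()["KafkaVersions"]
              if v.get("Status") == "ACTIVE"]
    return clusters, active
```

Only versions with Status ACTIVE are taken as candidates for "latest", so a deprecated release that is still listed by the API does not mask a cluster that needs upgrading.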
Recommendation
Adopt a controlled upgrade strategy:
- Track MSK version support and upgrade before end of support
- Test in staging and schedule maintenance windows
- Use blue/green or rolling upgrades to reduce downtime
- Validate client compatibility and security settings
- Consider serverless MSK if automatic versioning fits your risk model
Remediation
# <current_version> is the cluster's CurrentVersion value from describe-cluster, not its Kafka version
aws kafka update-cluster-kafka-version --cluster-arn <example_resource_id> --current-version <current_version> --target-kafka-version <latest_version>
- Open the AWS Management Console and go to Amazon MSK
- Select your cluster and choose Actions > Update cluster
- In Kafka version, select the latest available version
- Review and start the upgrade (Update/Start upgrade)
- Wait until the operation completes and the cluster status returns to Active
Source Code
Resource Type
AwsMskCluster
References
- https://docs.aws.amazon.com/msk/latest/developerguide/version-support.html#version-upgrades
- https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-databases.html
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/MSK/enable-apache-kafka-latest-security-features.html