Pattern: An MSK cluster allows unencrypted data in transit
Issue: -
Encryption should be enforced for Kafka clusters, including for communication between nodes. This ensures sensitive data is kept private.
Resolution: Enable in-transit encryption.
Example of incorrect code:
resource "aws_msk_cluster" "bad_example" {
  encryption_info {
    encryption_in_transit {
      # TLS_PLAINTEXT accepts both TLS and plaintext client connections
      client_broker = "TLS_PLAINTEXT"
      in_cluster    = true
    }
  }
}
Example of correct code:
resource "aws_msk_cluster" "good_example" {
  encryption_info {
    encryption_in_transit {
      # Clients must use TLS, and broker-to-broker traffic is encrypted
      client_broker = "TLS"
      in_cluster    = true
    }
  }
}
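The same check applied to a Terraform plan rather than to source files, as an added example that is not part of the original page or of any scanner's own code. The sample plan, the module name "streaming" and the function names are constructed for illustration; the example also reports a cluster whose in-transit settings are absent, which is a choice of this example.

```python
# Constructed sample shaped like "planned_values" in `terraform show -json` output.
def _msk(address, transit):
    """Constructed aws_msk_cluster entry; nested blocks are lists in plan JSON."""
    info = [{"encryption_in_transit": [transit]}] if transit is not None else []
    return {"address": address, "type": "aws_msk_cluster",
            "values": {"encryption_info": info}}

SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        _msk("aws_msk_cluster.bad_example", {"client_broker": "TLS_PLAINTEXT", "in_cluster": True}),
        _msk("aws_msk_cluster.good_example", {"client_broker": "TLS", "in_cluster": True}),
    ],
    "child_modules": [{"resources": [
        _msk("module.streaming.aws_msk_cluster.events", {"client_broker": "TLS", "in_cluster": False}),
        _msk("module.streaming.aws_msk_cluster.unset", None),
    ]}],
}}}

def iter_resources(module):
    """Yield resources from a module and, recursively, from its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def first_block(values, name):
    """Return the first object of a nested block, or {} when the block is absent."""
    blocks = values.get(name) or []
    return blocks[0] if blocks else {}

def check_msk_transit(plan):
    """Return (address, attribute, value) for each setting that is not enforced."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "aws_msk_cluster":
            continue
        info = first_block(res.get("values") or {}, "encryption_info")
        transit = first_block(info, "encryption_in_transit")
        # Assumption of this example: a setting that is absent is reported too,
        # so reliance on provider defaults is visible to the reviewer.
        if transit.get("client_broker") != "TLS":
            findings.append((res["address"], "client_broker", transit.get("client_broker")))
        if transit.get("in_cluster") is not True:
            findings.append((res["address"], "in_cluster", transit.get("in_cluster")))
    return findings

if __name__ == "__main__":
    for address, attr, value in check_msk_transit(SAMPLE_PLAN):
        print(f"{address}: {attr} = {value!r}")
```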