AWS securityhub high security documentation change
Summary
Added three new security controls (MSK.4, MSK.5, MSK.6) addressing public access, logging, and authentication. Updated formatting and documentation links for existing controls.
Security assessment
The additions of MSK.4 (disable public access), MSK.5 (enable logging), and MSK.6 (disable unauthenticated access) directly address security vulnerabilities like unauthorized access, data breaches, and lack of audit capabilities. These controls explicitly mitigate security risks through access restrictions and monitoring enhancements. The severity is high due to the critical nature of public exposure (MSK.4) and authentication bypass risks (MSK.6).
Diff
diff --git a/securityhub/latest/userguide/msk-controls.md b/securityhub/latest/userguide/msk-controls.md index f43fe8396..21dfda562 100644 --- a//securityhub/latest/userguide/msk-controls.md +++ b//securityhub/latest/userguide/msk-controls.md @@ -5 +5 @@ -[MSK.1] MSK clusters should be encrypted in transit among broker nodes[MSK.2] MSK clusters should have enhanced monitoring configured[MSK.3] MSK Connect connectors should be encrypted in transit +[MSK.1] MSK clusters should be encrypted in transit among broker nodes[MSK.2] MSK clusters should have enhanced monitoring configured[MSK.3] MSK Connect connectors should be encrypted in transit[MSK.4] MSK clusters should have public access disabled[MSK.5] MSK connectors should have logging enabled[MSK.6] MSK clusters should disable unauthenticated access @@ -9,3 +9 @@ -These AWS Security Hub controls evaluate the Amazon Managed Streaming for Apache Kafka (Amazon MSK) service and resources. - -These controls may not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). +These AWS Security Hub controls evaluate the Amazon Managed Streaming for Apache Kafka (Amazon MSK) service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). @@ -23 +21 @@ These controls may not be available in all AWS Regions. For more information, se -**AWS Config rule:** [`msk-in-cluster-node-require-tls`](https://docs.aws.amazon.com/config/latest/developerguide/msk-in-cluster-node-require-tls.html) +**AWS Config rule:** [msk-in-cluster-node-require-tls](https://docs.aws.amazon.com/config/latest/developerguide/msk-in-cluster-node-require-tls.html) @@ -35 +33 @@ HTTPS offers an extra layer of security as it uses TLS to move data and can be u -To update encryption settings for MSK clusters, see [ Updating security settings of a cluster](https://docs.aws.amazon.com/msk/latest/developerguide/msk-update-security.html) in the _Amazon Managed Streaming for Apache Kafka Developer Guide_. +For information about updating the encryption settings for an Amazon MSK cluster, see [Updating security settings of a cluster](https://docs.aws.amazon.com/msk/latest/developerguide/msk-update-security.html) in the _Amazon Managed Streaming for Apache Kafka Developer Guide_. @@ -47 +45 @@ To update encryption settings for MSK clusters, see [ Updating security settings -**AWS Config rule:** [`msk-enhanced-monitoring-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/msk-enhanced-monitoring-enabled.html) +**AWS Config rule:** [msk-enhanced-monitoring-enabled](https://docs.aws.amazon.com/config/latest/developerguide/msk-enhanced-monitoring-enabled.html) @@ -74 +72 @@ To configure enhanced monitoring for an MSK cluster, complete the following step -For more information about monitoring levels, see [ Updating security settings of a cluster](https://docs.aws.amazon.com/msk/latest/developerguide/metrics-details.html) in the _Amazon Managed Streaming for Apache Kafka Developer Guide_. +For more information about monitoring levels, see [Amazon MSK metrics for monitoring Standard brokers with CloudWatch](https://docs.aws.amazon.com/msk/latest/developerguide/metrics-details.html) in the _Amazon Managed Streaming for Apache Kafka Developer Guide_. @@ -99,0 +98,70 @@ You can enable encryption in transit when you create an MSK Connect connector. Y +## [MSK.4] MSK clusters should have public access disabled + +**Category:** Protect > Secure access management > Resource not publicly accessible + +**Severity:** Critical + +**Resource type:** `AWS::MSK::Cluster` + +**AWS Config rule:** [msk-cluster-public-access-disabled](https://docs.aws.amazon.com/config/latest/developerguide/msk-cluster-public-access-disabled.html) + +**Schedule type:** Change triggered + +**Parameters:** None + +This control checks whether public access is disabled for an Amazon MSK cluster. The control fails if public access is enabled for the MSK cluster. + +By default, clients can access an Amazon MSK cluster only if they're in the same VPC as the cluster. All communication between Kafka clients and an MSK cluster are private by default and streaming data doesn't traverse the internet. However, if an MSK cluster is configured to allow public access, anyone on the internet can establish a connection to Apache Kafka brokers that are running within the cluster. This can lead to issues such as unauthorized access, data breaches, or exploitation of vulnerabilities. If you restrict access to a cluster by requiring authentication and authorization measures, you can help protect sensitive information and maintain the integrity of your resources. + +### Remediation + +For information about managing public access to an Amazon MSK cluster, see [ Turn on public access to an MSK Provisioned cluster](https://docs.aws.amazon.com/msk/latest/developerguide/public-access.html) in the _Amazon Managed Streaming for Apache Kafka Developer Guide_. + +## [MSK.5] MSK connectors should have logging enabled + +**Category:** Identify > Logging + +**Severity:** Medium + +**Resource type:** `AWS::KafkaConnect::Connector` + +**AWS Config rule:** [msk-connect-connector-logging-enabled](https://docs.aws.amazon.com/config/latest/developerguide/msk-connect-connector-logging-enabled.html) + +**Schedule type:** Change triggered + +**Parameters:** None + +This control checks whether logging is enabled for an Amazon MSK connector. The control fails if logging is disabled for the MSK connector. + +Amazon MSK connectors integrate external systems and Amazon services with Apache Kafka by continuously copying streaming data from a data source into an Apache Kafka cluster, or continuously copying data from a cluster into a data sink. MSK Connect can write log events that can help debug a connector. When you create a connector, you can specify zero or more of the following log destinations: Amazon CloudWatch Logs, Amazon S3, and Amazon Data Firehose. + +###### Note + +Sensitive configuration values can appear in connector logs if a plugin does not define those values as secret. Kafka Connect treats undefined configuration values the same as any other plaintext value. + +### Remediation + +To enable logging for an existing Amazon MSK connector, you have to re-create the connector with the appropriate logging configuration. For information about configuration options, see [Logging for MSK Connect](https://docs.aws.amazon.com/msk/latest/developerguide/msk-connect-logging.html) in the _Amazon Managed Streaming for Apache Kafka Developer Guide_. + +## [MSK.6] MSK clusters should disable unauthenticated access + +**Category:** Protect > Secure access management > Passwordless authentication + +**Severity:** Medium + +**Resource type:** `AWS::MSK::Cluster` + +**AWS Config rule:** [msk-unrestricted-access-check](https://docs.aws.amazon.com/config/latest/developerguide/msk-unrestricted-access-check.html) + +**Schedule type:** Change triggered + +**Parameters:** None + +This control checks whether unauthenticated access is enabled for an Amazon MSK cluster. The control fails if unauthenticated access is enabled for the MSK cluster. + +Amazon MSK supports client authentication and authorization mechanisms to control access to a cluster. These mechanisms verify the identity of clients connecting to the cluster and determine which actions clients can perform. An MSK cluster can be configured to allow unauthenticated access, which allows any client with network connectivity to publish and subscribe to Kafka topics without providing credentials. Running an MSK cluster without requiring authentication violates the principle of least privilege and can expose the cluster to unauthorized access. It can allow any client to access, modify, or delete data in Kafka topics, potentially resulting in data breaches, unauthorized data modifications, or service disruptions. We recommend enabling authentication mechanisms such as IAM authentication, SASL/SCRAM, or mutual TLS to ensure proper access control and maintain security compliance. + +### Remediation + +For information about changing the authentication settings for an Amazon MSK cluster, see the following sections of the _Amazon Managed Streaming for Apache Kafka Developer Guide_ : [Update security settings of an Amazon MSK cluster](https://docs.aws.amazon.com/msk/latest/developerguide/msk-update-security.html) and [Authentication and authorization for Apache Kafka APIs](https://docs.aws.amazon.com/msk/latest/developerguide/kafka_apis_iam.html). +