Aws Client Broker Tls Disabled
Description
This detector identifies Amazon MSK (Managed Streaming for Kafka) clusters that have TLS encryption disabled between clients and brokers. When client-broker TLS is disabled (the ClientBroker setting is PLAINTEXT), data transmitted between Kafka clients and brokers is not encrypted, potentially exposing sensitive data in transit to unauthorized reading or tampering by anyone on the network path.
Detection Strategy
• Checks all MSK clusters in the specified AWS region (excluding serverless clusters)
• Reviews the encryption configuration for each cluster, specifically examining the ClientBroker setting in EncryptionInTransit
• Reports a vulnerability if the ClientBroker encryption setting is configured as 'PLAINTEXT' instead of requiring TLS encryption
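The check above, written out as an added Python example (not Fluid Attacks' own detector code). It evaluates the ClusterInfoList shape returned by the MSK ListClustersV2 API, skips serverless clusters, and flags provisioned clusters whose ClientBroker value is PLAINTEXT; the cluster records and ARNs below are constructed sample data, and fetch_clusters is only a hypothetical helper for pulling real data with boto3.

```python
"""Audit MSK clusters for client-broker traffic left as PLAINTEXT."""
from typing import Iterable, List, Optional, Tuple

PLAINTEXT = "PLAINTEXT"


def client_broker_setting(cluster: dict) -> Optional[str]:
    """Return the ClientBroker value for a provisioned cluster.

    Serverless clusters carry no broker-level TLS setting, so they yield
    None and are excluded, matching the detector's scope. Provisioned
    entries from ListClustersV2 nest under "Provisioned"; older ListClusters
    entries are flat, so both shapes are accepted.
    """
    if cluster.get("ClusterType") == "SERVERLESS":
        return None
    prov = cluster.get("Provisioned", cluster)
    return (prov.get("EncryptionInfo", {})
                .get("EncryptionInTransit", {})
                .get("ClientBroker"))


def find_plaintext_clusters(clusters: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (ClusterArn, ClientBroker) for clusters set to PLAINTEXT.

    TLS_PLAINTEXT is deliberately not flagged, as the detector only reports
    PLAINTEXT; note that it still admits unencrypted client connections.
    """
    return [(c["ClusterArn"], s) for c in clusters
            if (s := client_broker_setting(c)) == PLAINTEXT]


def fetch_clusters(region: str) -> List[dict]:
    """Hypothetical helper: page through ListClustersV2 with boto3."""
    import boto3  # imported lazily so the offline sample runs without it
    kafka, out, kwargs = boto3.client("kafka", region_name=region), [], {}
    while True:
        page = kafka.list_clusters_v2(**kwargs)
        out.extend(page.get("ClusterInfoList", []))
        if not page.get("NextToken"):
            return out
        kwargs = {"NextToken": page["NextToken"]}


# Constructed sample data (ARNs and account id are placeholders).
ARN = "arn:aws:kafka:us-east-1:123456789012:cluster/{}/00000000-0000-0000-0000-00000000000{}-1"
SAMPLE_CLUSTERS = [
    {"ClusterArn": ARN.format("legacy", 1), "ClusterType": "PROVISIONED",
     "Provisioned": {"EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "PLAINTEXT"}}}},
    {"ClusterArn": ARN.format("hardened", 2), "ClusterType": "PROVISIONED",
     "Provisioned": {"EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS"}}}},
    {"ClusterArn": ARN.format("serverless", 3), "ClusterType": "SERVERLESS", "Serverless": {}},
    {"ClusterArn": ARN.format("mixed-v1", 4),
     "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS_PLAINTEXT"}}},
]

if __name__ == "__main__":
    for arn, setting in find_plaintext_clusters(SAMPLE_CLUSTERS):
        print(f"VULNERABLE {arn}: ClientBroker={setting}")
```

Running the script against the sample data reports only the "legacy" cluster; replace SAMPLE_CLUSTERS with fetch_clusters(region) to audit a live account.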