Ensure that Amazon Managed Streaming for Kafka (MSK) clusters are using AWS KMS Customer Master Keys (CMKs) instead of AWS managed keys (i.e. default keys) for data encryption, in order to have fine-grained control over the data-at-rest encryption/decryption process and to meet compliance requirements. MSK is a fully managed AWS service that enables you to migrate, build and run real-time streaming applications on Apache Kafka.
To determine the encryption configuration for your AWS MSK clusters, perform the following actions:
Note: Verifying the encryption configuration for Amazon MSK clusters using the AWS Management Console is not currently supported; the feature can be checked only through the AWS Command Line Interface (CLI).
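As an added example (not part of this rule page), the CLI check described above as a Python script wrapping the AWS CLI: it reads `DataVolumeKMSKeyId` from `aws kafka describe-cluster` and uses the `KeyManager` field of `aws kms describe-key` to decide whether that key is the default AWS-managed key or a customer CMK. The `audit_account` function needs AWS credentials and a configured region; the sample responses below are constructed with placeholder account and key ids.

```python
import json
import subprocess


def aws(*args):
    """Run one AWS CLI command and parse its JSON output (needs credentials)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def data_volume_key(cluster_info):
    """KMS key ARN from the ClusterInfo returned by `aws kafka describe-cluster`."""
    return (cluster_info.get("EncryptionInfo", {})
            .get("EncryptionAtRest", {})
            .get("DataVolumeKMSKeyId"))


def classify(cluster_info, key_description):
    """Return 'CUSTOMER' (rule passes), 'AWS' (default aws/kafka key, rule fails)
    or 'UNKNOWN'. MSK always encrypts data volumes, so the only question is who
    manages the key; `aws kms describe-key` answers that via KeyManager."""
    if data_volume_key(cluster_info) is None:
        return "UNKNOWN"
    manager = key_description.get("KeyMetadata", {}).get("KeyManager")
    return manager if manager in ("AWS", "CUSTOMER") else "UNKNOWN"


def audit_account():
    """Live check of every cluster in the configured region: name -> verdict."""
    verdicts = {}
    for summary in aws("kafka", "list-clusters")["ClusterInfoList"]:
        info = aws("kafka", "describe-cluster",
                   "--cluster-arn", summary["ClusterArn"])["ClusterInfo"]
        key = aws("kms", "describe-key", "--key-id", data_volume_key(info))
        verdicts[summary["ClusterName"]] = classify(info, key)
    return verdicts


# Constructed sample responses (placeholder account, region and key ids), shaped
# like the real CLI output, so the classification can be exercised offline.
DEFAULT_KEY_CLUSTER = {"EncryptionInfo": {"EncryptionAtRest": {
    "DataVolumeKMSKeyId": "arn:aws:kms:us-east-1:123456789012:key/00000000-aaaa-4000-8000-000000000001"}}}
DEFAULT_KEY_DESC = {"KeyMetadata": {"KeyManager": "AWS"}}
CMK_CLUSTER = {"EncryptionInfo": {"EncryptionAtRest": {
    "DataVolumeKMSKeyId": "arn:aws:kms:us-east-1:123456789012:key/00000000-bbbb-4000-8000-000000000002"}}}
CMK_DESC = {"KeyMetadata": {"KeyManager": "CUSTOMER"}}

if __name__ == "__main__":
    print("default-key cluster:", classify(DEFAULT_KEY_CLUSTER, DEFAULT_KEY_DESC))
    print("cmk cluster:", classify(CMK_CLUSTER, CMK_DESC))
```

Run `audit_account()` against a real account to get a per-cluster verdict; any cluster reported as `AWS` is the case this rule flags.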
To determine if encryption at rest is enabled for your Amazon DynamoDB Accelerator (DAX) clusters, perform the following actions:
Remediation / Resolution
Encryption at rest using Customer Master Keys cannot be configured for existing AWS MSK clusters. To encrypt Amazon Managed Streaming for Kafka (MSK) cluster data using your own AWS KMS Customer Master Keys (CMKs), you have to re-create the specified cluster. To create the required AWS KMS CMK and relaunch the required cluster, perform the following actions:
Note: Creating and configuring Amazon MSK clusters using the AWS Management Console is not currently supported.
Use KMS Customer Master Keys for AWS MSK Clusters
Risk level: Medium