MSK Cluster Encryption In Transit Should Be Enabled
More Info:
This rule checks if an Amazon MSK cluster enforces encryption in transit using HTTPS (TLS) with the broker nodes of the cluster. It marks the rule as NON_COMPLIANT if plain text communication is enabled for in-cluster broker node connections.Risk Level
MediumAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of MSK Cluster Encryption In Transit not being enabled for AWS RDS using the AWS console, follow these steps:
-
Sign in to the AWS Management Console:
- Go to the AWS Management Console at https://aws.amazon.com/console/.
-
Navigate to the Amazon RDS Console:
- Click on the “Services” dropdown menu at the top left corner.
- Under the “Database” section, click on “RDS”.
-
Select the RDS Instance:
- In the Amazon RDS dashboard, select the RDS instance that you want to enable encryption in transit for.
-
Modify the RDS Instance:
- Click on the checkbox next to the RDS instance you selected.
- Click on the “Modify” button at the top.
-
Enable Encryption in Transit:
- Scroll down to the “Network & Security” section.
- Under the “Additional configuration” heading, look for the “Encryption” option.
- Select the option for “Encryption in transit”.
- Choose the appropriate encryption type (SSL/TLS) from the dropdown menu.
-
Save the Changes:
- Scroll to the bottom of the page and click on the “Continue” button.
- Review the changes you are about to make.
- Click on the “Modify DB Instance” button to apply the changes.
-
Monitor the Modification Progress:
- Wait for the modification process to complete. This may take a few minutes.
- You can monitor the progress in the RDS dashboard or through the “Modify” option.
-
Verify Encryption in Transit:
- Once the modification is complete, verify that encryption in transit is enabled for the RDS instance.
- You can check the encryption status in the RDS console or by connecting to the RDS instance and checking the encryption settings.
Using CLI
Using CLI
To remediate the misconfiguration of MSK Cluster Encryption In Transit not being enabled for AWS RDS using AWS CLI, you can follow these steps:Make sure to replace Replace Replace
- Open the AWS CLI and run the following command to enable encryption in transit for the MSK cluster:
your-db-cluster-name with the actual name of your RDS DB cluster.- Wait for the modification to be completed. You can check the status of the modification by running the following command:
your-db-cluster-name with the actual name of your RDS DB cluster.- Once the modification is completed, verify that encryption in transit is enabled for the MSK cluster by running the following command:
your-db-cluster-name with the actual name of your RDS DB cluster.By following these steps, you can successfully remediate the misconfiguration of MSK Cluster Encryption In Transit not being enabled for AWS RDS using AWS CLI.Using Python
Using Python
To remediate the misconfiguration of MSK Cluster Encryption In Transit not being enabled for AWS RDS using Python, you can follow these steps:By following these steps, you can remediate the misconfiguration of MSK Cluster Encryption In Transit not being enabled for AWS RDS using Python.
- Import the necessary libraries:
- Initialize the AWS RDS client:
- Get a list of all RDS instances:
- Iterate through each RDS instance and enable encryption in transit for MSK Cluster:
- Verify that encryption in transit for MSK Cluster is enabled by checking the DB instance details: