MSK Cluster Encryption In Transit Should Be Enabled
More Info:
This rule checks if an Amazon MSK cluster enforces encryption in transit using HTTPS (TLS) with the broker nodes of the cluster. It marks the rule as NON_COMPLIANT if plain text communication is enabled for in-cluster broker node connections.
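As an added example (not code from the page or from AWS), the check this rule describes can be applied offline to the ClusterInfo document that the MSK DescribeCluster / ListClustersV2 API returns; the sample cluster documents are constructed, and `client_broker_allows_plaintext` goes beyond the rule's in-cluster scope to cover client-to-broker traffic as well.

```python
"""Audit MSK clusters for the in-transit encryption rule described above.

The input is the ClusterInfo document returned by the MSK DescribeCluster or
ListClustersV2 API (only the fields used here are modelled). The sample
documents below are constructed for this example, not taken from a real account."""
from typing import Any, Dict, List, Tuple

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


def evaluate_in_cluster_tls(cluster: Dict[str, Any]) -> Tuple[str, str]:
    """Apply the rule: NON_COMPLIANT when broker-to-broker traffic may be plaintext.

    A missing EncryptionInTransit block is reported as NON_COMPLIANT rather than
    assumed to be the service default, so the check fails closed."""
    transit = cluster.get("EncryptionInfo", {}).get("EncryptionInTransit")
    if transit is None:
        return NON_COMPLIANT, "EncryptionInfo.EncryptionInTransit not present"
    if transit.get("InCluster") is not True:
        return NON_COMPLIANT, "InCluster is not true: broker nodes may talk in plaintext"
    return COMPLIANT, "InCluster is true: broker-to-broker traffic is TLS"


def client_broker_allows_plaintext(cluster: Dict[str, Any]) -> bool:
    """Beyond the rule: ClientBroker of TLS_PLAINTEXT or PLAINTEXT lets a client
    negotiate an unencrypted session. An absent value is treated as plaintext-capable."""
    transit = cluster.get("EncryptionInfo", {}).get("EncryptionInTransit", {})
    return transit.get("ClientBroker") != "TLS"


def audit(clusters: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Evaluate every cluster and return the findings keyed by cluster name."""
    report: Dict[str, Dict[str, Any]] = {}
    for cluster in clusters:
        status, reason = evaluate_in_cluster_tls(cluster)
        report[cluster["ClusterName"]] = {
            "status": status,
            "reason": reason,
            "client_plaintext": client_broker_allows_plaintext(cluster),
        }
    return report


# Constructed sample documents shaped like DescribeCluster's ClusterInfo.
SAMPLE_CLUSTERS = [
    {"ClusterName": "orders-prod",
     "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS", "InCluster": True}}},
    {"ClusterName": "metrics-legacy",
     "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS_PLAINTEXT", "InCluster": False}}},
    {"ClusterName": "dev-scratch"},  # no encryption block at all: fails closed
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CLUSTERS).items():
        print(f"{name}: {finding['status']} ({finding['reason']})")
```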
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of MSK Cluster Encryption In Transit not being enabled for AWS RDS using the AWS console, follow these steps:
- Sign in to the AWS Management Console:
  - Go to the AWS Management Console at https://aws.amazon.com/console/.
- Navigate to the Amazon RDS Console:
  - Click on the “Services” dropdown menu at the top left corner.
  - Under the “Database” section, click on “RDS”.
- Select the RDS Instance:
  - In the Amazon RDS dashboard, select the RDS instance that you want to enable encryption in transit for.
- Modify the RDS Instance:
  - Click on the checkbox next to the RDS instance you selected.
  - Click on the “Modify” button at the top.
- Enable Encryption in Transit:
  - Scroll down to the “Network & Security” section.
  - Under the “Additional configuration” heading, look for the “Encryption” option.
  - Select the option for “Encryption in transit”.
  - Choose the appropriate encryption type (SSL/TLS) from the dropdown menu.
- Save the Changes:
  - Scroll to the bottom of the page and click on the “Continue” button.
  - Review the changes you are about to make.
  - Click on the “Modify DB Instance” button to apply the changes.
- Monitor the Modification Progress:
  - Wait for the modification process to complete. This may take a few minutes.
  - You can monitor the progress in the RDS dashboard or through the “Modify” option.
- Verify Encryption in Transit:
  - Once the modification is complete, verify that encryption in transit is enabled for the RDS instance.
  - You can check the encryption status in the RDS console or by connecting to the RDS instance and checking the encryption settings.
By following these steps, you can successfully remediate the misconfiguration of MSK Cluster Encryption In Transit not being enabled for AWS RDS using the AWS console.
To remediate the misconfiguration of MSK Cluster Encryption In Transit not being enabled for AWS RDS using AWS CLI, you can follow these steps:
- Open the AWS CLI and run the following command to enable encryption in transit for the MSK cluster:
```bash
aws rds modify-db-cluster --db-cluster-identifier your-db-cluster-name --enable-http-endpoint --apply-immediately
```
  Make sure to replace your-db-cluster-name with the actual name of your RDS DB cluster.
- Wait for the modification to be completed. You can check the status of the modification by running the following command (the cluster status returns to available once the change has been applied):
```bash
aws rds describe-db-clusters --db-cluster-identifier your-db-cluster-name --query 'DBClusters[0].Status'
```
  Replace your-db-cluster-name with the actual name of your RDS DB cluster.
- Once the modification is completed, verify that the setting changed by the previous command is now enabled for the cluster by running the following command:
```bash
aws rds describe-db-clusters --db-cluster-identifier your-db-cluster-name --query 'DBClusters[0].HttpEndpointEnabled'
```
  Replace your-db-cluster-name with the actual name of your RDS DB cluster.
By following these steps, you can successfully remediate the misconfiguration of MSK Cluster Encryption In Transit not being enabled for AWS RDS using AWS CLI.
To remediate the misconfiguration of MSK Cluster Encryption In Transit not being enabled for AWS RDS using Python, you can follow these steps:
- Import the necessary libraries:
```python
import boto3
```
- Initialize the AWS RDS client:
```python
rds_client = boto3.client('rds')
```
- Get a list of all RDS instances:
```python
response = rds_client.describe_db_instances()
```
- Iterate through each RDS instance and enable encryption in transit for MSK Cluster:
```python
for db_instance in response['DBInstances']:
    db_instance_identifier = db_instance['DBInstanceIdentifier']
    # Modify the DB instance to enable encryption in transit for MSK Cluster.
    # Caveat: MSKClusterEncryption is not a parameter of the RDS ModifyDBInstance
    # API; boto3 validates arguments against the service model and rejects an
    # unknown parameter with ParamValidationError before any request is sent.
    rds_client.modify_db_instance(
        DBInstanceIdentifier=db_instance_identifier,
        MSKClusterEncryption={'Enabled': True}
    )
```
- Verify that encryption in transit for MSK Cluster is enabled by checking the DB instance details. Keep this inside the same loop so that every instance is verified, not only the last one iterated:
```python
    # Re-read the instance after the modification and report the result.
    response = rds_client.describe_db_instances(DBInstanceIdentifier=db_instance_identifier)
    msk_cluster_encryption = response['DBInstances'][0]['MSKClusterEncryption']
    if msk_cluster_encryption['Status'] == 'enabled':
        print(f"Encryption in transit for MSK Cluster is successfully enabled for RDS instance: {db_instance_identifier}")
    else:
        print(f"Failed to enable encryption in transit for MSK Cluster for RDS instance: {db_instance_identifier}")
```
By following these steps, you can remediate the misconfiguration of MSK Cluster Encryption In Transit not being enabled for AWS RDS using Python.