MSK Connect connectors should be encrypted in transit¶

This control checks whether an Amazon MSK Connect connector is encrypted in transit. This control fails if the connector isn't encrypted in transit.

How to fix¶

Attribute kafka_cluster_encryption_in_transit[0].encryption_type of aws_mskconnect_connector must be "TLS".

Implementation options¶

Choose the option that matches how you manage Terraform. All options satisfy this control.

Option 1: Terraform AWS provider resources¶

If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_mskconnect_connector.

resource "aws_mskconnect_connector" "this" {
  capacity {
    provisioned_capacity {
      mcu_count    = 1
      worker_count = 1
    }
  }
  connector_configuration = { "topic" = "pofix-example-topic" }

  kafka_cluster {
    apache_kafka_cluster {
      bootstrap_servers = "b-1.example.kafka.us-east-1.amazonaws.com:9092"

      vpc {
        security_groups = ["sg-12345678"]
        subnets         = ["subnet-12345678"]
      }
    }
  }

  kafka_cluster_client_authentication {
    authentication_type = "NONE"
  }

  kafkaconnect_version = "2.7.1"
  name                 = "pofix-example-connector"

  plugin {
    custom_plugin {
      arn      = "arn:aws:kafkaconnect:us-east-1:123456789012:custom-plugin/example/1"
      revision = 1
    }
  }

  service_execution_role_arn = "arn:aws:iam::123456789012:role/mskconnect-role"

  kafka_cluster_encryption_in_transit {
    encryption_type = "TLS"
  }
}

Tool mappings¶

Use these identifiers to cross-reference this control across tools, reports, and evidence.

• Compliance.tf (CTF) Control: mskconnect_connector_encryption_in_transit_with_tls_enabled

• Powerpipe Control: aws_compliance.control.mskconnect_connector_encryption_in_transit_with_tls_enabled