Compliance Medium severity

AWS Security Hub · MSK

MSK.3: MSK Connect connectors encrypted in transit

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub MSK.3 check?

MSK.3 fails for any MSK Connect connector whose encryption in transit is not TLS, that is, whose connector configuration lets the traffic between the connector's workers and the Kafka cluster flow in plaintext. The connector does not have a separate TLS switch: the setting is the connector's encryption-in-transit type, chosen once when the connector is created.

Why does MSK.3 matter?

MSK Connect connectors move records between the cluster and external systems. Without encryption in transit, that traffic travels in plaintext, exposing the event data to anyone observing the network path. Because the setting is fixed at connector creation, a connector shipped without TLS is permanently non-compliant until it is rebuilt.

How do I fix MSK.3?

  1. Inspect each connector's configuration to confirm whether encryption in transit is enabled.
  2. Recreate any non-compliant connector with TLS enabled, since the setting cannot be changed after creation.
  3. Repoint the workload at the new connector and retire the old one.
  4. Add a preventive guardrail so new connectors are created with encryption in transit on, for example a check in the pipeline that creates connectors which rejects any connector spec whose encryption type is PLAINTEXT.
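The four steps as one runnable script. This is an added example, not Emnode's code or an AWS-provided tool: it reads the `kafkaClusterEncryptionInTransit.encryptionType` field that `aws kafkaconnect list-connectors` and `describe-connector` return, rebuilds a connector from a `create-connector` input document (`--cli-input-json`) with the type forced to TLS, verifies the replacement with the same check before suggesting deletion of the old one, and does a dry run on a constructed record so it can be exercised without AWS credentials. The connector name `orders-sink`, the ARN, the region and the spec file `orders-sink.json` are assumptions.

```bash
#!/usr/bin/env bash
# Added example for the MSK.3 procedure; not Emnode's code. Connector name,
# ARN, region and spec file name are assumptions, replace them with your own.
set -e

# Encryption type from a connector JSON record (a list-connectors summary or a
# describe-connector result): prints TLS or PLAINTEXT, nothing if the field is absent.
connector_encryption_type() {
  printf '%s' "$1" | tr -d '\n' |
    sed -n 's/.*"encryptionType"[[:space:]]*:[[:space:]]*"\([A-Z]*\)".*/\1/p'
}

# MSK.3 verdict for one record: PASSED only when encryption in transit is TLS.
msk3_status() {
  if [ "$(connector_encryption_type "$1")" = "TLS" ]; then
    echo PASSED
  else
    echo FAILED
  fi
}

# Step 2 helper: rewrite a create-connector input document (--cli-input-json)
# that asks for PLAINTEXT so that it asks for TLS. Connectors cannot be modified
# after creation, so the fixed document is used to create a replacement.
force_tls_in_spec() {
  sed 's/"encryptionType"[[:space:]]*:[[:space:]]*"PLAINTEXT"/"encryptionType": "TLS"/'
}

# Step 1: every connector in the region whose encryption in transit is not TLS.
list_plaintext_connectors() {
  aws kafkaconnect list-connectors \
    --query "connectors[?kafkaClusterEncryptionInTransit.encryptionType!='TLS'].[connectorName,connectorArn]" \
    --output text
}

# Steps 2 and 3: create the replacement from a TLS-forced spec, verify it, and
# only then retire the old connector. Give the spec a new connectorName so the
# two can coexist while the workload is repointed.
recreate_with_tls() {
  old_arn="$1"                      # ARN of the PLAINTEXT connector
  spec="$2"                         # e.g. orders-sink.json (hypothetical file)
  tls_spec="${spec%.json}-tls.json"
  force_tls_in_spec < "$spec" > "$tls_spec"

  new_arn=$(aws kafkaconnect create-connector \
    --cli-input-json "file://$tls_spec" --query connectorArn --output text)

  # Verify with the same check Security Hub applies before cutting over.
  new_record=$(aws kafkaconnect describe-connector --connector-arn "$new_arn")
  [ "$(msk3_status "$new_record")" = "PASSED" ] || { echo "replacement is not TLS" >&2; exit 1; }

  echo "replacement $new_arn is TLS; repoint the workload, then retire the old connector with:"
  echo "  aws kafkaconnect delete-connector --connector-arn $old_arn"
}

# Offline dry run on a constructed record (not real AWS output) so the script
# runs without credentials. Live run: ./msk3-remediate.sh apply <old-arn> <spec.json>
SAMPLE='{"connectorName":"orders-sink","connectorArn":"arn:aws:kafkaconnect:us-east-1:123456789012:connector/orders-sink/0f3a7c2e-1111-2222-3333-444455556666-4","kafkaClusterEncryptionInTransit":{"encryptionType":"PLAINTEXT"}}'
echo "orders-sink: $(msk3_status "$SAMPLE")"   # FAILED
if [ "${1:-}" = "apply" ]; then
  list_plaintext_connectors
  recreate_with_tls "$2" "$3"
fi
```

The script deliberately prints the `delete-connector` command instead of running it: step 3 (repointing the workload) sits between creation and deletion, and a sink that is deleted before its replacement is consuming loses the records in between. Running the same `msk3_status` check on the new connector's `describe-connector` output is the verification Security Hub will perform on its next evaluation, so a PASSED here means the finding will resolve rather than reappear on the replacement.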

Related remediation script · bash (enforces TLS on RDS, ElastiCache and Redshift connections; it does not apply to MSK Connect, whose encryption setting cannot be flipped in place)

# List RDS instances with their parameter group (the group decides whether
# rds.force_ssl is set) and ElastiCache replication groups created without
# in-transit encryption.
aws rds describe-db-instances \
  --query 'DBInstances[].[DBInstanceIdentifier,DBParameterGroups[0].DBParameterGroupName]' \
  --output text
aws elasticache describe-replication-groups \
  --query 'ReplicationGroups[?TransitEncryptionEnabled==`false`].ReplicationGroupId' \
  --output text

# RDS for PostgreSQL: require TLS via rds.force_ssl. The parameter is static,
# so it takes effect at the next reboot. A default.* parameter group cannot be
# edited; attach a custom group to the instance first if that is what is in use.
PG=$(aws rds describe-db-instances --db-instance-identifier prod-orders-pg \
  --query 'DBInstances[0].DBParameterGroups[0].DBParameterGroupName' --output text)
aws rds modify-db-parameter-group --db-parameter-group-name "$PG" \
  --parameters 'ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=pending-reboot'
aws rds reboot-db-instance --db-instance-identifier prod-orders-pg

# Redshift: set require_ssl on the custom cluster parameter group that is
# attached to the cluster, then reboot so the change takes effect.
aws redshift modify-cluster-parameter-group --parameter-group-name analytics-tls \
  --parameters ParameterName=require_ssl,ParameterValue=true
aws redshift reboot-cluster --cluster-identifier analytics-prod

Full walkthrough (console steps, edge cases and verification) in the lesson Enforce TLS on database and cache connections.

Is MSK.3 a false positive?

Rarely. Unlike most settings that you flip and re-apply, connector encryption in transit is immutable: there is no configuration drift to correct, so the finding is accurate whenever the connector's encryption type is PLAINTEXT. A connector created without TLS stays FAILED, and the only fix is to tear it down and recreate it with TLS.

Part of the learning path Encrypt everything
  • MSK.1 MSK should encrypt in transit among broker nodes
  • MSK.4 An MSK cluster allows public access
  • MSK.5 MSK connectors should have logging
  • MSK.6 MSK clusters should disable unauthenticated access