Compliance · Critical severity

AWS Security Hub · MSK

MSK.4: An MSK cluster allows public access

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub MSK.4 check?

MSK.4 fails when an Amazon MSK cluster has public access enabled, that is, when the PublicAccess type in its broker connectivity settings is SERVICE_PROVIDED_EIPS rather than DISABLED. That exposes the brokers to the public internet.

Why does MSK.4 matter?

A publicly reachable Kafka cluster puts your event stream — and whatever flows through it — directly in front of internet-based attackers probing for weak authentication. Even with auth required, public exposure removes the network barrier that should be the first line of defence. Keeping connectivity private means an attacker needs presence inside the VPC before they can reach a broker.

How do I fix MSK.4?

  1. Run describe-cluster to confirm whether connectivity is SERVICE_PROVIDED_EIPS.
  2. Use update-connectivity to set public access to DISABLED.
  3. Confirm the operation completed with describe-cluster-operation.
  4. Keep the layered controls — authentication, encryption in transit — in place as defence in depth.
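The three CLI steps above as one script, added here as an example and not Emnode's own code. It assumes `aws` is configured with kafka:DescribeCluster, kafka:UpdateConnectivity and kafka:DescribeClusterOperation permissions, and takes the cluster ARN as its only argument.

```shell
#!/usr/bin/env bash
# Added example, not from the page: walk the MSK.4 fix steps for one cluster.
# Assumes `aws` is configured with kafka:DescribeCluster, kafka:UpdateConnectivity
# and kafka:DescribeClusterOperation.
set -eu

# Pure decision function: does this PublicAccess.Type value fail MSK.4?
# No AWS calls here, so the logic can be checked without credentials.
msk4_fails() {
  case "$1" in
    SERVICE_PROVIDED_EIPS) return 0 ;;   # brokers reachable from the internet
    DISABLED|None|"")      return 1 ;;   # private, or field absent (CLI prints None)
    *) echo "unexpected PublicAccess.Type: $1" >&2; return 2 ;;
  esac
}

remediate_msk4() {
  arn="$1"
  # Step 1: confirm current connectivity.
  pa_type=$(aws kafka describe-cluster --cluster-arn "$arn" \
    --query 'ClusterInfo.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type' --output text)
  rc=0
  msk4_fails "$pa_type" || rc=$?
  case "$rc" in
    1) echo "$arn: public access is $pa_type, nothing to do"; return 0 ;;
    2) return 1 ;;
  esac
  # Step 2: disable public access; update-connectivity needs the cluster's CurrentVersion.
  version=$(aws kafka describe-cluster --cluster-arn "$arn" \
    --query 'ClusterInfo.CurrentVersion' --output text)
  op_arn=$(aws kafka update-connectivity --cluster-arn "$arn" --current-version "$version" \
    --connectivity-info '{"PublicAccess":{"Type":"DISABLED"}}' \
    --query 'ClusterOperationArn' --output text)
  # Step 3: poll the operation until it settles.
  while :; do
    state=$(aws kafka describe-cluster-operation --cluster-operation-arn "$op_arn" \
      --query 'ClusterOperationInfo.OperationState' --output text)
    case "$state" in
      UPDATE_COMPLETE) echo "$arn: public access disabled"; return 0 ;;
      UPDATE_FAILED)   echo "$arn: update failed, inspect $op_arn" >&2; return 1 ;;
      *)               sleep 30 ;;
    esac
  done
}

# Usage: ./msk4_remediate.sh arn:aws:kafka:REGION:ACCOUNT_ID:cluster/NAME/UUID  (placeholder ARN)
if [ "$#" -ge 1 ]; then
  remediate_msk4 "$1"
fi
```

Re-run describe-cluster afterwards and re-check Security Hub; the finding resolves on its next evaluation once the operation reports UPDATE_COMPLETE.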

Remediation script · bash

# Close the highest-impact public exposure first: databases.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --no-publicly-accessible --apply-immediately
  echo "$db: public access removed"
done

# Ratchet S3 shut at the account level so no bucket can be made public again.
aws s3control put-public-access-block --account-id 123456789012 \
  --public-access-block-configuration \
    'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'

Full walkthrough (console steps, edge cases and verification) in the lesson Block public access to AWS resources.

Is MSK.4 a false positive?

Public access cannot be enabled when a cluster is created. AWS only permits it through a later update, and only once authentication, encryption in transit and disabled unauthenticated access are all configured. A public cluster is therefore always the result of a deliberate post-creation change.

Part of the learning path Trim your network spend
  • MSK.1 MSK should encrypt in transit among broker nodes
  • MSK.3 MSK Connect connectors encrypted in transit
  • MSK.5 MSK connectors should have logging
  • MSK.6 MSK clusters should disable unauthenticated access