AWS Security Hub · MSK
MSK.6: MSK clusters should disable unauthenticated access
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub MSK.6 check?
MSK.6 fails when a cluster permits unauthenticated access — its client-authentication configuration leaves the unauthenticated option enabled, letting clients connect without presenting any credential.
Why does MSK.6 matter?
Unauthenticated access has outsized blast radius: it makes network reachability the only thing an attacker needs. A peering connection, a new VPN route, or a compromised app host inside the VPC then becomes full read and write access to the event stream, because the cluster never asks for a credential. Requiring IAM, SASL/SCRAM, or mutual TLS restores credential-based access control.
How do I fix MSK.6?
- Inspect the cluster's client-authentication settings to confirm unauthenticated access is on.
- Enable one of the supported mechanisms — IAM, SASL/SCRAM, or mutual TLS — and roll clients onto it.
- Disable unauthenticated access only once every producer and consumer authenticates, so that no live traffic is dropped; verify with describe-cluster that the Unauthenticated option now reads disabled.
- Default new clusters to authenticated-only access.
Remediation script · bash
# Disable the unauthenticated listener on an MSK cluster while keeping IAM auth.
# The --client-authentication payload states the full desired configuration, so any
# mechanism that must stay on (here IAM) is restated rather than assumed. Run this only
# after every producer and consumer already authenticates.
ARN=arn:aws:kafka:us-east-1:111122223333:cluster/orders-stream-prod/abc123
VERSION=$(aws kafka describe-cluster-v2 --cluster-arn "$ARN" \
  --query 'ClusterInfo.CurrentVersion' --output text)
aws kafka update-security --cluster-arn "$ARN" --current-version "$VERSION" \
  --client-authentication '{"Sasl":{"Iam":{"Enabled":true}},"Unauthenticated":{"Enabled":false}}'
# Companion steps from the same lesson for API services (they are not part of the MSK.6 fix):
# attach a JWT authorizer to an open API Gateway route, then redeploy the stage to enforce it,
aws apigatewayv2 update-route --api-id a1b2c3d4e5 \
  --route-id r7h8j9 --authorization-type JWT --authorizer-id auth9z8y
aws apigatewayv2 create-deployment --api-id a1b2c3d4e5 --stage-name '$default'
# and, once clients send the new credential, remove the AppSync API key.
aws appsync delete-api-key --api-id abcd1234efgh5678ijkl --id da2-examplekeyid12345
Full walkthrough (console steps, edge cases and verification) in the lesson Require authentication on data and API services.
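As an added example (not from the page, from AWS or from Security Hub), the following Python evaluates the MSK.6 condition against the JSON shape that `aws kafka describe-cluster` returns and builds the update-security payload without dropping a mechanism that is already enabled. It also handles the failure mode the steps above guard against: a cluster with no IAM, SASL/SCRAM or mTLS enabled must not have unauthenticated access switched off until one is, or every client is locked out. The two sample clusters are constructed; the field names follow the MSK ClientAuthentication structure used in the script above (Sasl.Iam, Sasl.Scram, Tls, Unauthenticated).

```python
"""Evaluate MSK.6 and build a safe update-security payload.

Added example, not AWS or Security Hub code. The sample JSON is constructed to
mirror the ClientAuthentication shape returned by `aws kafka describe-cluster`.
"""
import json
from typing import Dict, List, Optional

# Constructed sample: IAM is enabled, but unauthenticated clients are still accepted.
SAMPLE_DESCRIBE_CLUSTER = json.dumps({
    "ClusterInfo": {
        "ClusterArn": "arn:aws:kafka:us-east-1:111122223333:cluster/orders-stream-prod/abc123",
        "CurrentVersion": "K3T4TT2Z381HKD",
        "ClientAuthentication": {
            "Sasl": {"Iam": {"Enabled": True}, "Scram": {"Enabled": False}},
            "Tls": {"Enabled": False, "CertificateAuthorityArnList": []},
            "Unauthenticated": {"Enabled": True},
        },
    }
})

# Constructed sample: unauthenticated only, nothing to fall back on yet.
SAMPLE_OPEN_ONLY = json.dumps({
    "ClusterInfo": {
        "ClusterArn": "arn:aws:kafka:us-east-1:111122223333:cluster/legacy-events/def456",
        "CurrentVersion": "K2EUQ1WTGCTBG2",
        "ClientAuthentication": {"Unauthenticated": {"Enabled": True}},
    }
})


def enabled_mechanisms(client_auth: Dict) -> List[str]:
    """List the credential-based mechanisms currently enabled on the cluster."""
    mechanisms = []
    sasl = client_auth.get("Sasl", {})
    if sasl.get("Iam", {}).get("Enabled"):
        mechanisms.append("IAM")
    if sasl.get("Scram", {}).get("Enabled"):
        mechanisms.append("SASL/SCRAM")
    if client_auth.get("Tls", {}).get("Enabled"):
        mechanisms.append("mTLS")
    return mechanisms


def msk6_fails(client_auth: Dict) -> bool:
    """MSK.6 fails whenever Unauthenticated is enabled, whatever else is on."""
    return bool(client_auth.get("Unauthenticated", {}).get("Enabled", False))


def hardened_client_auth(client_auth: Dict) -> Dict:
    """Build the --client-authentication payload with Unauthenticated disabled.

    Every mechanism that is currently enabled is restated so the update keeps it.
    Raises if nothing credential-based is enabled, because disabling the
    unauthenticated listener then would cut off every client.
    """
    if not enabled_mechanisms(client_auth):
        raise ValueError("enable IAM, SASL/SCRAM or mTLS and migrate clients before disabling unauthenticated access")
    payload: Dict = {"Unauthenticated": {"Enabled": False}}
    sasl = client_auth.get("Sasl", {})
    kept_sasl = {}
    if sasl.get("Iam", {}).get("Enabled"):
        kept_sasl["Iam"] = {"Enabled": True}
    if sasl.get("Scram", {}).get("Enabled"):
        kept_sasl["Scram"] = {"Enabled": True}
    if kept_sasl:
        payload["Sasl"] = kept_sasl
    tls = client_auth.get("Tls", {})
    if tls.get("Enabled"):
        payload["Tls"] = {"Enabled": True,
                          "CertificateAuthorityArnList": tls.get("CertificateAuthorityArnList", [])}
    return payload


def evaluate(describe_output: str) -> Dict:
    """Return the MSK.6 verdict plus either an update payload or the blocker preventing one."""
    info = json.loads(describe_output)["ClusterInfo"]
    auth = info.get("ClientAuthentication", {})
    result: Dict = {
        "arn": info["ClusterArn"],
        "current_version": info["CurrentVersion"],
        "fails": msk6_fails(auth),
        "enabled": enabled_mechanisms(auth),
        "update_payload": None,
        "blocker": None,
    }
    if result["fails"]:
        try:
            result["update_payload"] = hardened_client_auth(auth)
        except ValueError as exc:
            result["blocker"] = str(exc)
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_DESCRIBE_CLUSTER, SAMPLE_OPEN_ONLY):
        r = evaluate(sample)
        print(json.dumps(r, indent=2))
        if r["update_payload"]:
            print("aws kafka update-security --cluster-arn", r["arn"],
                  "--current-version", r["current_version"],
                  "--client-authentication", json.dumps(r["update_payload"], separators=(",", ":")))
```

In practice, feed `evaluate` the output of `aws kafka describe-cluster --cluster-arn <arn>`; the printed command is the same update-security call as in the remediation script, with the payload derived from the live configuration instead of typed by hand.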
Is MSK.6 a false positive?
Teams justify it with 'it's only reachable inside the VPC', but the control exists precisely because that assumption fails the moment any new network path into the VPC appears.