AWS - MSK Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Amazon MSK

Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a service that is fully managed, facilitating the development and execution of applications processing streaming data through Apache Kafka. Control-plane operations, including creation, update, and deletion of clusters, are offered by Amazon MSK. The service permits the utilization of Apache Kafka data-plane operations, encompassing data production and consumption. It operates on open-source versions of Apache Kafka, ensuring compatibility with existing applications, tooling, and plugins from both partners and the Apache Kafka community, eliminating the need for alterations in the application code.

In terms of reliability, Amazon MSK is designed to automatically detect and recover from prevalent cluster failure scenarios, ensuring that producer and consumer applications persist in their data writing and reading activities with minimal disruption. Moreover, it aims to optimize data replication processes by attempting to reuse the storage of replaced brokers, thereby minimizing the volume of data that needs to be replicated by Apache Kafka.


There are 2 types of Kafka clusters that AWS allows to create: Provisioned and Serverless.

From the point of view of an attacker you need to know that:

  • Serverless cannot be directly public (it can only run in a VPN without any publicly exposed IP). However, Provisioned can be configured to get a public IP (by default it doesn't) and configure the security group to expose the relevant ports.

  • Serverless only support IAM as authentication method. Provisioned support SASL/SCRAM (password) authentication, IAM authentication, AWS Certificate Manager (ACM) authentication and Unauthenticated access.

    • Note that it's not possible to expose publicly a Provisioned Kafka if unauthenticated access is enabled


#Get clusters
aws kafka list-clusters
aws kafka list-clusters-v2

# Check the supported authentication
aws kafka list-clusters |  jq -r ".ClusterInfoList[].ClientAuthentication"

# Get Zookeeper endpoints
aws kafka list-clusters | jq -r ".ClusterInfoList[].ZookeeperConnectString, .ClusterInfoList[].ZookeeperConnectStringTls"

# Get nodes and node enspoints
aws kafka kafka list-nodes --cluster-arn <cluster-arn>
aws kafka kafka list-nodes --cluster-arn <cluster-arn> | jq -r ".NodeInfoList[].BrokerNodeInfo.Endpoints" # Get endpoints

# Get used kafka configs
aws kafka list-configurations #Get Kafka config file
aws kafka describe-configuration --arn <config-arn> # Get version of config
aws kafka describe-configuration-revision --arn <config-arn> --revision <version> # Get content of config version

# If using SCRAN authentication, get used AWS secret name (not secret value)
aws kafka list-scram-secrets --cluster-arn <cluster-arn>

Kafka IAM Access (in serverless)

# Guide from
# Download Kafka
tar -xzf kafka_2.12-2.8.1.tgz

# In kafka_2.12-2.8.1/libs download the MSK IAM JAR file. 
cd kafka_2.12-2.8.1/libs

# Create file in kafka_2.12-2.8.1/bin
sasl.mechanism=AWS_MSK_IAM required;

# Export endpoints address
## Make sure you will be able to access the port 9098 from the EC2 instance (check VPS, subnets and SG)

# Create a topic called msk-serverless-tutorial
kafka_2.12-2.8.1/bin/ --bootstrap-server $BS --command-config --create --topic msk-serverless-tutorial --partitions 6

# Send message of every new line
kafka_2.12-2.8.1/bin/ --broker-list $BS --producer.config --topic msk-serverless-tutorial

# Read messages
kafka_2.12-2.8.1/bin/ --bootstrap-server $BS --consumer.config --topic msk-serverless-tutorial --from-beginning


pageAWS - MSK Privesc

Unauthenticated Access

pageAWS - MSK Unauthenticated Enum


If you are going to have access to the VPC where a Provisioned Kafka is, you could enable unauthorised access, if SASL/SCRAM authentication, read the password from the secret, give some other controlled user IAM permissions (if IAM or serverless used) or persist with certificates.


Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Last updated