Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a service that is fully managed, facilitating the development and execution of applications processing streaming data through Apache Kafka. Control-plane operations, including creation, update, and deletion of clusters, are offered by Amazon MSK. The service permits the utilization of Apache Kafka data-plane operations, encompassing data production and consumption. It operates on open-source versions of Apache Kafka, ensuring compatibility with existing applications, tooling, and plugins from both partners and the Apache Kafka community, eliminating the need for alterations in the application code.
In terms of reliability, Amazon MSK is designed to automatically detect and recover from prevalent cluster failure scenarios, ensuring that producer and consumer applications persist in their data writing and reading activities with minimal disruption. Moreover, it aims to optimize data replication processes by attempting to reuse the storage of replaced brokers, thereby minimizing the volume of data that needs to be replicated by Apache Kafka.
There are 2 types of Kafka clusters that AWS allows to create: Provisioned and Serverless.
From the point of view of an attacker you need to know that:
Serverless cannot be directly public (it can only run in a VPN without any publicly exposed IP). However, Provisioned can be configured to get a public IP (by default it doesn't) and configure the security group to expose the relevant ports.
Serverless only support IAM as authentication method. Provisioned support SASL/SCRAM (password) authentication, IAM authentication, AWS Certificate Manager (ACM) authentication and Unauthenticated access.
Note that it's not possible to expose publicly a Provisioned Kafka if unauthenticated access is enabled
If you are going to have access to the VPC where a Provisioned Kafka is, you could enable unauthorised access, if SASL/SCRAM authentication, read the password from the secret, give some other controlled user IAM permissions (if IAM or serverless used) or persist with certificates.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
