Ensure No EC2 Instances Allow Ingress from the Internet to TCP Port 9092 (Kafka)
Overview
This check identifies EC2 instances with security group rules that allow inbound traffic on TCP port 9092 (Kafka) from the internet. Kafka is a distributed streaming platform used to build real-time data pipelines. Exposing Kafka directly to the internet is a critical security risk.
Risk
When Kafka port 9092 is exposed to the internet (0.0.0.0/0 or ::/0), attackers can:
- Read your data: Consume any topic and read broker metadata. Kafka's default listener is PLAINTEXT, so a broker that has not been configured for SASL or mutual TLS accepts every connection as an unauthenticated client
- Modify your data: Publish fake events or alter existing data streams
- Disrupt your service: Launch denial-of-service attacks against your brokers
- Move laterally: Use compromised brokers as a foothold to attack other systems
This is rated as critical severity because it can lead to data leakage, corruption, and loss.
Remediation Steps
Prerequisites
You need permission to modify EC2 security groups in your AWS account. Typically, you need the ec2:RevokeSecurityGroupIngress and ec2:AuthorizeSecurityGroupIngress permissions.
Required IAM permissions
Your IAM user or role needs these permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupIngress"
      ],
      "Resource": "*"
    }
  ]
}
AWS Console Method
- Sign in to the AWS Console and go to EC2
- In the left navigation, click Security Groups (under Network & Security)
- Find the security groups attached to the affected EC2 instance (an instance can have several; check each one)
- Select the security group and click the Inbound rules tab
- Look for rules with:
  - Port range: 9092, any range that includes 9092 (for example 9000-9999), or All traffic
  - Source: 0.0.0.0/0 or ::/0
- Click Edit inbound rules
- Delete the rule that allows port 9092 from 0.0.0.0/0 or ::/0
- Add a new rule (if Kafka access is still needed):
  - Type: Custom TCP
  - Port range: 9092
  - Source: your VPC CIDR, the security group of the Kafka client instances, or specific trusted IP addresses (10.0.0.0/8 appears on this page as a placeholder; use the narrowest range that covers your clients)
  - Description: "Kafka access from trusted network"
- Click Save rules
AWS CLI (optional)
Step 1: Identify the problematic security group
This filter selects groups that have a rule starting at port 9092, a rule ending at port 9092 and a rule sourced from 0.0.0.0/0. AWS does not guarantee that all three conditions are met by the same rule, and ip-permission.cidr matches IPv4 sources only (use ip-permission.ipv6-cidr with ::/0 for IPv6), so treat the output as a candidate list and confirm the actual rule before revoking anything:
aws ec2 describe-security-groups \
  --region us-east-1 \
  --filters "Name=ip-permission.from-port,Values=9092" \
            "Name=ip-permission.to-port,Values=9092" \
            "Name=ip-permission.cidr,Values=0.0.0.0/0" \
  --query "SecurityGroups[*].[GroupId,GroupName]" \
  --output table
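As an added example (not code from this page or from Prowler), the following Python evaluates the SecurityGroups list that describe-security-groups returns the way a reviewer would: any rule whose port range includes 9092, or whose protocol is -1, counts as covering Kafka; both IPv4 and IPv6 sources are checked; and cli_filter_match reproduces the group-level matching of the CLI filter above to show where it over- and under-reports. The group IDs and CIDRs in SAMPLE_GROUPS are constructed for illustration, and load_live is an optional boto3 helper (imported lazily so the sample runs offline); it also serves as the CLI verification step later on this page.

```python
"""Find security groups that expose TCP/9092 (Kafka) to the internet.

Added example, not part of the original page or of Prowler. Operates on the
SecurityGroups list printed by `aws ec2 describe-security-groups`, so saved
JSON can be evaluated offline; SAMPLE_GROUPS below is constructed data.
"""
from __future__ import annotations

import ipaddress

KAFKA_PORT = 9092


def covers_port(perm: dict, port: int) -> bool:
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                  # "All traffic": every protocol, every port
        return True
    if proto not in ("tcp", "6"):      # protocol may be given by name or number
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def internet_sources(perm: dict) -> list[str]:
    """CIDR sources in this entry that mean 'anywhere' (a /0 in IPv4 or IPv6)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def find_exposed(groups: list[dict], port: int = KAFKA_PORT) -> list[dict]:
    """One finding per (group, rule, source) that opens `port` to the internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not covers_port(perm, port):
                continue
            for cidr in internet_sources(perm):
                findings.append({
                    "GroupId": sg["GroupId"],
                    "IpProtocol": perm["IpProtocol"],
                    "FromPort": perm.get("FromPort"),   # None for All-traffic rules
                    "ToPort": perm.get("ToPort"),
                    "Source": cidr,
                })
    return findings


def cli_filter_match(groups: list[dict], port: int = KAFKA_PORT) -> list[str]:
    """Reproduce the CLI filter semantics: each condition is matched against the
    group's rules as a whole, so three different rules can satisfy the three
    filters. IPv6 sources and port ranges are not considered at all."""
    out = []
    for sg in groups:
        perms = sg.get("IpPermissions", [])
        has_from = any(p.get("FromPort") == port for p in perms)
        has_to = any(p.get("ToPort") == port for p in perms)
        has_any = any(r["CidrIp"] == "0.0.0.0/0"
                      for p in perms for r in p.get("IpRanges", []))
        if has_from and has_to and has_any:
            out.append(sg["GroupId"])
    return out


# Constructed sample (hypothetical group IDs), shaped like API output.
SAMPLE_GROUPS = [
    {   # exposed: the textbook rule the CLI filter catches
        "GroupId": "sg-0a1",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 9092, "ToPort": 9092,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
    {   # NOT exposed, yet selected by the CLI filter: 9092 from the VPC, 443 from anywhere
        "GroupId": "sg-0b2",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 9092, "ToPort": 9092,
             "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # exposed over IPv6 through a port range; the CLI filter misses it
        "GroupId": "sg-0c3",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9999,
                           "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
    },
    {   # exposed by an All-traffic rule (no FromPort/ToPort keys at all)
        "GroupId": "sg-0d4",
        "IpPermissions": [{"IpProtocol": "-1",
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
]


def load_live(region: str) -> list[dict]:
    """Fetch real groups with boto3 (imported lazily so the offline sample still runs)."""
    import boto3
    paginator = boto3.client("ec2", region_name=region).get_paginator("describe_security_groups")
    return [sg for page in paginator.paginate() for sg in page["SecurityGroups"]]


if __name__ == "__main__":
    for finding in find_exposed(SAMPLE_GROUPS):
        print(finding)
    print("CLI filter would select:", cli_filter_match(SAMPLE_GROUPS))
```

Running it on the sample reports sg-0a1, sg-0c3 and sg-0d4 as exposed, while the reproduced CLI filter selects sg-0a1 and the clean sg-0b2; replace SAMPLE_GROUPS with load_live("us-east-1") to evaluate a real account.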
Step 2: Remove the internet-exposed rule
Replace <SECURITY_GROUP_ID> with your security group ID. A revoke only removes a rule whose protocol, port range and source match exactly, so if the exposed rule spans a wider range (for example 9000-9999) or is an All traffic rule, pass those values instead of --protocol tcp --port 9092:
# Remove IPv4 internet access
aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id <SECURITY_GROUP_ID> \
  --protocol tcp \
  --port 9092 \
  --cidr 0.0.0.0/0
# Remove IPv6 internet access (if applicable)
aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id <SECURITY_GROUP_ID> \
  --protocol tcp \
  --port 9092 \
  --cidr ::/0
Step 3: Add a restricted rule (if needed)
Replace <TRUSTED_CIDR> with your VPC CIDR or a trusted IP range. Where the Kafka clients run in AWS, referencing their security group with --source-group <CLIENT_SG_ID> instead of --cidr is tighter, because membership follows the instances rather than an address range:
aws ec2 authorize-security-group-ingress \
  --region us-east-1 \
  --group-id <SECURITY_GROUP_ID> \
  --protocol tcp \
  --port 9092 \
  --cidr <TRUSTED_CIDR>
CloudFormation (optional)
Use this template to create a security group with restricted Kafka access:
AWSTemplateFormatVersion: '2010-09-09'
Description: Security group with restricted Kafka access
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC ID where the security group will be created
  TrustedCidr:
    Type: String
    Default: 10.0.0.0/8
    Description: CIDR block allowed to access Kafka (the default is a placeholder; narrow it to your VPC CIDR)
Resources:
  KafkaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for Kafka brokers with restricted access
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 9092
          ToPort: 9092
          CidrIp: !Ref TrustedCidr
          Description: Kafka access from trusted network only
      Tags:
        - Key: Name
          Value: kafka-restricted-sg
Outputs:
  SecurityGroupId:
    Description: Security group ID
    Value: !Ref KafkaSecurityGroup
Deploy with:
aws cloudformation deploy \
--region us-east-1 \
--template-file kafka-sg.yaml \
--stack-name kafka-security-group \
--parameter-overrides VpcId=<YOUR_VPC_ID> TrustedCidr=10.0.0.0/8
Terraform (optional)
variable "vpc_id" {
  description = "VPC ID where the security group will be created"
  type        = string
}

variable "trusted_cidr_blocks" {
  description = "CIDR blocks allowed to access Kafka (the default is a placeholder; narrow it to your VPC CIDR)"
  type        = list(string)
  default     = ["10.0.0.0/8"]
}

resource "aws_security_group" "kafka" {
  name        = "kafka-restricted-sg"
  description = "Security group for Kafka brokers with restricted access"
  vpc_id      = var.vpc_id

  ingress {
    description = "Kafka access from trusted network only"
    from_port   = 9092
    to_port     = 9092
    protocol    = "tcp"
    cidr_blocks = var.trusted_cidr_blocks
  }

  # Terraform removes the AWS default allow-all egress rule when inline blocks are
  # used, so it is restated here; narrow it if the brokers only need known endpoints.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "kafka-restricted-sg"
  }
}

output "security_group_id" {
  description = "ID of the Kafka security group"
  value       = aws_security_group.kafka.id
}
Verification
After making changes, verify that the rule has been removed:
- Go to EC2 > Security Groups in the AWS Console
- Select the security group you modified
- Check the Inbound rules tab
- Confirm there are no rules allowing port 9092 (or a range containing it, or All traffic) from 0.0.0.0/0 or ::/0
CLI verification
Run these commands to check for remaining internet-exposed Kafka rules. The first matches IPv4 sources; the second uses ip-permission.ipv6-cidr, because ip-permission.cidr never matches ::/0:
aws ec2 describe-security-groups \
  --region us-east-1 \
  --filters "Name=ip-permission.from-port,Values=9092" \
            "Name=ip-permission.to-port,Values=9092" \
            "Name=ip-permission.cidr,Values=0.0.0.0/0" \
  --query "SecurityGroups[*].GroupId" \
  --output text
aws ec2 describe-security-groups \
  --region us-east-1 \
  --filters "Name=ip-permission.from-port,Values=9092" \
            "Name=ip-permission.to-port,Values=9092" \
            "Name=ip-permission.ipv6-cidr,Values=::/0" \
  --query "SecurityGroups[*].GroupId" \
  --output text
Empty output means no group has a rule with exactly port 9092 open to the internet. A rule that opens a wider port range (for example 9000-9999) or All traffic to 0.0.0.0/0 still exposes Kafka but is not matched by these filters, so inspect each group's rules as well.
You can also re-run the Prowler check:
prowler aws --checks ec2_instance_port_kafka_exposed_to_internet --region us-east-1
Additional Resources
- AWS Security Groups Documentation
- AWS VPC Security Best Practices
- Apache Kafka Security Documentation
- Prowler Check Documentation
Notes
- Service disruption warning: Removing internet access to Kafka will disconnect any clients connecting from outside your VPC. Ensure you have alternative connectivity (VPN, VPC peering, PrivateLink) before making changes.
- Multiple security groups: An EC2 instance can have multiple security groups, and the rules of all attached groups are combined, so a permissive rule in any one of them exposes the port. Check every attached security group for exposed Kafka ports.
- Defense in depth: Consider additional security measures such as:
- Moving Kafka brokers to private subnets
- Using AWS PrivateLink for cross-VPC access
- Enabling TLS encryption for Kafka connections
- Requiring client authentication (SASL or mutual TLS) and implementing Kafka ACLs for topic-level access control; ACLs only take effect for authenticated principals, since every client on a PLAINTEXT listener is treated as anonymous
- Adding Network ACLs as an additional layer of protection
Compliance
This check helps meet requirements in the following frameworks:
- C5
- ISO27001
- KISA-ISMS-P
- NIS2
- SOC2