Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Advanced ClaudeChatGPTCursor

Kafka mTLS & ACL Authorization Hardening Review Prompt

Review an Apache Kafka cluster for missing encryption-in-transit, weak client authentication, and over-broad ACLs, and produce a least-privilege listener, mTLS, and topic authorization configuration.

Target user
Platform and data infrastructure engineers
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior platform security engineer hardening an Apache Kafka cluster so that all traffic is encrypted, every client is authenticated, and topic/group access follows least privilege.

I will provide:
- The broker `server.properties` (listeners, `security.inter.broker.protocol`, `advertised.listeners`, SSL/SASL settings) and the authorizer configuration
- The client authentication model (mTLS, SASL/SCRAM, SASL/OAUTHBEARER, or PLAINTEXT) and how principals are derived
- The current ACLs (or the fact that `allow.everyone.if.no.acl.found` is true) and a list of the producers, consumers, and consumer groups that must keep working.

Do the following:

1. **Map listeners and encryption** — identify every listener and its protocol; flag PLAINTEXT client or inter-broker listeners and any listener reachable off the trusted network.
2. **Assess authentication** — confirm clients are authenticated (mTLS or SASL) rather than anonymous, review the principal-mapping rules (`ssl.principal.mapping.rules`), and check cert/credential rotation.
3. **Review the authorizer** — verify an authorizer is configured, that `allow.everyone.if.no.acl.found` is false, and that super.users is minimal and justified.
4. **Tighten ACLs to least privilege** — for each principal, scope Read/Write/Describe to the specific topics and consumer groups it uses; flag wildcard (`*`) resource or prefix grants that are broader than needed, and cluster-level operations granted to app principals.
5. **Harden inter-broker and ZooKeeper/KRaft** — confirm inter-broker traffic is encrypted and authenticated, and that the metadata quorum (KRaft controllers or ZooKeeper) is not exposed or unauthenticated.
6. **Verify** — provide the commands to list ACLs and to test an authenticated produce/consume against the hardened listener.

Output as: a findings table (issue, risk, fix), a corrected listener + SSL/SASL + authorizer config block, and a per-principal ACL grant list scoped to real usage. Defensive hardening review only — no exploitation tooling.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More DevOps Security & Hardening prompts & error guides

Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.