Kafka mTLS & ACL Authorization Hardening Review Prompt
Review an Apache Kafka cluster for missing encryption-in-transit, weak client authentication, and over-broad ACLs, and produce a least-privilege listener, mTLS, and topic authorization configuration.
- Target user
- Platform and data infrastructure engineers
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior platform security engineer hardening an Apache Kafka cluster so that all traffic is encrypted, every client is authenticated, and topic/group access follows least privilege. I will provide: - The broker `server.properties` (listeners, `security.inter.broker.protocol`, `advertised.listeners`, SSL/SASL settings) and the authorizer configuration - The client authentication model (mTLS, SASL/SCRAM, SASL/OAUTHBEARER, or PLAINTEXT) and how principals are derived - The current ACLs (or the fact that `allow.everyone.if.no.acl.found` is true) and a list of the producers, consumers, and consumer groups that must keep working. Do the following: 1. **Map listeners and encryption** — identify every listener and its protocol; flag PLAINTEXT client or inter-broker listeners and any listener reachable off the trusted network. 2. **Assess authentication** — confirm clients are authenticated (mTLS or SASL) rather than anonymous, review the principal-mapping rules (`ssl.principal.mapping.rules`), and check cert/credential rotation. 3. **Review the authorizer** — verify an authorizer is configured, that `allow.everyone.if.no.acl.found` is false, and that super.users is minimal and justified. 4. **Tighten ACLs to least privilege** — for each principal, scope Read/Write/Describe to the specific topics and consumer groups it uses; flag wildcard (`*`) resource or prefix grants that are broader than needed, and cluster-level operations granted to app principals. 5. **Harden inter-broker and ZooKeeper/KRaft** — confirm inter-broker traffic is encrypted and authenticated, and that the metadata quorum (KRaft controllers or ZooKeeper) is not exposed or unauthenticated. 6. **Verify** — provide the commands to list ACLs and to test an authenticated produce/consume against the hardened listener. Output as: a findings table (issue, risk, fix), a corrected listener + SSL/SASL + authorizer config block, and a per-principal ACL grant list scoped to real usage. Defensive hardening review only — no exploitation tooling.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
gRPC TLS, Authentication & Authorization Review Prompt
Review a gRPC service for insecure channels, missing per-call authentication, and absent method-level authorization, and produce a hardened transport, credential, and interceptor design.
-
Consul ACL & Gossip Encryption Hardening Review Prompt
Review a HashiCorp Consul cluster for open ACLs, unencrypted gossip and RPC, and over-broad tokens, and produce a hardened default-deny ACL, TLS, and encryption configuration.
-
Ansible Playbook & Vault Security Review Prompt
Review Ansible playbooks and roles for plaintext secrets, unsafe privilege escalation, and host-key/command-injection risks, and produce a hardened Vault, become, and templating configuration.
-
Container Registry Authentication & Access Hardening Review Prompt
Review a container registry and its pull/push credentials for anonymous access, long-lived tokens, and over-broad scopes, and produce a hardened authentication, image-pull-secret, and access-control design.
More DevOps Security & Hardening prompts & error guides
Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.