Kafka Security Best Practices SSL Kerberos and ACLs
Secure your Kafka cluster with authentication, encryption, and access control using SSL, Kerberos, and ACLs
Apache Kafka is a powerful distributed event streaming platform used by enterprises to process real-time data. However, as Kafka becomes central to business-critical applications, securing your Kafka infrastructure becomes essential.
This guide outlines Kafka security best practices, focusing on three key pillars:
- SSL for encrypting data in transit
- Kerberos for strong authentication
- ACLs (Access Control Lists) for fine-grained authorization
Implementing these correctly helps protect against data leaks, unauthorized access, and man-in-the-middle attacks.
1. Enable SSL Encryption (TLS)
SSL/TLS secures the communication between Kafka brokers, producers, and consumers.
π Why SSL?
- Encrypts data over the network
- Prevents packet sniffing and tampering
- Authenticates brokers and clients using certificates
β How to Enable SSL
In server.properties:
listeners=SSL://your.host.name:9093
security.inter.broker.protocol=SSL
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=changeit
Make sure:
- All Kafka clients are configured with the truststore
- Certificates are signed by a valid CA (can be internal)
2. Enable Kerberos for Authentication
Kerberos provides mutual authentication between Kafka brokers and clients using tickets and keytabs.
π Why Kerberos?
- Prevents spoofing and impersonation
- Integrates with enterprise identity systems (e.g., Active Directory)
- Supports SASL for secure, pluggable auth
β Configure Kafka for Kerberos (SASL/GSSAPI)
- Add to
server.properties:
listeners=SASL_SSL://your.host.name:9094
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
- Create a JAAS config file:
KafkaServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/etc/security/keytabs/kafka.service.keytab"
principal="kafka/your.host.name@YOUR.REALM";
};
- Add JVM options:
-Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf
-Djava.security.krb5.conf=/etc/krb5.conf
- Create service principals for Kafka and each broker in your KDC.
3. Implement Access Control with ACLs
ACLs define who can do what in Kafka. Without them, any authenticated user can access everything.
π― ACL Types:
- Produce / Consume
- Create / Delete topics
- Alter configs
- Manage consumer groups
β Enable and Configure ACLs
- Enable in
server.properties:
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
super.users=User:admin;User:alice
- Add ACLs using
kafka-acls.sh:
Allow Alice to consume from sales topic:
kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 \
--add --allow-principal User:alice \
--consumer --topic sales --group sales-group
List all ACLs:
kafka-acls.sh --list --authorizer-properties zookeeper.connect=localhost:2181
4. Combine SSL + SASL for Stronger Security
Use SASL_SSL to authenticate with Kerberos while encrypting traffic:
listeners=SASL_SSL://your.host.name:9094
security.inter.broker.protocol=SASL_SSL
On client side, use a JAAS file and set:
sasl.mechanism=GSSAPI
security.protocol=SASL_SSL
5. Secure Zookeeper Access (Optional but Recommended)
Kafka often uses Zookeeper for metadata storage. Enable Zookeeper auth:
- Use Kerberos + SASL for secure ZK access
- Set
zookeeper.set.acl=trueinserver.properties
6. Monitoring and Auditing
- Enable broker audit logs for ACL denials
- Use SIEM tools to collect and alert on suspicious access
- Monitor for unauthorized topic access or privilege escalation attempts
Best Practices Summary
| Practice | Benefit |
|---|---|
| Enable SSL | Encrypts data in motion |
| Use Kerberos (SASL/GSSAPI) | Strong authentication |
| Configure ACLs | Fine-grained access control |
| Rotate Keys and Certificates | Prevents credential compromise |
| Monitor Access Logs | Detects abuse or misconfigurations |
| Secure Zookeeper | Protects metadata and ACL configs |
Conclusion
Kafka security isnβt just an option β itβs a necessity for protecting sensitive data, ensuring compliance, and maintaining trust in your event-driven systems. By implementing SSL encryption, Kerberos authentication, and fine-grained ACLs, you can build a Kafka deployment that is both secure and resilient.
Always keep your Kafka stack up to date, rotate credentials periodically, and monitor your access patterns to stay ahead of evolving security threats.