Security Hardening Guide
This document provides an overview of security features and guidance for hardening the security of Charmed Apache Kafka deployments, including setting up and managing a secure environment.
Environment
The environment where Charmed Apache Kafka operates can be divided into two components:
- Cloud
- Juju
Cloud
Charmed Apache Kafka can be deployed on top of several clouds and virtualization layers:
Cloud | Security guides |
---|---|
OpenStack | OpenStack Security Guide |
AWS | Best Practices for Security, Identity and Compliance, AWS security credentials |
Azure | Azure security best practices and patterns, Managed identities for Azure resources |
Juju
Juju is the component responsible for orchestrating the entire lifecycle, from deployment to Day 2 operations. For more information on Juju security hardening, see the Juju security page and the How to harden your deployment guide.
Cloud credentials
When configuring cloud credentials to be used with Juju, ensure that users have the correct permissions to operate at the required level. Juju superusers responsible for bootstrapping and managing controllers require elevated permissions to manage several kinds of resources, such as virtual machines, networks, and storage. Refer to the links below for the policies required on each cloud.
Cloud | Cloud user policies |
---|---|
OpenStack | N/A |
AWS | Juju AWS Permission, AWS Instance Profiles, Juju on AWS |
Azure | Juju Azure Permission, How to use Juju with Microsoft Azure |
Juju users
It is very important that Juju users are set up with minimal permissions depending on the scope of their operations. Please refer to the User access levels documentation for more information on the access levels and corresponding abilities.
Juju user credentials must be stored securely and rotated regularly to limit the chances of unauthorized access due to credentials leakage.
Applications
In the following, we provide guidance on how to harden your deployment using:
- Operating system
- Security upgrades
- Encryption
- Authentication
- Monitoring and auditing
Operating system
Charmed Apache Kafka and Charmed Apache ZooKeeper currently run on top of Ubuntu 22.04. Deploy a Landscape Client Charm to connect the underlying VM to a Landscape User Account to manage security upgrades and integrate Ubuntu Pro subscriptions.
Security upgrades
Charmed Apache Kafka and Charmed Apache ZooKeeper operators install a pinned revision of the Charmed Apache Kafka snap and Charmed ZooKeeper snap, respectively, to provide reproducible and secure environments.
New versions of Charmed Apache Kafka and Charmed Apache ZooKeeper may be released to provide patching of vulnerabilities (CVEs). It is important to refresh the charm regularly to make sure the workload is as secure as possible. For more information on how to refresh the charm, see the how-to upgrade guide.
Encryption
Charmed Apache Kafka must be deployed with encryption enabled. To do that, you need to relate Charmed Apache Kafka and Charmed Apache ZooKeeper to one of the TLS certificate operator charms. Please refer to the Charming Security page for more information on how to select the right certificate provider for your use case.
For more information on encryption, see the Cryptography explanation page and the How to enable encryption guide.
Authentication
Charmed Apache Kafka supports the following authentication layers:
- SCRAM-based SASL Authentication
- certificate-based Authentication (mTLS)
- OAuth Authentication using Hydra or Google
Each combination of authentication scheme and encryption is associated with a dedicated listener that maps to a well-defined port. See the listener reference documentation for more information.
Monitoring and auditing
Charmed Apache Kafka provides native integration with the Canonical Observability Stack (COS). To reduce the blast radius of infrastructure disruptions, the general recommendation is to deploy COS and the observed application into separate environments, isolated from one another. Refer to the COS production deployments best practices for more information.
For instructions, see the How to integrate the Charmed Apache Kafka deployment with COS and How to customise the alerting rules and dashboards guides.
External user access to Apache Kafka is logged to the kafka-authorizer.log file, which is pushed to the Loki endpoint and exposed via Grafana, both components being part of the COS stack. Access denials are logged at the INFO level, whereas allowed accesses are logged at the DEBUG level. Depending on the auditing needs, customize the logging level either for all logs via the log_level config option or only tune the logging level of the authorizerAppender in the log4j.properties file. See the file system paths for further information.
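The audit trail described above can be reviewed for repeated denials per principal. The following is an added example, not part of the Charmed Apache Kafka documentation or code; the line layout (Kafka's stock log4j pattern around the authorizer audit message), the sample lines and the threshold are assumptions to check against your own kafka-authorizer.log.

```python
import re
from collections import Counter

# Assumed layout: Kafka's stock log4j pattern "[%d] %p %m (%c)%n" around the
# authorizer audit message. Check it against your own kafka-authorizer.log.
AUDIT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+"
    r"Principal = (?P<principal>\S+) is (?P<result>Allowed|Denied) "
    r"[Oo]peration = (?P<operation>\S+) from host = (?P<host>\S+) "
    r"on resource = (?P<resource>\S+)"
)

# Constructed sample lines; principals, hosts and topics are made up.
SAMPLE_LOG = """\
[2024-05-01 10:00:01,120] INFO Principal = User:app-a is Denied Operation = Write from host = 10.1.0.14 on resource = Topic:LITERAL:orders for request = Produce with resourceRefCount = 1 (kafka.authorizer.logger)
[2024-05-01 10:00:01,480] INFO Principal = User:app-a is Denied Operation = Write from host = 10.1.0.14 on resource = Topic:LITERAL:payments for request = Produce with resourceRefCount = 1 (kafka.authorizer.logger)
[2024-05-01 10:00:02,010] DEBUG Principal = User:app-b is Allowed Operation = Read from host = 10.1.0.20 on resource = Topic:LITERAL:orders for request = Fetch with resourceRefCount = 1 (kafka.authorizer.logger)
[2024-05-01 10:00:02,300] INFO Principal = User:app-a is Denied Operation = Describe from host = 10.1.0.14 on resource = Topic:LITERAL:billing for request = Metadata with resourceRefCount = 1 (kafka.authorizer.logger)
[2024-05-01 10:00:03,000] INFO Principal = User:app-c is Denied Operation = Read from host = 10.1.0.31 on resource = Group:LITERAL:reports for request = JoinGroup with resourceRefCount = 1 (kafka.authorizer.logger)
this line is not an audit record and is skipped
"""


def parse_audit_lines(text):
    """Yield one dict per recognised audit line; skip everything else."""
    for line in text.splitlines():
        match = AUDIT_RE.match(line)
        if match:
            yield match.groupdict()


def summarize(text, deny_threshold=3):
    """Count denials per principal and flag those at or above the threshold."""
    events = list(parse_audit_lines(text))
    denied = Counter(e["principal"] for e in events if e["result"] == "Denied")
    resources = {}
    for e in events:
        if e["result"] == "Denied":
            resources.setdefault(e["principal"], set()).add(e["resource"])
    return {
        "denied": dict(denied),
        "resources": resources,
        "flagged": sorted(p for p, n in denied.items() if n >= deny_threshold),
        # Allowed events exist only if the authorizer logger ran at DEBUG;
        # at INFO their absence says nothing about successful access.
        "allowed_seen": sum(e["result"] == "Allowed" for e in events),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A zero in allowed_seen on a real log usually means the authorizer logger is at INFO, so only denials are being audited.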
Additional Resources
For details on the cryptography used by Charmed Apache Kafka, see the Cryptography explanation page.