Kafka clusters often carry high-value event streams and must be hardened at broker, client, and topic levels.
¶ Authentication and Encryption
- Enable TLS for client-broker and inter-broker traffic.
- Use SASL/SCRAM or mTLS auth with strict principal mapping.
- Disable plaintext listeners in production.
¶ Authorization and Multi-Tenancy
- Enforce ACLs per topic, group, and transactional ID.
- Separate tenants/projects with naming and ACL policy boundaries.
- Restrict admin operations to dedicated principals.
¶ Cluster and Data Protection
- Secure ZooKeeper/KRaft controller access.
- Encrypt disks and backups containing topic data.
- Monitor auth failures, partition reassignments, and unusual consumer lag.