Scanning Managed Kafka Services
KafkaGuard supports all major managed Kafka services. Each provider requires authentication credentials passed via CLI flags or environment variables.
Confluent Cloud
kafkaguard scan \
  --bootstrap pkc-xxxxx.us-east-1.aws.confluent.cloud:9092 \
  --sasl-username "$CONFLUENT_API_KEY" \
  --sasl-password "$CONFLUENT_API_SECRET" \
  --policy policies/finance-iso.yaml \
  --format pdf \
  --out ./confluent-audit
Alternatively, set the credentials via environment variables and omit the flags:
export KAFKA_SASL_USERNAME=your-api-key
export KAFKA_SASL_PASSWORD=your-api-secret
kafkaguard scan --bootstrap pkc-xxxxx.confluent.cloud:9092 --policy policies/finance-iso.yaml
Amazon MSK
SASL/SCRAM authentication:
kafkaguard scan \
  --bootstrap b-1.xxxxx.kafka.us-east-1.amazonaws.com:9096 \
  --sasl-username "$MSK_USERNAME" \
  --sasl-password "$MSK_PASSWORD" \
  --policy policies/enterprise-default.yaml
IAM authentication: Not currently supported — use SASL/SCRAM or unauthenticated access (for private VPC clusters).
Aiven for Apache Kafka
Aiven uses SSL client certificates:
kafkaguard scan \
  --bootstrap kafka-xxxxx.aivencloud.com:12345 \
  --ssl-ca-cert /path/to/ca.pem \
  --ssl-cert /path/to/service.cert \
  --ssl-key /path/to/service.key \
  --policy policies/finance-iso.yaml
Download certificates from the Aiven Console → your service → Overview tab.
Redpanda Cloud
kafkaguard scan \
  --bootstrap seed-xxxxx.cloud.redpanda.com:9092 \
  --sasl-username "$REDPANDA_USERNAME" \
  --sasl-password "$REDPANDA_PASSWORD" \
  --policy policies/finance-iso.yaml
Redpanda Self-Hosted
If running Redpanda without authentication (development):
kafkaguard scan \
  --bootstrap localhost:9092 \
  --policy policies/baseline-dev.yaml
Notes
- KRaft auto-detection: KafkaGuard auto-detects KRaft vs ZooKeeper mode. All managed services above use KRaft — KG-052 through KG-056 (KRaft controls) are evaluated automatically.
- KG-055 (Confluent version): Only applies to Confluent Platform — not Confluent Cloud, MSK, Aiven, or Redpanda.
- Port: Use the SSL port from your provider (typically 9092 for SASL_SSL; the MSK SASL/SCRAM example above uses 9096).
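
A pre-flight wrapper for the scan commands above, added here as an example (it is not part of KafkaGuard). It refuses to run when the SASL password is given as a flag, because command-line arguments are readable in process listings, and when the `--ssl-key` file is missing or readable by group or other. `guarded_scan`, `key_is_private` and `KAFKAGUARD_BIN` are hypothetical names.

```bash
# Added example, not part of KafkaGuard. guarded_scan and KAFKAGUARD_BIN are
# hypothetical names; the flags are the ones used in the commands above.

# 0 if FILE exists and grants nothing to group or other (mode 600, 400, ...).
key_is_private() {
    [ -f "$1" ] || return 2
    case "$(ls -ld -- "$1")" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run "kafkaguard scan ARGS..." only if the checks pass.
# Returns 3 for a password on argv, 4 for a missing or exposed key file.
guarded_scan() {
    _prev="" _key=""
    for _arg in "$@"; do
        case "$_arg" in
            --sasl-password|--sasl-password=*)
                echo "refusing: argv is visible in process listings;" \
                     "export KAFKA_SASL_PASSWORD instead" >&2
                return 3 ;;
        esac
        if [ "$_prev" = "--ssl-key" ]; then _key="$_arg"; fi
        _prev="$_arg"
    done
    if [ -n "$_key" ] && ! key_is_private "$_key"; then
        echo "refusing: $_key is missing or readable by group/other" >&2
        return 4
    fi
    # KAFKAGUARD_BIN (hypothetical) lets a test substitute a stub binary.
    "${KAFKAGUARD_BIN:-kafkaguard}" scan "$@"
}
```

Source the file, export `KAFKA_SASL_USERNAME` and `KAFKA_SASL_PASSWORD` where SASL is used, then call `guarded_scan` with the same arguments you would give `kafkaguard scan`.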