Policy Tiers and Tier Selection Guide
This guide helps you choose the right KafkaGuard policy tier for your environment and understand the differences between available policy options.
Table of Contents
- Policy Tier Overview
- Tier Decision Framework
- Tier Comparison Matrix
- Policy Tier Details
- Tier Selection Checklist
- Quick Tier Selection Commands
- Tier Transition Strategies
Policy Tier Overview
KafkaGuard provides three policy tiers designed for different environments and compliance requirements:
| Tier | Controls | Focus | Best For | File |
|---|---|---|---|---|
| baseline-dev | 21 | Reliability + Operations | Development, testing | policies/baseline-dev.yaml |
| enterprise-default | 45 | Security + Reliability + Operations | Production, enterprise | policies/enterprise-default.yaml |
| finance-iso | 55 | Advanced Compliance | Regulated industries | policies/finance-iso.yaml |
Key Differentiators:
- Security controls: baseline-dev has none; enterprise-default adds 15; finance-iso adds 10 more
- Compliance mapping: Enterprise and Finance tiers include PCI-DSS, SOC 2, ISO 27001 IDs in every report
- KRaft support: All tiers detect KRaft automatically; KG-052–056 activate on KRaft clusters
Tier Decision Framework
Which tier should I use?
| My situation | Recommended tier |
|---|---|
| Local dev, sandbox, CI test cluster | baseline-dev |
| Production cluster, no regulatory requirement | enterprise-default |
| Production + PCI-DSS / HIPAA / ISO 27001 certification | finance-iso |
| Staging / pre-prod | enterprise-default |
| Air-gapped, internal data only | baseline-dev or enterprise-default |
Step-by-step selection
Step 1 — Is this a production cluster?
- No → use baseline-dev
- Yes → go to Step 2
Step 2 — Does it handle customer, financial, or health data?
- No → use enterprise-default
- Yes → go to Step 3
Step 3 — Is your industry regulated (finance, healthcare, government)?
- No → use enterprise-default
- Yes → use finance-iso
Tier Comparison Matrix
| Criteria | baseline-dev | enterprise-default | finance-iso |
|---|---|---|---|
| Total controls | 21 | 45 | 55 |
| Security controls | 0 | 15 | 25 |
| Reliability controls | 8 | 16 | 16 |
| Operational controls | 13 | 13 | 13 |
| Security protocol | PLAINTEXT, SSL | SASL_SSL (required) | SASL_SSL + mTLS |
| Compliance mappings | — | PCI-DSS · SOC 2 · ISO 27001 | PCI-DSS · SOC 2 · ISO 27001 |
| KRaft controls | auto-activate | auto-activate | auto-activate |
| Typical scan time | ~8 s | ~10 s | ~12 s |
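The three-step decision above and the security-protocol row of the comparison matrix, turned into shell functions a pipeline can call. This is an added example, not KafkaGuard's own code: it picks the tier, refuses to pair a production tier with anything weaker than SASL_SSL, and prints the scan line using only flags that appear in this guide. The per-tier --fail-on level and the observe-only handling of baseline-dev are assumptions taken from the scan commands shown later on this page.

```shell
# Added example, not part of KafkaGuard: encodes this guide's three-step tier
# decision and each tier's minimum security protocol (comparison matrix), then
# prints the matching `kafkaguard scan` line instead of running it.

# select_tier <production yes|no> <sensitive-data yes|no> <regulated yes|no>
select_tier() {
  [ "$1" = yes ] || { echo baseline-dev; return 0; }        # Step 1
  [ "$2" = yes ] || { echo enterprise-default; return 0; }  # Step 2
  [ "$3" = yes ] || { echo enterprise-default; return 0; }  # Step 3
  echo finance-iso
}

# baseline-dev accepts PLAINTEXT or SSL; both production tiers need SASL_SSL.
tier_allows_protocol() {
  case "$1:$2" in
    baseline-dev:PLAINTEXT|baseline-dev:SSL|baseline-dev:SASL_SSL) return 0 ;;
    enterprise-default:SASL_SSL|finance-iso:SASL_SSL) return 0 ;;
    *) return 1 ;;
  esac
}

# --fail-on levels as used by the scan commands in this guide; assumption:
# baseline-dev scans stay observe-only and get no --fail-on at all.
fail_on_for_tier() {
  case "$1" in
    enterprise-default) echo high ;;
    finance-iso) echo medium ;;
    *) echo "" ;;
  esac
}

# build_scan_cmd <tier> <bootstrap> <protocol> [ca-cert]
# Returns 1 and prints nothing when the protocol is too weak for the tier.
build_scan_cmd() {
  tier=$1; bootstrap=$2; proto=$3; ca=${4:-}
  if ! tier_allows_protocol "$tier" "$proto"; then
    echo "refusing: $tier requires SASL_SSL, got $proto" >&2
    return 1
  fi
  cmd="kafkaguard scan --bootstrap $bootstrap --policy policies/$tier.yaml -f json,html"
  [ "$proto" != PLAINTEXT ] && cmd="$cmd --security-protocol $proto --tls-ca-cert $ca"
  [ "$proto" = SASL_SSL ] && cmd="$cmd --sasl-mechanism SCRAM-SHA-512"
  fo=$(fail_on_for_tier "$tier"); [ -n "$fo" ] && cmd="$cmd --fail-on $fo"
  echo "$cmd"
}

# Demo: a regulated production cluster reached over SASL_SSL.
build_scan_cmd "$(select_tier yes yes yes)" kafka-finance.prod:9095 SASL_SSL /etc/kafkaguard/certs/ca.pem
```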
Policy Tier Details
baseline-dev (21 Controls)
- Focus: Reliability and operational checks for development environments
- Best For: Dev clusters, sandboxes, CI/CD test clusters
- Security: No security controls — PLAINTEXT clusters are fine here
Control breakdown
| Category | Count | What it checks |
|---|---|---|
| Reliability | 8 | Replication factor ≥ 3, min ISR ≥ 2, ZK quorum, partition health, log retention |
| Operational | 13 | Auto-create topics, delete topic flag, log dirs, GC logging, network threads, JMX |
Sample controls
| Control | Title | Severity |
|---|---|---|
| KG-016 | Replication factor ≥ 3 | MEDIUM |
| KG-017 | Min in-sync replicas ≥ 2 | MEDIUM |
| KG-019 | ZooKeeper quorum healthy (≥3 nodes) | MEDIUM |
| KG-022 | ZK quorum odd node count | MEDIUM |
| KG-028 | Auto-create topics disabled | MEDIUM |
| KG-030 | Delete topic disabled | MEDIUM |
| KG-040 | GC logging enabled | LOW |
Scan commands
```bash
# Basic dev scan (PLAINTEXT)
kafkaguard scan \
  --bootstrap localhost:9092 \
  --policy policies/baseline-dev.yaml \
  -f html,json \
  --out ./reports

# Dev with SSL encryption
kafkaguard scan \
  --bootstrap kafka-dev.example.com:9093 \
  --security-protocol SSL \
  --tls-ca-cert /path/to/ca-cert.pem \
  --policy policies/baseline-dev.yaml \
  -f html \
  --out ./reports
```
Expected results on a well-configured dev cluster:
- 17–19 / 21 controls passing
- Score: 80–95%
enterprise-default (45 Controls)
- Focus: Security, reliability, and operational validation for production environments
- Best For: Production clusters, standard PCI-DSS / SOC 2 / ISO 27001 compliance
- Security: SASL_SSL required — PLAINTEXT clusters will fail multiple controls
Control breakdown
| Category | Count | What it checks |
|---|---|---|
| Security | 15 | SASL auth, SSL/TLS, ACLs, inter-broker encryption, monitoring endpoint security |
| Reliability | 16 | All baseline-dev + leader election, quota enforcement, unclean leader election |
| Operational | 13 | Same as baseline-dev |
Security controls added over baseline-dev
| Control | Title | Severity |
|---|---|---|
| KG-001 | SASL authentication enabled | HIGH |
| KG-002 | SSL/TLS encryption enabled | HIGH |
| KG-003 | ACL authorization enabled | HIGH |
| KG-007 | Inter-broker encryption enabled | HIGH |
| KG-008 | ZooKeeper authentication enabled | MEDIUM |
| KG-009 | ZooKeeper ACLs enabled | MEDIUM |
| KG-012 | Client authentication required | HIGH |
| KG-014 | Security protocol valid | HIGH |
| KG-015 | Monitoring endpoint security | MEDIUM |
Scan commands
```bash
# Production scan with SASL_SSL + SCRAM-SHA-512
export KAFKAGUARD_SASL_USERNAME="kafkaguard"
export KAFKAGUARD_SASL_PASSWORD="your-password"
kafkaguard scan \
  --bootstrap kafka1.prod:9095,kafka2.prod:9095,kafka3.prod:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/kafkaguard/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  -f json,html,pdf \
  --out /var/reports/kafkaguard \
  --fail-on high

# Upload to on-prem dashboard
kafkaguard scan \
  --bootstrap kafka-prod:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  -f json \
  --upload http://dashboard:3001
```
Expected results on a compliant production cluster:
- 37–41 / 45 controls passing
- Score: 80–95%
finance-iso (55 Controls)
- Focus: Advanced compliance for regulated industries — finance, healthcare, government
- Best For: PCI-DSS Level 1, HIPAA, ISO 27001 certified environments
- Security: Highest — SASL_SSL + mTLS, strict retention, audit logging
- Plan: Available on all tiers including Community (free CLI)
This policy includes all 45 controls from enterprise-default plus 10 additional controls covering audit logging, data retention, mutual TLS, cipher suites, and access restriction.
10 additional controls over enterprise-default
| Control | Title | Severity | Compliance |
|---|---|---|---|
| KG-041 | Audit logging enabled | HIGH | PCI-DSS 10.1, ISO 27001 A.12.4 |
| KG-042 | Log retention ≥ 90 days | MEDIUM | PCI-DSS 10.7, SOC 2 CC7.3 |
| KG-043 | Encryption at rest configured | HIGH | PCI-DSS 3.4, ISO 27001 A.10.1 |
| KG-044 | Broker-to-broker mutual TLS | HIGH | PCI-DSS 4.1, ISO 27001 A.13.1 |
| KG-045 | No deprecated TLS protocols (≥1.2) | HIGH | PCI-DSS 4.1, HIPAA |
| KG-046 | Strong cipher suites only | HIGH | PCI-DSS 4.1, ISO 27001 A.10.1 |
| KG-047 | ACL deny rules configured | MEDIUM | ISO 27001 A.9.4.1, SOC 2 CC6.1 |
| KG-048 | Admin access restricted (≤3 principals) | HIGH | SOC 2 CC6.2, ISO 27001 A.9.2.3 |
| KG-049 | Data retention policies enforced | MEDIUM | PCI-DSS 3.1, GDPR Art. 5 |
| KG-050 | Compliance metadata configured | LOW | SOC 2 CC7.1, GDPR Art. 30 |
Scan command
```bash
export KAFKAGUARD_SASL_USERNAME="kafkaguard-finance"
export KAFKAGUARD_SASL_PASSWORD="your-password"
kafkaguard scan \
  --bootstrap kafka-finance.prod:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/kafkaguard/certs/ca.pem \
  --policy policies/finance-iso.yaml \
  -f json,html,pdf \
  --out /var/reports/kafkaguard/finance \
  --fail-on medium
```
Expected results on a compliant regulated cluster:
- 49–53 / 55 controls passing
- Score: 88–96%
KRaft & Confluent Platform Controls (v2.1.0+)
These controls activate automatically — no configuration needed. They are included in all three tiers but only evaluated when the cluster type matches.
| Control | Title | Severity | Activates on |
|---|---|---|---|
| KG-052 | KRaft controller quorum size ≥ 3 | MEDIUM | Kafka 3.9.x / 4.x (KRaft) |
| KG-053 | All KRaft controller voters healthy | HIGH | Kafka 3.9.x / 4.x (KRaft) |
| KG-054 | Metadata log replication not lagging | HIGH | Kafka 3.9.x / 4.x (KRaft) |
| KG-055 | Confluent version matches Kafka version | LOW | Confluent Platform 7.x–8.x |
ZooKeeper-specific controls auto-skip on KRaft clusters. KRaft controls auto-skip on ZooKeeper clusters.
Tier Selection Checklist
- Dev / sandbox / CI? → baseline-dev
- Production, no regulatory requirement? → enterprise-default
- Regulated industry (finance/healthcare/gov)? → finance-iso
- SASL auth required? → enterprise-default or higher
- PCI-DSS / SOC 2 / ISO 27001 compliance needed? → enterprise-default or higher
- HIPAA / mTLS / audit logging required? → finance-iso
- CI/CD pipeline scanning? → enterprise-default (production-like)
Quick Tier Selection Commands
Development
```bash
# Uses enterprise-default by default
kafkaguard scan --bootstrap localhost:9092
# Pass --policy for baseline-dev
kafkaguard scan --bootstrap localhost:9092 --policy policies/baseline-dev.yaml
```
Production
```bash
export KAFKAGUARD_SASL_USERNAME="kafkaguard"
export KAFKAGUARD_SASL_PASSWORD="your-password"
kafkaguard scan \
  --bootstrap kafka-prod:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/kafkaguard/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  -f json,html,pdf \
  --out /var/reports/kafkaguard
```
CI/CD Pipeline
```bash
if [ "$ENVIRONMENT" = "production" ]; then
  POLICY="policies/enterprise-default.yaml"
  FAIL_ON="high"
else
  POLICY="policies/baseline-dev.yaml"
  FAIL_ON="medium"
fi
kafkaguard scan \
  --bootstrap "$KAFKA_BROKER" \
  --policy "$POLICY" \
  -f json \
  --fail-on "$FAIL_ON"
```
Multi-Environment
```bash
declare -A ENV_POLICIES=(
  ["dev"]="policies/baseline-dev.yaml"
  ["staging"]="policies/enterprise-default.yaml"
  ["prod"]="policies/enterprise-default.yaml"
)
for env in "${!ENV_POLICIES[@]}"; do
  echo "Scanning $env..."
  kafkaguard scan \
    --bootstrap "kafka-$env:9092" \
    --policy "${ENV_POLICIES[$env]}" \
    -f json \
    --out "./reports/$env"
done
```
Tier Transition Strategies
baseline-dev → enterprise-default
```bash
# 1. Test in staging
kafkaguard scan \
  --bootstrap kafka-staging:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-256 \
  --tls-ca-cert /path/to/ca-cert.pem \
  --policy policies/enterprise-default.yaml \
  -f html \
  --out ./transition-test

# 2. Fix gaps: enable SASL, configure TLS certs, set up ACLs

# 3. Enforce in production
kafkaguard scan \
  --bootstrap kafka-prod:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/kafkaguard/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  -f json,html,pdf \
  --out /var/reports/kafkaguard \
  --fail-on high
```
Custom Policy
```bash
# Start from the tier closest to your needs
cp policies/enterprise-default.yaml policies/custom-org.yaml

# Validate before use
kafkaguard validate-policy --policy policies/custom-org.yaml

# Test
kafkaguard scan \
  --bootstrap kafka-test:9092 \
  --policy policies/custom-org.yaml \
  -f json
```
Gradual Rollout (warn before enforce)
```bash
# Phase 1: observe (no exit code failure)
kafkaguard scan \
  --bootstrap kafka:9092 \
  --policy policies/baseline-dev.yaml \
  -f json,html

# Phase 2: warn only (fails on medium+ but team reviews)
kafkaguard scan \
  --bootstrap kafka:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  --fail-on medium \
  -f json,html

# Phase 3: enforce
kafkaguard scan \
  --bootstrap kafka:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  --fail-on high \
  -f json,html,pdf
```
Next Steps
- Policy Creation Guide — Customize policies for your requirements
- CLI Reference — All scan command flags
- Configuration Guide — Environment-level configuration
Document Information
- Last Updated: 2026-04-25
- Applies to Version: KafkaGuard 2.3.0+