The SOC 2 Auditor Will Ask About Your Kafka Clusters
If Apache Kafka carries customer data, processes payments, or handles healthcare records, it will be in scope for your SOC 2 Type II audit. Most teams don't realise this until the auditor is already in the room.
When it happens, you'll need evidence for questions like:
- "How do you ensure only authorised principals can read from Kafka topics?"
- "Is inter-broker communication encrypted in transit?"
- "How do you detect and respond to misconfigured ACLs?"
- "What controls prevent wildcard ACLs from granting unrestricted access?"
Manual answers take weeks to gather. KafkaGuard generates audit-ready evidence in 90 seconds.
The 55 Controls — By Category
Security Controls (25)
These map directly to SOC 2 Trust Service Criteria CC6 (Logical and Physical Access Controls) and CC7 (System Operations).
| Control | What it checks | SOC 2 Criteria |
|---|---|---|
| KG-001 | SASL authentication enabled on all brokers | CC6.1, CC6.3 |
| KG-002 | SSL/TLS encryption enabled | CC6.1, CC6.7 |
| KG-003 | ACL authorization enabled | CC6.1, CC6.3 |
| KG-004 | No wildcard ACLs (User:*) | CC6.3, CC6.6 |
| KG-005 | TLS certificates not expiring within 30 days | CC6.7 |
| KG-006 | TLS protocol ≥ 1.2 (no TLS 1.0/1.1) | CC6.7 |
| KG-007 | Inter-broker communication encrypted | CC6.7 |
| KG-008 | ZooKeeper authentication enabled | CC6.1 |
| KG-009 | ZooKeeper ACLs enabled | CC6.1 |
| KG-010 | No default or weak passwords | CC6.1 |
| KG-011 | SASL mechanism is SCRAM-SHA-256, SCRAM-SHA-512, or GSSAPI (no PLAIN) | CC6.1 |
| KG-012 | Client authentication required | CC6.1 |
| KG-013 | SSL endpoint identification configured | CC6.7 |
| KG-014 | Security protocol is SSL or SASL_SSL | CC6.7 |
| KG-015 | Monitoring endpoint secured | CC7.2 |
| KG-041 | Audit logging enabled | CC7.2, CC7.3 |
| KG-042 | Log retention ≥ 90 days | CC7.2 |
| KG-043 | Encryption at rest configured | CC6.7 |
| KG-044 | Mutual TLS for inter-broker | CC6.7 |
| KG-045 | No deprecated TLS protocols | CC6.7 |
| KG-046 | Strong cipher suites only (AES-256-GCM) | CC6.7 |
| KG-047 | Explicit deny ACL rules present | CC6.3 |
| KG-048 | Admin access restricted (≤ 3 principals) | CC6.3 |
| KG-049 | Data retention policies enforced | CC6.4 |
| KG-056 | KRaft authorizer compatible with controller listener | CC6.1 |
Reliability Controls (16)
Map to CC7 (System Operations) and CC9 (Risk Mitigation).
| Control | What it checks | SOC 2 Criteria |
|---|---|---|
| KG-016 | Replication factor ≥ 3 | CC9.1 |
| KG-017 | Min in-sync replicas ≥ 2 | CC9.1 |
| KG-018 | No under-replicated partitions | CC7.1 |
| KG-019 | No offline partitions | CC7.1 |
| KG-020 | Unclean leader election disabled | CC9.1 |
| KG-021 | Log retention configured | CC6.4 |
| KG-022 | ZooKeeper quorum ≥ 3 nodes | CC9.1 |
| KG-023 | Broker versions consistent | CC8.1 |
| KG-024 | Broker disk usage < 90% | CC7.1 |
| KG-025 | Broker heap usage < 85% | CC7.1 |
| KG-026 | Network threads configured | CC7.1 |
| KG-027 | Leader election timeout configured | CC7.1 |
| KG-052 | KRaft controller quorum ≥ 3 | CC9.1 |
| KG-053 | All KRaft voters healthy | CC7.1 |
| KG-054 | KRaft metadata log lag ≤ 1000 | CC7.1 |
| KG-055 | Confluent version matches Kafka version | CC8.1 |
Operational Controls (14)
| Control | What it checks |
|---|---|
| KG-028 | Auto-create topics disabled |
| KG-029 | Log directories not in /tmp |
| KG-030 | Delete topic disabled |
| KG-031 | Compression configured |
| KG-032 | Log segment bytes ≥ 1GB |
| KG-033 | Log retention hours configured |
| KG-034 | Network threads ≥ 8 |
| KG-035 | IO threads ≥ 8 |
| KG-036 | Send buffer bytes configured |
| KG-037 | Receive buffer bytes configured |
| KG-038 | Replica fetch max bytes configured |
| KG-039 | Message max bytes configured |
| KG-040 | GC logging enabled |
| KG-051 | Monitoring type configured |
The 5 Controls Auditors Care About Most
In our experience scanning production clusters, these five are the most common audit failures:
1. Wildcard ACLs (KG-004)
An ACL for the principal User:* applies to every authenticated client on the cluster; combined with a wildcard resource (--topic '*') it grants read/write access to every topic. It's the Kafka equivalent of chmod 777, and auditors will flag it immediately.
Fix: Replace it with explicit per-principal ACLs on the specific topics and consumer groups each service needs. Run kafka-acls.sh --bootstrap-server <broker> --list to inventory current ACLs, and remove the wildcard entries only after the explicit ones are in place, or you will lock out the services that were relying on them.
2. No Audit Logging (KG-041)
SOC 2 CC7.2 requires evidence that you can detect who accessed what. Kafka's access audit trail comes from the authorizer: without an authorizer.class.name configured, every request is allowed and no authorization decision is ever logged.
Fix: Set authorizer.class.name=kafka.security.authorizer.AclAuthorizer (ZooKeeper mode, Kafka 3.x) or org.apache.kafka.metadata.authorizer.StandardAuthorizer (KRaft mode, Kafka 3.3+ and the only option in 4.0). Then make sure the kafka.authorizer.logger logger is enabled in your log4j configuration: at INFO it records denied requests, at DEBUG every allow/deny decision. The default configuration writes these to kafka-authorizer.log.
3. Log Retention < 90 Days (KG-042)
Auditors need to see historical access logs. If you purge logs after 7 days, there's nothing to show for most of the audit period.
Fix: Keep at least 90 days of authorizer audit logs (kafka-authorizer.log, or wherever your kafka.authorizer.logger appender sends them), typically by shipping them to a central log store with its own retention policy. Note that log.retention.hours=2160 (90 days) governs how long topic data is kept, not the broker's own log files; set it on compliance-sensitive topics whose records must be retained, but it is not a substitute for retaining the audit log.
4. TLS 1.0/1.1 Enabled (KG-045)
PCI-DSS 4.0 requires strong cryptography for cardholder data in transit, and a SOC 2 auditor will treat TLS 1.0/1.1 (formally deprecated by RFC 8996) as a finding against CC6.7. Both versions have known weaknesses and are no longer supported by modern clients.
Fix: Set ssl.enabled.protocols=TLSv1.2,TLSv1.3 on all brokers (this is the Kafka default on recent versions, so a failure here usually means someone overrode it to accommodate an old client) and verify the same setting on clients, Connect workers, and Schema Registry.
5. No Min-ISR Enforcement (KG-017)
If min.insync.replicas=1, a write is acknowledged as soon as the leader has it; if that broker fails before a follower replicates the record, an acknowledged write is lost. That is a data integrity issue that directly affects CC9.1 (risk mitigation).
Fix: Set min.insync.replicas=2 (at the broker or per topic) and acks=all on producers for critical topics. The two settings only work together: min.insync.replicas is enforced only for producers using acks=all, and acks=all without a min-ISR of at least 2 still accepts a leader-only write.
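To make the five checks concrete, here is an added example (not KafkaGuard's code, and not how the tool implements its controls) that evaluates them over a constructed server.properties and a constructed kafka-acls --list listing, with the weak configuration beside the corrected one. The function names, the sample configs and the ACL listing are assumptions made for this example.

```python
"""Added example: a minimal checker for the five audit findings above.
Not KafkaGuard code; the inputs below are constructed for illustration."""
import re

# Constructed sample input (not from a real cluster): a broker config that
# fails all five checks. authorizer.class.name is deliberately missing.
WEAK_PROPERTIES = """\
broker.id=1
listeners=SASL_SSL://0.0.0.0:9095
sasl.enabled.mechanisms=SCRAM-SHA-256
ssl.enabled.protocols=TLSv1,TLSv1.1,TLSv1.2
min.insync.replicas=1
default.replication.factor=3
log.retention.hours=168
"""

# The same broker with each of the five fixes applied.
FIXED_PROPERTIES = """\
broker.id=1
listeners=SASL_SSL://0.0.0.0:9095
sasl.enabled.mechanisms=SCRAM-SHA-256
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
ssl.enabled.protocols=TLSv1.2,TLSv1.3
min.insync.replicas=2
default.replication.factor=3
log.retention.hours=2160
"""

# Constructed output in the shape printed by `kafka-acls.sh --list`.
# The first resource carries a wildcard ALLOW; the DENY for User:* is fine.
WEAK_ACLS = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=*, patternType=LITERAL)`:
 \t(principal=User:*, host=*, operation=ALL, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=payments, patternType=LITERAL)`:
 \t(principal=User:payments-svc, host=*, operation=WRITE, permissionType=ALLOW)
 \t(principal=User:*, host=*, operation=DESCRIBE, permissionType=DENY)
"""

FIXED_ACLS = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=payments, patternType=LITERAL)`:
 \t(principal=User:payments-svc, host=*, operation=WRITE, permissionType=ALLOW)
 \t(principal=User:ledger-consumer, host=*, operation=READ, permissionType=ALLOW)
"""

RESOURCE_RE = re.compile(r"resourceType=(\w+), name=([^,]+), patternType=(\w+)")
ENTRY_RE = re.compile(r"principal=([^,]+), host=([^,]+), operation=(\w+), permissionType=(\w+)")
DEPRECATED_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_properties(text):
    """Parse Java .properties lines of the form key=value; comments and blanks skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_acls(text):
    """Turn kafka-acls --list output into one dict per ACL entry, tagged with its resource."""
    acls, resource = [], None
    for line in text.splitlines():
        r = RESOURCE_RE.search(line)
        if r:
            resource = {"type": r.group(1), "name": r.group(2), "pattern": r.group(3)}
            continue
        e = ENTRY_RE.search(line)
        if e and resource:
            acls.append({**resource, "principal": e.group(1), "host": e.group(2),
                         "operation": e.group(3), "permission": e.group(4)})
    return acls


def run_checks(props_text, acl_text):
    """Return {control: (passed, detail)} for the five controls discussed on this page."""
    props, acls = parse_properties(props_text), parse_acls(acl_text)
    findings = {}

    # KG-004: an ALLOW entry for User:* applies to every authenticated client.
    wild = [a for a in acls if a["principal"] == "User:*" and a["permission"] == "ALLOW"]
    detail = ", ".join(f"{a['operation']} on {a['type']}:{a['name']}" for a in wild)
    findings["KG-004"] = (not wild, detail or "no wildcard ALLOW ACLs")

    # KG-041: with no authorizer there is no authorization decision to log.
    authorizer = props.get("authorizer.class.name")
    findings["KG-041"] = (authorizer is not None, authorizer or "authorizer.class.name not set")

    # KG-042: topic data retention (Kafka default 168h). This is not the retention of
    # kafka-authorizer.log, which your log pipeline must handle separately; log.retention.ms
    # and log.retention.minutes would take precedence if set and are ignored here.
    hours = int(props.get("log.retention.hours", "168"))
    findings["KG-042"] = (hours >= 2160, f"log.retention.hours={hours}")

    # KG-045: Kafka's default is TLSv1.2,TLSv1.3; anything older is a finding.
    enabled = {p.strip() for p in props.get("ssl.enabled.protocols", "TLSv1.2,TLSv1.3").split(",")}
    bad = sorted(enabled & DEPRECATED_TLS)
    findings["KG-045"] = (not bad, f"deprecated protocols enabled: {bad}" if bad else "TLS 1.2/1.3 only")

    # KG-017: min.insync.replicas=1 (the default) lets the leader alone acknowledge a write.
    min_isr = int(props.get("min.insync.replicas", "1"))
    findings["KG-017"] = (min_isr >= 2, f"min.insync.replicas={min_isr}")
    return findings


if __name__ == "__main__":
    for label, props, acls in (("weak", WEAK_PROPERTIES, WEAK_ACLS), ("fixed", FIXED_PROPERTIES, FIXED_ACLS)):
        print(f"== {label} cluster ==")
        for name, (ok, detail) in run_checks(props, acls).items():
            print(f"{name}: {'PASS' if ok else 'FAIL'} ({detail})")
```

The point of the DENY entry in the constructed listing is that a wildcard principal is only a problem when it grants; an explicit User:* DENY is the opposite of the finding (and is what KG-047 looks for). In a real cluster you would feed the checker the output of kafka-acls.sh --list and the broker's server.properties rather than the embedded strings.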
See a Real Kafka Audit Report
This is an actual KafkaGuard scan output from a live Kafka 3.9 cluster — Team tier, ZooKeeper mode, SASL_SSL + SCRAM-SHA-256, finance-iso policy (55 controls, 88.4% compliance score, full PCI-DSS / SOC 2 / ISO 27001 mapping). The Community edition shows 55 controls without compliance framework IDs; upgrade to Starter for PCI-DSS, SOC 2, and ISO 27001 mappings in every report.
The report shows 48 controls passing (88.4% score) and 7 failing — with exact SOC 2 control IDs and remediation steps for every finding. This is what you hand to your auditor.
Running the Audit in 90 Seconds
# Download KafkaGuard
curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Linux_x86_64.tar.gz
tar -xzf kafkaguard_Linux_x86_64.tar.gz
# Run the full SOC 2 scan
./kafkaguard scan \
--bootstrap kafka-prod:9095 \
--security-protocol SASL_SSL \
--sasl-mechanism SCRAM-SHA-256 \
--sasl-username auditor \
--sasl-password <password> \
--tls-ca-cert /path/to/ca.pem \
--policy policies/finance-iso.yaml \
--format pdf,json \
--out ./audit-evidence
The PDF report includes:
- Overall compliance score (0–100%)
- Each control with PASS/FAIL/N/A status
- SOC 2 CC control IDs pre-mapped for every finding
- Remediation steps for every failure
Hand the PDF directly to your auditor. No manual evidence gathering required.
What to Do With the Results
- CRITICAL/HIGH failures — Fix before the audit window. No exceptions.
- MEDIUM failures — Document compensating controls if you can't fix immediately.
- LOW failures — Note in your risk register with planned remediation date.
- Run again after remediation to verify — takes 90 seconds.
Policy Tiers
KafkaGuard includes three policy tiers. For SOC 2:
- baseline-dev (21 controls) — Development clusters only
- enterprise-default (45 controls) — Production; maps to SOC 2 CC6, CC7, CC8, CC9
- finance-iso (55 controls) ⭐ — Full SOC 2 + PCI-DSS 4.0 + ISO 27001; recommended for regulated industries
# SOC 2 scan with enterprise-default policy
./kafkaguard scan --bootstrap kafka:9095 --policy policies/enterprise-default.yaml -f pdf
Download KafkaGuard — Free
The Community edition is free forever, covers all 55 controls, and produces HTML + JSON reports.