[Webinar] Kafka Re-Architected for the Cloud with Kora Engine → Register Today!

Enterprise-Grade Cloud Security & Compliance

Ensure confidentiality, control identity & access management, and protect sensitive data

Confluent Cloud equips teams with the complete set of enterprise-grade tools needed to build and launch data-in-motion apps faster while upholding strict security and compliance requirements.

confluent cloud security blog image

Ensure Data Confidentiality

  • Encrypt data at rest with Bring Your Own Key (BYOK) options
  • Data-in-motion encryption
  • Secure private network connectivity

Control Identity and Access Management

  • SAML/SSO for user access
  • Access control lists (ACLs)
  • RBAC & Audit Logs
  • Secure API/CLI/GUI

Protect Sensitive Data in the Cloud

  • SOC 1, SOC 2, SOC 3
  • ISO 27001
  • PCI, GDPR ready, HITRUST CSF Certified

Ensure Data Confidentiality

Confluent encrypts all data-at-rest by default with further options for data-at-rest available with Bring Your Own Key (BYOK) encryption. All network traffic to clients (data-in-motion) is encrypted with TLS 1.2.

Bring Your Own Key (BYOK) Encryption

BYOK provides you with the ability to encrypt data-at-rest with your own custom key and enables more control for access disabling, should the need ever arise.

BYOK encryption is available on GCP, AWS, and Azure

Secure Networking Options

Confluent clusters are accessible through internet endpoints using secure TLS connections. We also provide secure private networking options, including VPC/VNet peering, AWS PrivateLink, Azure Private Link, and AWS Transit Gateway.

VPC/VNet Peering for AWS, Azure, and Google Cloud

A VPC/VNet peering connection is a networking connection between your VPC/VNet and Confluent Cloud that enables you to route traffic using private IPv4 addresses. VPCs/VNets can communicate with each other as if they are within the same network.

AWS PrivateLink, Azure Private Link and Google Cloud Private Service Connect

AWS PrivateLink, Azure Private Link and Google Cloud Private Service Connect allow for one-way secure connection access from your VPC/VNet to Confluent Cloud with an added protection against data exfiltration. These networking options are popular for their unique combination of security and simplicity of setup.

AWS Transit Gateway

AWS Transit Gateway connects your VPC to Confluent Cloud through a central hub. This simplifies your network and puts an end to complex, full mesh peering relationships. It acts as a cloud router with each new connection only made once.

Control Identity and Access Management

Confluent provides SAML/SSO so you can utilize your preferred identity provider to authenticate user logins to Confluent Cloud.

You have granular access control across your cloud Kafka deployment through service accounts and access control lists (ACLs) in order to gate application access to critical Kafka resources like topics and consumer groups. Whether managing a small deployment or operating at scale, Role-Based Access Control allows you to easily assign permissions to your users based on logical roles.

Role-Based Access Control (RBAC)

Set role-based permissions per user to gate management access to critical resources like production environments, sensitive clusters, kafka topics and billing details. New users can be easily onboarded with specific roles as opposed to broad access to all resources.

Audit Logs

It’s critical to keep a close eye on who is touching your data and what exactly they’re doing with it. Confluent API/CLI/GUI are protected with strict security considerations. Additionally, Audit Logs are available to assist with identification of potential anomalies and bad actors.

Track user/application resource access events through a specific Kafka topic that you can consume in real time like any other Kafka topic and analyze/audit within your service of choice, such as third-party tools like Splunk or Elastic. Audit Logs are enabled by default so you don’t have to take any actions to set them up.

Protect Sensitive Data with Out-of-the-Box Compliance

Confluent Cloud includes built-in compliance including SOC 1/2/3 and ISO 27001 certifications, GDPR/CCPA readiness, and more. Visit our Trust & Security page to learn more.

Secure Your Cloud Data Today

Every minute you spend managing Kafka or developing security controls that are not core to your business is time taken away from building impactful customer experiences and products. Ready to start using the most secure cloud service for data in motion?