MSK clusters are configured to use TLS in transit by default, however this can be overridden. Not using TLS based communication between client and broker makes it vulnerable to network sniffing. In addition, using the latest version of TLS and modern ciphers can help keep data in-transit protected from man-in-the-middle and similar attacks.
References:
https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html
Encryption settings are configured with TLS 1.2 by default, however this can be overridden at the time a cluster is created. To learn more, see the AWS documentation (below).
In Terraform -
References:
https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#encryption_in_transit