Posted On: May 6, 2021

Today we announced AWS Identity and Access Management (IAM) Access Control for Amazon MSK. IAM Access Control is a security option offered at no additional cost that simplifies cluster authentication and Apache Kafka API authorization by using IAM role or user policies to control access. By using IAM Access Control, customers no longer need to build and run one-off access management systems to control client authentication and authorization for Apache Kafka, and MSK clusters are secured using least-privilege permissions by default.

In a few clicks, customers can enable IAM Access Control during the MSK cluster creation step. Next, they define IAM policies for users and roles to control the identities that may access an MSK cluster and the actions these clients can take on Apache Kafka APIs. For example, customers can write an IAM policy to control which clients may connect to clusters, and write to or read from Apache Kafka topics. This eliminates the need to use an unfamiliar authentication or authorization system just for Apache Kafka. All clients need to be configured with the Apache 2.0 licensed aws-msk-iam-auth library, which infers and sends IAM credentials securely to MSK using SigV4 request signing.
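The policy described above can be generated per client so that each grant names one cluster, one topic and (for consumers) one group. This is an added example, not AWS code: the function names, the sample ARN and the no-wildcard rule are assumptions of the example, while the action names are those of the `kafka-cluster` IAM namespace.

```python
import json

# Constructed sample ARN (placeholder account, cluster name and UUID).
SAMPLE_CLUSTER_ARN = ("arn:aws:kafka:us-east-1:111122223333:"
                      "cluster/demo-cluster/11111111-2222-3333-4444-555555555555-1")

# Per-role actions from the kafka-cluster IAM namespace, keyed by resource type.
ROLE_ACTIONS = {
    "producer": {"topic": ["kafka-cluster:DescribeTopic", "kafka-cluster:WriteData"]},
    "consumer": {"topic": ["kafka-cluster:DescribeTopic", "kafka-cluster:ReadData"],
                 "group": ["kafka-cluster:DescribeGroup", "kafka-cluster:AlterGroup"]},
}


def scoped_arn(cluster_arn, kind, name):
    """Derive the topic or group ARN that belongs to one specific cluster."""
    prefix, resource = cluster_arn.rsplit(":", 1)
    rtype, cluster_name, cluster_uuid = resource.split("/")
    if rtype != "cluster":
        raise ValueError("expected an MSK cluster ARN")
    # Example-level rule: refuse patterns so a grant cannot silently widen.
    if not name or any(c in name for c in "*?"):
        raise ValueError("exact resource names only; wildcards widen the grant")
    return f"{prefix}:{kind}/{cluster_name}/{cluster_uuid}/{name}"


def client_policy(cluster_arn, role, topic, group=None):
    """Build an identity policy for one producer or consumer of one topic."""
    names = {"topic": topic, "group": group}
    # Every client needs Connect on the cluster itself.
    statements = [{"Sid": "Connect", "Effect": "Allow",
                   "Action": ["kafka-cluster:Connect"], "Resource": [cluster_arn]}]
    for kind, actions in ROLE_ACTIONS[role].items():
        if names[kind] is None:
            raise ValueError(f"{role} policy needs a {kind} name")
        statements.append({"Sid": kind.capitalize() + "Access", "Effect": "Allow",
                           "Action": actions,
                           "Resource": [scoped_arn(cluster_arn, kind, names[kind])]})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(client_policy(SAMPLE_CLUSTER_ARN, "consumer", "orders", "billing"), indent=2))
```
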

MSK’s integration with IAM supports standard IAM features including tags, condition keys, and user- and role-based access control, as well as external identity providers including OpenID Connect for OAuthBearer authentication. IAM Access Control also logs events related to Apache Kafka resources, including topic creation, adding partitions, and topic configuration modifications, to AWS CloudTrail for auditing. IAM Access Control is available for new MSK clusters in all regions where MSK is available.

Visit the MSK user documentation to get started.