Amazon MSK began with support for mutual TLS authN/Z, and then offered SASL/SCRAM, which are standard Apache Kafka security options. Traditionally, Apache Kafka comes with its own ways of managing authentication and authorization. These new features complete the suite of existing security features for Amazon MSK such as Amazon VPC integration for private connectivity and network isolation, at-rest encryption via AWS Key Management Service (AWS KMS), and encryption in transit via TLS.
This is a game-changer from a security perspective for AWS customers who use Apache Kafka: I recommend Amazon MSK customers use IAM Access Control unless they have a specific need for using mutual TLS or SASL/SCRAM authN/Z.Īs a cherry on the cake, IAM Access Control logs events related to Apache Kafka resource changes to Amazon CloudTrail, such as topic creation, adding partitions, and topic configuration modifications, which can be very helpful for adding an audit layer to your Apache Kafka clusters (something you could only obtain otherwise by parsing unstructured Apache Kafka logs). This eliminates the need for administrators to run an unfamiliar system to control access to Apache Kafka on Amazon MSK, and learn intricate details and specific commands to manage Apache Kafka access control lists (ACLs). This is a guest blog post by AWS Data Hero Stephane Maarek.ĪWS launched IAM Access Control for Amazon MSK, which is a security option offered at no additional cost that simplifies cluster authentication and Apache Kafka API authorization using AWS Identity and Access Management (IAM) roles or user policies to control access.
0 kommentar(er)
