AWS Security ChangesHomeSearch

AWS msk documentation change

Service: msk · 2025-04-03 · Documentation medium

File: msk/latest/developerguide/mkc-iam-policy-examples.md

Summary

Updated IAM policy example to use granular permissions instead of wildcards, added specific resource ARNs, restructured policy statements with explicit SIDs, and expanded required actions for MSK Connect components

Security assessment

The change implements least privilege by replacing wildcard permissions with specific actions and resource ARNs, which improves security posture but does not address a specific disclosed vulnerability

Diff

diff --git a/msk/latest/developerguide/mkc-iam-policy-examples.md b/msk/latest/developerguide/mkc-iam-policy-examples.md
index c6ef2a6fa..1b82491f2 100644
--- a//msk/latest/developerguide/mkc-iam-policy-examples.md
+++ b//msk/latest/developerguide/mkc-iam-policy-examples.md
@@ -5 +5 @@
-# Examples of IAM policies for MSK Connect
+# Example of IAM policy for MSK Connect
@@ -13,0 +14 @@ To give a non-admin user full access to all MSK Connect functionality, attach a
+          "Sid": "MSKConnectFullAccess",
@@ -16,12 +17,16 @@ To give a non-admin user full access to all MSK Connect functionality, attach a
-                    "kafkaconnect:*",
-                    "ec2:CreateNetworkInterface",
-                    "ec2:DescribeSubnets",
-                    "ec2:DescribeVpcs",
-                    "ec2:DescribeSecurityGroups",
-                    "logs:CreateLogDelivery",
-                    "logs:GetLogDelivery",
-                    "logs:DeleteLogDelivery",
-                    "logs:ListLogDeliveries",
-                    "logs:PutResourcePolicy",
-                    "logs:DescribeResourcePolicies",
-                    "logs:DescribeLogGroups"
+            "kafkaconnect:CreateConnector",
+            "kafkaconnect:DeleteConnector",
+            "kafkaconnect:DescribeConnector",
+            "kafkaconnect:GetConnector",
+            "kafkaconnect:ListConnectors",
+            "kafkaconnect:UpdateConnector",
+            "kafkaconnect:CreateCustomPlugin",
+            "kafkaconnect:DeleteCustomPlugin",
+            "kafkaconnect:DescribeCustomPlugin",
+            "kafkaconnect:GetCustomPlugin",
+            "kafkaconnect:ListCustomPlugins",
+            "kafkaconnect:CreateWorkerConfiguration",
+            "kafkaconnect:DeleteWorkerConfiguration",
+            "kafkaconnect:DescribeWorkerConfiguration",
+            "kafkaconnect:GetWorkerConfiguration",
+            "kafkaconnect:ListWorkerConfigurations"
@@ -29 +34,5 @@ To give a non-admin user full access to all MSK Connect functionality, attach a
-                "Resource": "*"
+          "Resource": [
+            "arn:aws:kafkaconnect:us-east-1:123456789012:connector/*",
+            "arn:aws:kafkaconnect:us-east-1:123456789012:custom-plugin/myCustomPlugin/",
+            "arn:aws:kafkaconnect:us-east-1:123456789012:worker-configuration/myWorkerConfig/"
+          ]
@@ -31,0 +41 @@ To give a non-admin user full access to all MSK Connect functionality, attach a
+          "Sid": "IAMPassRole",
@@ -33,2 +43,2 @@ To give a non-admin user full access to all MSK Connect functionality, attach a
-                "Action": "iam:CreateServiceLinkedRole",
-                "Resource": "arn:aws:iam::*:role/aws-service-role/kafkaconnect.amazonaws.com/AWSServiceRoleForKafkaConnect*",
+          "Action": "iam:PassRole",
+          "Resource": "arn:aws:iam::123456789012:role/MSKConnectServiceRole",
@@ -36,2 +46,2 @@ To give a non-admin user full access to all MSK Connect functionality, attach a
-                    "StringLike": {
-                        "iam:AWSServiceName": "kafkaconnect.amazonaws.com"
+            "StringEquals": {
+              "iam:PassedToService": "kafkaconnect.amazonaws.com"
@@ -41,0 +52 @@ To give a non-admin user full access to all MSK Connect functionality, attach a
+          "Sid": "EC2NetworkAccess",
@@ -44,2 +55,6 @@ To give a non-admin user full access to all MSK Connect functionality, attach a
-                    "iam:AttachRolePolicy",
-                    "iam:PutRolePolicy"
+            "ec2:CreateNetworkInterface",
+            "ec2:DescribeNetworkInterfaces",
+            "ec2:DeleteNetworkInterface",
+            "ec2:DescribeVpcs",
+            "ec2:DescribeSubnets",
+            "ec2:DescribeSecurityGroups"
@@ -47,11 +62 @@ To give a non-admin user full access to all MSK Connect functionality, attach a
-                "Resource": "arn:aws:iam::*:role/aws-service-role/kafkaconnect.amazonaws.com/AWSServiceRoleForKafkaConnect*"
-            },
-            {
-                "Effect": "Allow",
-                "Action": "iam:CreateServiceLinkedRole",
-                "Resource": "arn:aws:iam::*:role/aws-service-role/delivery.logs.amazonaws.com/AWSServiceRoleForLogDelivery*",
-                "Condition": {
-                    "StringLike": {
-                        "iam:AWSServiceName": "delivery.logs.amazonaws.com"
-                    }
-                }
+          "Resource": "*"
@@ -59,0 +65 @@ To give a non-admin user full access to all MSK Connect functionality, attach a
+          "Sid": "MSKClusterAccess",
@@ -62,2 +68,3 @@ To give a non-admin user full access to all MSK Connect functionality, attach a
-                    "s3:PutBucketPolicy",
-                    "s3:GetBucketPolicy"
+            "kafka:DescribeCluster",
+            "kafka:DescribeClusterV2",
+            "kafka:GetBootstrapBrokers"
@@ -65,6 +72 @@ To give a non-admin user full access to all MSK Connect functionality, attach a
-                "Resource": "ARN of the Amazon S3 bucket to which you want MSK Connect to deliver logs"
-            },
-            {
-                "Effect": "Allow",
-                "Action": "iam:PassRole",
-                "Resource": "ARN of the service execution role"
+          "Resource": "arn:aws:kafkaconnect:us-east-1:123456789012:cluster/myCluster/"
@@ -72,0 +75 @@ To give a non-admin user full access to all MSK Connect functionality, attach a
+          "Sid": "MSKLogGroupAccess",
@@ -74,2 +77,10 @@ To give a non-admin user full access to all MSK Connect functionality, attach a
-                "Action": "s3:GetObject",
-                "Resource": "ARN of the Amazon S3 object that corresponds to the custom plugin that you want to use for creating connectors"
+          "Action": [
+            "logs:CreateLogGroup",
+            "logs:CreateLogStream",
+            "logs:PutLogEvents",
+            "logs:DescribeLogStreams",
+            "logs:DescribeLogGroups"
+          ],
+          "Resource": [
+            "arn:aws:logs:us-east-1:123456789012:log-group:/aws/msk-connect/*"
+          ]
@@ -77,0 +89 @@ To give a non-admin user full access to all MSK Connect functionality, attach a
+          "Sid": "S3PluginAccess",
@@ -79,2 +91,9 @@ To give a non-admin user full access to all MSK Connect functionality, attach a
-                "Action": "firehose:TagDeliveryStream",
-                "Resource": "ARN of the Firehose delivery stream to which you want MSK Connect to deliver logs"
+          "Action": [
+            "s3:GetObject",
+            "s3:ListBucket",
+            "s3:PutObject"
+          ],
+          "Resource": [
+            "arn:aws:s3:::amzn-s3-demo-bucket1-custom-plugins",
+            "arn:aws:s3:::amzn-s3-demo-bucket1-custom-plugins/*"
+          ]