AWS Security ChangesHomeSearch

AWS msk documentation change

Service: msk · 2025-04-03 · Documentation medium

File: msk/latest/developerguide/security_iam_service-with-iam-tags.md

Summary

Added detailed IAM policy example for tag-based access control and clarified topic/consumer group tagging requirements

Security assessment

Enhances documentation of security controls by demonstrating tag-based authorization policies, but doesn't address a specific vulnerability. Improves security guidance without evidence of fixing existing issues.

Diff

diff --git a/msk/latest/developerguide/security_iam_service-with-iam-tags.md b/msk/latest/developerguide/security_iam_service-with-iam-tags.md
index 23fec78ab..c462fcaeb 100644
--- a//msk/latest/developerguide/security_iam_service-with-iam-tags.md
+++ b//msk/latest/developerguide/security_iam_service-with-iam-tags.md
@@ -7 +7 @@
-You can attach tags to Amazon MSK clusters. To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `kafka:ResourceTag/`key-name``, `aws:RequestTag/`key-name``, or `aws:TagKeys` condition keys. For more information about tagging Amazon MSK resources, see [Tag an Amazon MSK cluster](./msk-tagging.html).
+You can attach tags to Amazon MSK clusters. To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `kafka:ResourceTag/`key-name``, `aws:RequestTag/`key-name``, or `aws:TagKeys` condition keys. For information about tagging Amazon MSK resources, see [Tag an Amazon MSK cluster](./msk-tagging.html).
@@ -9 +9,40 @@ You can attach tags to Amazon MSK clusters. To control access based on tags, you
-To view an example identity-based policy for limiting access to a cluster based on the tags on that cluster, see [Accessing Amazon MSK clusters based on tags](./security_iam_id-based-policy-examples-view-widget-tags.html).
+You can only control cluster access with the help of tags. To tag topics and consumer groups, you need to add a separate statement in your policies without tags.
+
+To view example of an identity-based policy for limiting access to a cluster based on the tags on that cluster, see [Accessing Amazon MSK clusters based on tags](./security_iam_id-based-policy-examples-view-widget-tags.html).
+
+You can use conditions in your identity-based policy to control access to Amazon MSK resources based on tags. The following example shows a policy that allows a user to describe the cluster, get its bootstrap brokers, list its broker nodes, update it, and delete it. However, this policy grants permission only if the cluster tag `Owner` has the value of that user's `username`. The second statement in the following policy allows access to the topics on the cluster. The first statement in this policy doesn't authorize any topic access.
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "AccessClusterIfOwner",
+          "Effect": "Allow",
+          "Action": [
+            "kafka:Describe*",
+            "kafka:Get*",
+            "kafka:List*",
+            "kafka:Update*",
+            "kafka:Delete*"
+          ],
+          "Resource": "arn:aws:kafka:us-east-1:123456789012:cluster/*",
+          "Condition": {
+            "StringEquals": {
+              "aws:ResourceTag/Owner": "${aws:username}"
+            }
+          }
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "kafka-cluster:*Topic*",
+            "kafka-cluster:WriteData",
+            "kafka-cluster:ReadData"
+          ],
+          "Resource": [
+            "arn:aws:kafka:us-east-1:123456789012:topic/*"
+          ]
+        }
+      ]
+    }