AWS lambda low security documentation change
Summary
Added documentation about Lambda's bootstrap broker selection logic based on authentication methods
Security assessment
The new section explains security-sensitive authentication prioritization (mTLS > SASL/SCRAM > IAM > TLS > plaintext) and warns about intentional configuration requirements for weaker methods. This directly addresses secure communication practices and prevents accidental use of insecure protocols.
Diff
diff --git a/lambda/latest/dg/with-msk-configure.md b/lambda/latest/dg/with-msk-configure.md index 01594697a..b31ae6cc7 100644 --- a//lambda/latest/dg/with-msk-configure.md +++ b//lambda/latest/dg/with-msk-configure.md @@ -157,0 +158,2 @@ Lambda needs permission to access your Amazon MSK cluster, retrieve records, and + * How Lambda chooses a bootstrap broker + @@ -253,0 +256,21 @@ For more information about IAM authentication in Amazon MSK, see [IAM access con +### How Lambda chooses a bootstrap broker + +Lambda chooses a [ bootstrap broker](https://docs.aws.amazon.com/msk/latest/developerguide/msk-get-bootstrap-brokers.html) based on the authentication methods available on your cluster, and whether you provide a secret for authentication. If you provide a secret for mTLS or SASL/SCRAM, Lambda automatically chooses that auth method. If you don't provide a secret, Lambda selects the strongest auth method that's active on your cluster. The following is the order of priority in which Lambda selects a broker, from strongest to weakest auth: + + * mTLS (secret provided for mTLS) + + * SASL/SCRAM (secret provided for SASL/SCRAM) + + * SASL IAM (no secret provided, and IAM auth active) + + * Unauthenticated TLS (no secret provided, and IAM auth not active) + + * Plaintext (no secret provided, and both IAM auth and unauthenticated TLS are not active) + + + + +###### Note + +If Lambda can't connect to the most secure broker type, Lambda doesn't attempt to connect to a different (weaker) broker type. If you want Lambda to choose a weaker broker type, deactivate all stronger auth methods on your cluster. +