AWS Security ChangesHomeSearch

AWS lambda low security documentation change

Service: lambda · 2025-05-10 · Security-related low

File: lambda/latest/dg/with-msk-configure.md

Summary

Added documentation about Lambda's bootstrap broker selection logic based on authentication methods

Security assessment

The new section explains security-sensitive authentication prioritization (mTLS > SASL/SCRAM > IAM > TLS > plaintext) and warns about intentional configuration requirements for weaker methods. This directly addresses secure communication practices and prevents accidental use of insecure protocols.

Diff

diff --git a/lambda/latest/dg/with-msk-configure.md b/lambda/latest/dg/with-msk-configure.md
index 01594697a..b31ae6cc7 100644
--- a//lambda/latest/dg/with-msk-configure.md
+++ b//lambda/latest/dg/with-msk-configure.md
@@ -157,0 +158,2 @@ Lambda needs permission to access your Amazon MSK cluster, retrieve records, and
+  * How Lambda chooses a bootstrap broker
+
@@ -253,0 +256,21 @@ For more information about IAM authentication in Amazon MSK, see [IAM access con
+### How Lambda chooses a bootstrap broker
+
+Lambda chooses a [ bootstrap broker](https://docs.aws.amazon.com/msk/latest/developerguide/msk-get-bootstrap-brokers.html) based on the authentication methods available on your cluster, and whether you provide a secret for authentication. If you provide a secret for mTLS or SASL/SCRAM, Lambda automatically chooses that auth method. If you don't provide a secret, Lambda selects the strongest auth method that's active on your cluster. The following is the order of priority in which Lambda selects a broker, from strongest to weakest auth:
+
+  * mTLS (secret provided for mTLS)
+
+  * SASL/SCRAM (secret provided for SASL/SCRAM)
+
+  * SASL IAM (no secret provided, and IAM auth active)
+
+  * Unauthenticated TLS (no secret provided, and IAM auth not active)
+
+  * Plaintext (no secret provided, and both IAM auth and unauthenticated TLS are not active)
+
+
+
+
+###### Note
+
+If Lambda can't connect to the most secure broker type, Lambda doesn't attempt to connect to a different (weaker) broker type. If you want Lambda to choose a weaker broker type, deactivate all stronger auth methods on your cluster.
+