AWS Security ChangesHomeSearch

AWS msk high security documentation change

Service: msk · 2025-06-19 · Security-related high

File: msk/latest/developerguide/kafka-actions.md

Summary

Added note that IAM authentication doesn't support Kafka's WriteTxnMarkers API, recommending SCRAM/mTLS with ACLs instead

Security assessment

Addresses authentication limitations in IAM for critical transaction termination API (WriteTxnMarkers), explicitly recommending more secure alternatives (SCRAM/mTLS). This directly impacts security controls for Kafka operations.

Diff

diff --git a/msk/latest/developerguide/kafka-actions.md b/msk/latest/developerguide/kafka-actions.md
index 0f71ce8d2..0476cacd4 100644
--- a//msk/latest/developerguide/kafka-actions.md
+++ b//msk/latest/developerguide/kafka-actions.md
@@ -8,0 +9,2 @@ Authorization policy actionsAuthorization policy resources
+Currently, IAM access control for Amazon MSK doesn't support internal cluster actions for Kafka. This includes the WriteTxnMarkers API, which Kafka uses to terminate transactions. To terminate transactions, we recommend that you use SCRAM or mTLS authentication with appropriate ACLs instead of IAM authentication.
+