AWS Security ChangesHomeSearch

AWS serverless-application-model documentation change

Service: serverless-application-model · 2025-06-22 · Documentation medium

File: serverless-application-model/latest/developerguide/sam-property-function-selfmanagedkafka.md

Summary

Added documentation for Schema Registry configuration requirements, IAM role permissions examples, and new configuration examples for AWS Glue/Confluent Schema Registry integration

Security assessment

The changes add security-related IAM policy requirements for accessing secrets (BASIC_AUTH), KMS keys, and Glue Schema Registry. This documents secure configuration practices but does not indicate a specific vulnerability being fixed.

Diff

diff --git a/serverless-application-model/latest/developerguide/sam-property-function-selfmanagedkafka.md b/serverless-application-model/latest/developerguide/sam-property-function-selfmanagedkafka.md
index 260c06936..555bdc6f5 100644
--- a//serverless-application-model/latest/developerguide/sam-property-function-selfmanagedkafka.md
+++ b//serverless-application-model/latest/developerguide/sam-property-function-selfmanagedkafka.md
@@ -9 +9 @@ SyntaxPropertiesExamples
-The object describing a `SelfManagedKafka` event source type. For more information, see [Using AWS Lambda with with self-managed Apache Kafka](https://docs.aws.amazon.com/lambda/latest/dg/with-kafka.html) in the _AWS Lambda Developer Guide_.
+The object describing a `SelfManagedKafka` event source type. For more information, see [Using AWS Lambda with self-managed Apache Kafka](https://docs.aws.amazon.com/lambda/latest/dg/with-kafka.html) in the _AWS Lambda Developer Guide_.
@@ -12,0 +13,2 @@ AWS Serverless Application Model (AWS SAM) generates an [AWS::Lambda::EventSourc
+To use Schema Registry, you need to define specific IAM role permissions for your function. See [Complete setup with IAM roles](./sam-property-function-msk.html#sam-property-function-msk-example-complete) for an example of the required configuration.
+
@@ -27,0 +30 @@ To declare this entity in your AWS SAM template, use the following syntax.
+      SchemaRegistryConfig: [SchemaRegistryConfig](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-eventsourcemapping-schemaregistryconfig.html)
@@ -131,0 +135,15 @@ _AWS CloudFormation compatibility_ : This property is passed directly to the `[P
+`SchemaRegistryConfig`
+    
+
+Configuration for using a schema registry with the self-managed Kafka event source.
+
+###### Note
+
+This feature requires `ProvisionedPollerConfig` to be configured.
+
+_Type_ : SchemaRegistryConfig
+
+_Required_ : No
+
+_AWS CloudFormation compatibility:_ This property is passed directly to the `[SelfManagedKafkaEventSourceConfig](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-eventsourcemapping-selfmanagedkafkaeventsourceconfig)` property of an `AWS::Lambda::EventSourceMapping` resource.
+
@@ -143 +161 @@ _Required_ : Yes
-_AWS CloudFormation compatibility_ : This property is passed directly to the `[ SourceAccessConfigurations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-eventsourcemapping.html#cfn-lambda-eventsourcemapping-sourceaccessconfigurations)` property of an `AWS::Lambda::EventSourceMapping` resource.
+_AWS CloudFormation compatibility:_ This property is part of the [SelfManagedKafkaEventSourceConfig](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-lambda-eventsourcemapping-selfmanagedkafkaeventsourceconfig) property of an `AWS::Lambda::EventSourceMapping` resource.
@@ -190,0 +209,91 @@ _AWS CloudFormation compatibility_ : This property is passed directly to the `[T
+### Complete setup with IAM roles
+
+The following example shows a complete setup including the required IAM role configuration for using Schema Registry:
+    
+    
+    Parameters:
+      PreCreatedSubnetOne:
+        Type: String
+      PreCreatedSubnetTwo:
+        Type: String
+     
+    Resources:
+      MyLambdaExecutionRole:
+        Type: AWS::IAM::Role
+        Properties:
+          AssumeRolePolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+            - Action: [sts:AssumeRole]
+              Effect: Allow
+              Principal:
+                Service: [lambda.amazonaws.com]
+          Policies:
+          - PolicyName: KafkaAuthPolicy
+            PolicyDocument:
+              Statement:
+              - Action: [secretsmanager:GetSecretValue, kms:Decrypt]
+                Effect: "Allow"            
+                Resource: ['arn:aws:secretsmanager:us-west-2:123456789012:secret:kafkaSecret-******',
+                            'arn:aws:kms:us-west-2:123456789012:key/keyId']
+          - PolicyName: ENIPolicy
+            PolicyDocument:
+              Statement:
+              - Action: [ec2:CreateNetworkInterface,
+                  ec2:DescribeNetworkInterfaces, ec2:DescribeVpcs, ec2:DeleteNetworkInterface,
+                  ec2:DescribeSubnets, ec2:DescribeSecurityGroups]
+                Effect: Allow
+                Resource: '*'      
+          - PolicyName: SchemaRegistryPolicy
+            PolicyDocument:
+              Statement:
+              - Action: [glue:GetRegistry]
+                Effect: Allow
+                Resource: 'arn:aws:glue:{region}:{account-id}:registry/{registry-name}'
+          - PolicyName: SchemaVersionsPolicy
+            PolicyDocument:
+              Statement:
+              - Action: [glue:GetSchemaVersions]
+                Effect: Allow
+                Resource: '*'          
+          ManagedPolicyArns:
+          - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+          Tags:
+          - {Value: SAM, Key: lambda:createdBy}
+     
+      MyKafkaProcessor:
+        Type: AWS::Serverless::Function
+        Properties:
+          Runtime: nodejs18.x
+          Handler: index.handler
+          CodeUri: ${codeuri}
+          Role:
+            Fn::GetAtt: [MyLambdaExecutionRole, Arn]
+          Events:
+            SelfManagedKafkaEvent:
+              Type: SelfManagedKafka
+              Properties:
+                KafkaBootstrapServers:
+                  - my-kafka-broker-1:9092
+                  - my-kafka-broker-2:9092
+                Topics:
+                  - SchemaRegistryTestTopic
+                StartingPosition: LATEST
+                SourceAccessConfigurations:
+                  - Type: VPC_SUBNET
+                    URI: subnet:subnet-12345678
+                  - Type: VPC_SECURITY_GROUP
+                    URI: security_group:sg-12345678
+                  - Type: BASIC_AUTH
+                    URI: !Sub arn:${AWS::Partition}:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c
+                ProvisionedPollerConfig:
+                  MinimumPollers: 1
+                SchemaRegistryConfig:
+                  AccessConfigs:
+                  - Type: BASIC_AUTH
+                    URI: !Sub arn:${AWS::Partition}:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c
+                  SchemaValidationConfigs:
+                  - Attribute: KEY
+                  EventRecordFormat: JSON
+                  SchemaRegistryURI: !Sub arn:${AWS::Partition}:glue:us-west-2:123456789012:registry/myregistry
+
@@ -219,0 +329,61 @@ The following is an example of a `SelfManagedKafka` event source type.
+### Self-managed Kafka Event Source with AWS Glue Schema Registry
+
+The following is an example of a `SelfManagedKafka` event source type configured with AWS Glue Schema Registry.
+    
+    
+    Events:
+      SelfManagedKafkaEvent:
+        Type: SelfManagedKafka
+        Properties:
+          KafkaBootstrapServers:
+            - abc.xyz.com:9092
+          Topics:
+            - SchemaRegistryTestTopic
+          StartingPosition: LATEST
+          ProvisionedPollerConfig:
+            MinimumPollers: 1
+          SchemaRegistryConfig:
+            SchemaRegistryURI: !Sub arn:${AWS::Partition}:glue:us-west-2:123456789012:registry/myregistry
+            EventRecordFormat: JSON
+            SchemaValidationConfigs:
+              - Attribute: KEY
+              - Attribute: VALUE
+          SourceAccessConfigurations:
+            - Type: VPC_SUBNET
+              URI: subnet:subnet-12345678
+            - Type: VPC_SECURITY_GROUP
+              URI: security_group:sg-12345678
+
+### Self-managed Kafka Event Source with Confluent Schema Registry
+
+The following is an example of a `SelfManagedKafka` event source type configured with Confluent Schema Registry.
+    
+    
+    Events:
+      SelfManagedKafkaEvent:
+        Type: SelfManagedKafka
+        Properties:
+          KafkaBootstrapServers:
+            - abc.xyz.com:9092
+          Topics:
+            - SchemaRegistryTestTopic
+          StartingPosition: LATEST
+          ProvisionedPollerConfig:
+            MinimumPollers: 1
+          SchemaRegistryConfig:
+            SchemaRegistryURI: https://my-schema-registry.confluent.cloud
+            AccessConfigs:
+              - Type: BASIC_AUTH
+                URI: !Sub arn:${AWS::Partition}:secretsmanager:us-west-2:123456789012:secret:my-secret
+            EventRecordFormat: JSON
+            SchemaValidationConfigs:
+              - Attribute: KEY
+              - Attribute: VALUE
+          SourceAccessConfigurations:
+            - Type: VPC_SUBNET
+              URI: subnet:subnet-12345678
+            - Type: VPC_SECURITY_GROUP
+              URI: security_group:sg-12345678
+            - Type: BASIC_AUTH
+              URI: !Sub arn:${AWS::Partition}:secretsmanager:us-west-2:123456789012:secret:kafka-secret
+