AWS serverless-application-model documentation change
Summary
Added documentation for Schema Registry configuration requirements, IAM role permissions examples, and new configuration examples for AWS Glue/Confluent Schema Registry integration
Security assessment
The changes add security-related IAM policy requirements for accessing secrets (BASIC_AUTH), KMS keys, and Glue Schema Registry. This documents secure configuration practices but does not indicate a specific vulnerability being fixed.
Diff
diff --git a/serverless-application-model/latest/developerguide/sam-property-function-selfmanagedkafka.md b/serverless-application-model/latest/developerguide/sam-property-function-selfmanagedkafka.md index 260c06936..555bdc6f5 100644 --- a//serverless-application-model/latest/developerguide/sam-property-function-selfmanagedkafka.md +++ b//serverless-application-model/latest/developerguide/sam-property-function-selfmanagedkafka.md @@ -9 +9 @@ SyntaxPropertiesExamples -The object describing a `SelfManagedKafka` event source type. For more information, see [Using AWS Lambda with with self-managed Apache Kafka](https://docs.aws.amazon.com/lambda/latest/dg/with-kafka.html) in the _AWS Lambda Developer Guide_. +The object describing a `SelfManagedKafka` event source type. For more information, see [Using AWS Lambda with self-managed Apache Kafka](https://docs.aws.amazon.com/lambda/latest/dg/with-kafka.html) in the _AWS Lambda Developer Guide_. @@ -12,0 +13,2 @@ AWS Serverless Application Model (AWS SAM) generates an [AWS::Lambda::EventSourc +To use Schema Registry, you need to define specific IAM role permissions for your function. See [Complete setup with IAM roles](./sam-property-function-msk.html#sam-property-function-msk-example-complete) for an example of the required configuration. + @@ -27,0 +30 @@ To declare this entity in your AWS SAM template, use the following syntax. + SchemaRegistryConfig: [SchemaRegistryConfig](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-eventsourcemapping-schemaregistryconfig.html) @@ -131,0 +135,15 @@ _AWS CloudFormation compatibility_ : This property is passed directly to the `[P +`SchemaRegistryConfig` + + +Configuration for using a schema registry with the self-managed Kafka event source. + +###### Note + +This feature requires `ProvisionedPollerConfig` to be configured. + +_Type_ : SchemaRegistryConfig + +_Required_ : No + +_AWS CloudFormation compatibility:_ This property is passed directly to the `[SelfManagedKafkaEventSourceConfig](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-eventsourcemapping-selfmanagedkafkaeventsourceconfig)` property of an `AWS::Lambda::EventSourceMapping` resource. + @@ -143 +161 @@ _Required_ : Yes -_AWS CloudFormation compatibility_ : This property is passed directly to the `[ SourceAccessConfigurations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-eventsourcemapping.html#cfn-lambda-eventsourcemapping-sourceaccessconfigurations)` property of an `AWS::Lambda::EventSourceMapping` resource. +_AWS CloudFormation compatibility:_ This property is part of the [SelfManagedKafkaEventSourceConfig](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-lambda-eventsourcemapping-selfmanagedkafkaeventsourceconfig) property of an `AWS::Lambda::EventSourceMapping` resource. @@ -190,0 +209,91 @@ _AWS CloudFormation compatibility_ : This property is passed directly to the `[T +### Complete setup with IAM roles + +The following example shows a complete setup including the required IAM role configuration for using Schema Registry: + + + Parameters: + PreCreatedSubnetOne: + Type: String + PreCreatedSubnetTwo: + Type: String + + Resources: + MyLambdaExecutionRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Action: [sts:AssumeRole] + Effect: Allow + Principal: + Service: [lambda.amazonaws.com] + Policies: + - PolicyName: KafkaAuthPolicy + PolicyDocument: + Statement: + - Action: [secretsmanager:GetSecretValue, kms:Decrypt] + Effect: "Allow" + Resource: ['arn:aws:secretsmanager:us-west-2:123456789012:secret:kafkaSecret-******', + 'arn:aws:kms:us-west-2:123456789012:key/keyId'] + - PolicyName: ENIPolicy + PolicyDocument: + Statement: + - Action: [ec2:CreateNetworkInterface, + ec2:DescribeNetworkInterfaces, ec2:DescribeVpcs, ec2:DeleteNetworkInterface, + ec2:DescribeSubnets, ec2:DescribeSecurityGroups] + Effect: Allow + Resource: '*' + - PolicyName: SchemaRegistryPolicy + PolicyDocument: + Statement: + - Action: [glue:GetRegistry] + Effect: Allow + Resource: 'arn:aws:glue:{region}:{account-id}:registry/{registry-name}' + - PolicyName: SchemaVersionsPolicy + PolicyDocument: + Statement: + - Action: [glue:GetSchemaVersions] + Effect: Allow + Resource: '*' + ManagedPolicyArns: + - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole + Tags: + - {Value: SAM, Key: lambda:createdBy} + + MyKafkaProcessor: + Type: AWS::Serverless::Function + Properties: + Runtime: nodejs18.x + Handler: index.handler + CodeUri: ${codeuri} + Role: + Fn::GetAtt: [MyLambdaExecutionRole, Arn] + Events: + SelfManagedKafkaEvent: + Type: SelfManagedKafka + Properties: + KafkaBootstrapServers: + - my-kafka-broker-1:9092 + - my-kafka-broker-2:9092 + Topics: + - SchemaRegistryTestTopic + StartingPosition: LATEST + SourceAccessConfigurations: + - Type: VPC_SUBNET + URI: subnet:subnet-12345678 + - Type: VPC_SECURITY_GROUP + URI: security_group:sg-12345678 + - Type: BASIC_AUTH + URI: !Sub arn:${AWS::Partition}:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c + ProvisionedPollerConfig: + MinimumPollers: 1 + SchemaRegistryConfig: + AccessConfigs: + - Type: BASIC_AUTH + URI: !Sub arn:${AWS::Partition}:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c + SchemaValidationConfigs: + - Attribute: KEY + EventRecordFormat: JSON + SchemaRegistryURI: !Sub arn:${AWS::Partition}:glue:us-west-2:123456789012:registry/myregistry + @@ -219,0 +329,61 @@ The following is an example of a `SelfManagedKafka` event source type. +### Self-managed Kafka Event Source with AWS Glue Schema Registry + +The following is an example of a `SelfManagedKafka` event source type configured with AWS Glue Schema Registry. + + + Events: + SelfManagedKafkaEvent: + Type: SelfManagedKafka + Properties: + KafkaBootstrapServers: + - abc.xyz.com:9092 + Topics: + - SchemaRegistryTestTopic + StartingPosition: LATEST + ProvisionedPollerConfig: + MinimumPollers: 1 + SchemaRegistryConfig: + SchemaRegistryURI: !Sub arn:${AWS::Partition}:glue:us-west-2:123456789012:registry/myregistry + EventRecordFormat: JSON + SchemaValidationConfigs: + - Attribute: KEY + - Attribute: VALUE + SourceAccessConfigurations: + - Type: VPC_SUBNET + URI: subnet:subnet-12345678 + - Type: VPC_SECURITY_GROUP + URI: security_group:sg-12345678 + +### Self-managed Kafka Event Source with Confluent Schema Registry + +The following is an example of a `SelfManagedKafka` event source type configured with Confluent Schema Registry. + + + Events: + SelfManagedKafkaEvent: + Type: SelfManagedKafka + Properties: + KafkaBootstrapServers: + - abc.xyz.com:9092 + Topics: + - SchemaRegistryTestTopic + StartingPosition: LATEST + ProvisionedPollerConfig: + MinimumPollers: 1 + SchemaRegistryConfig: + SchemaRegistryURI: https://my-schema-registry.confluent.cloud + AccessConfigs: + - Type: BASIC_AUTH + URI: !Sub arn:${AWS::Partition}:secretsmanager:us-west-2:123456789012:secret:my-secret + EventRecordFormat: JSON + SchemaValidationConfigs: + - Attribute: KEY + - Attribute: VALUE + SourceAccessConfigurations: + - Type: VPC_SUBNET + URI: subnet:subnet-12345678 + - Type: VPC_SECURITY_GROUP + URI: security_group:sg-12345678 + - Type: BASIC_AUTH + URI: !Sub arn:${AWS::Partition}:secretsmanager:us-west-2:123456789012:secret:kafka-secret +