AWS Security ChangesHomeSearch

AWS lambda documentation change

Service: lambda · 2025-11-22 · Documentation low

File: lambda/latest/dg/with-msk-permissions.md

Summary

Restructured permissions documentation for Amazon MSK event source mappings, added console auto-permission generation guidance, updated required permissions with cluster/VPC details, and clarified IAM authentication requirements

Security assessment

The changes improve documentation about required IAM permissions for secure MSK access, including cross-account requirements and IAM authentication details. While these relate to security best practices, there is no evidence of addressing a specific vulnerability. The updates help prevent misconfigurations but don't reference a security incident.

Diff

diff --git a/lambda/latest/dg/with-msk-permissions.md b/lambda/latest/dg/with-msk-permissions.md
index 4f7121f20..2c69eb33d 100644
--- a//lambda/latest/dg/with-msk-permissions.md
+++ b//lambda/latest/dg/with-msk-permissions.md
@@ -5 +5 @@
-Basic permissionsCluster access permissionsVPC permissionsOptional permissions
+Required permissionsOptional permissions
@@ -7 +7 @@ Basic permissionsCluster access permissionsVPC permissionsOptional permissions
-# Configuring Lambda execution role permissions
+# Configuring Lambda permissions for Amazon MSK event source mappings
@@ -11 +11,5 @@ To access the Amazon MSK cluster, your function and event source mapping need pe
-To cover all required permissions, you can attach the [AWSLambdaMSKExecutionRole](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambdaMSKExecutionRole.html) managed policy to your execution role. Alternatively, you can add each permission manually.
+The [AWSLambdaMSKExecutionRole](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambdaMSKExecutionRole.html) managed policy contains the minimum required permissions for Amazon MSK Lambda event source mappings. To simplify the permissions process, you can:
+
+  * Attach the [AWSLambdaMSKExecutionRole](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambdaMSKExecutionRole.html) managed policy to your execution role.
+
+  * Let the Lambda console generate the permissions for you. When you [create an Amazon MSK event source mapping in the console](./msk-esm-create.html#msk-console), Lambda evaluates your execution role and alerts you if any permissions are missing. Choose **Generate permissions** to automatically update your execution role. This doesn't work if you manually created or modified your execution role policies, or if the policies are attached to multiple roles. Note that additional permissions may still be required in your execution role when using advanced features such as [On-Failure Destination](./kafka-on-failure.html) or [AWS Glue Schema Registry](./services-consume-kafka-events.html).
@@ -13 +16,0 @@ To cover all required permissions, you can attach the [AWSLambdaMSKExecutionRole
-###### Topics
@@ -15 +17,0 @@ To cover all required permissions, you can attach the [AWSLambdaMSKExecutionRole
-  * Basic permissions
@@ -17 +18,0 @@ To cover all required permissions, you can attach the [AWSLambdaMSKExecutionRole
-  * Cluster access permissions
@@ -19 +20,3 @@ To cover all required permissions, you can attach the [AWSLambdaMSKExecutionRole
-  * VPC permissions
+###### Topics
+
+  * Required permissions
@@ -26 +29 @@ To cover all required permissions, you can attach the [AWSLambdaMSKExecutionRole
-## Basic permissions
+## Required permissions
@@ -28 +31,5 @@ To cover all required permissions, you can attach the [AWSLambdaMSKExecutionRole
-Your Lambda function execution role must have the following required permissions to create and store logs in CloudWatch Logs.
+Your Lambda function execution role must have the following required permissions for Amazon MSK event source mappings. These permissions are included in the [AWSLambdaMSKExecutionRole](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambdaMSKExecutionRole.html) managed policy.
+
+### CloudWatch Logs permissions
+
+The following permissions allow Lambda to create and store logs in Amazon CloudWatch Logs.
@@ -39 +46 @@ Your Lambda function execution role must have the following required permissions
-## Cluster access permissions
+### MSK cluster permissions
@@ -41 +48 @@ Your Lambda function execution role must have the following required permissions
-For Lambda to access your Amazon MSK cluster on your behalf, your Lambda function must have the following permissions in its execution role:
+The following permissions allow Lambda to access your Amazon MSK cluster on your behalf:
@@ -49,4 +55,0 @@ For Lambda to access your Amazon MSK cluster on your behalf, your Lambda functio
-  * [kafka:DescribeVpcConnection](https://docs.aws.amazon.com/msk/1.0/apireference/vpc-connection-arn.html): Only required for cross-account event source mappings.
-
-  * [kafka:ListVpcConnections](https://docs.aws.amazon.com/msk/1.0/apireference/vpc-connections.html): Not required in execution role, but required for an IAM principal that is creating a cross-account event source mapping.
-
@@ -56 +59 @@ For Lambda to access your Amazon MSK cluster on your behalf, your Lambda functio
-You only need to add one of either [ kafka:DescribeCluster](https://docs.aws.amazon.com/msk/1.0/apireference/clusters-clusterarn.html) or [ kafka:DescribeClusterV2](https://docs.aws.amazon.com/MSK/2.0/APIReference/v2-clusters-clusterarn.html). For provisioned Amazon MSK clusters, either permission works. For serverless Amazon MSK clusters, you must use [kafka:DescribeClusterV2](https://docs.aws.amazon.com/MSK/2.0/APIReference/v2-clusters-clusterarn.html).
+We recommend using [kafka:DescribeClusterV2](https://docs.aws.amazon.com/MSK/2.0/APIReference/v2-clusters-clusterarn.html) instead of [kafka:DescribeCluster](https://docs.aws.amazon.com/msk/1.0/apireference/clusters-clusterarn.html). The v2 permission works with both provisioned and serverless Amazon MSK clusters. You only need one of these permissions in your policy.
@@ -58 +61 @@ You only need to add one of either [ kafka:DescribeCluster](https://docs.aws.ama
-###### Note
+### VPC permissions
@@ -60,5 +63 @@ You only need to add one of either [ kafka:DescribeCluster](https://docs.aws.ama
-Lambda eventually plans to remove the [ kafka:DescribeCluster](https://docs.aws.amazon.com/msk/1.0/apireference/clusters-clusterarn.html) permission from the [AWSLambdaMSKExecutionRole](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambdaMSKExecutionRole.html) managed policy. If you use this policy, migrate any applications using [kafka:DescribeCluster](https://docs.aws.amazon.com/msk/1.0/apireference/clusters-clusterarn.html) to use [kafka:DescribeClusterV2](https://docs.aws.amazon.com/MSK/2.0/APIReference/v2-clusters-clusterarn.html) instead.
-
-## VPC permissions
-
-If your Amazon MSK cluster is in a private subnet of your VPC, your Lambda function must have additional permissions to access your Amazon VPC resources. These include your VPC, subnets, security groups, and network interfaces. Your function's execution role must have the following permissions:
+The following permissions allow Lambda to create and manage network interfaces when connecting to your Amazon MSK cluster:
@@ -84,0 +84,2 @@ Your Lambda function might also need permissions to:
+  * Access cross-account Amazon MSK clusters. For cross-account event source mappings, you need [kafka:DescribeVpcConnection](https://docs.aws.amazon.com/msk/1.0/apireference/vpc-connection-arn.html) in the execution role. An IAM principal creating a cross-account event source mapping needs [kafka:ListVpcConnections](https://docs.aws.amazon.com/msk/1.0/apireference/vpc-connections.html).
+
@@ -89 +90 @@ Your Lambda function might also need permissions to:
-  * Access your AWS KMS customer-managed key, if you want to [encrypt your filter criteria](./invocation-eventfiltering.html). This helps keep your message filtering rules secret.
+  * Access your AWS KMS customer managed key, if your AWS Secrets Manager secret is encrypted with an AWS KMS customer managed key.
@@ -98,0 +100,2 @@ Your Lambda function might also need permissions to:
+  * Access Kafka cluster consumer groups and poll messages from the topic, if you're using IAM authentication for the event source mapping.
+
@@ -113,0 +117,10 @@ These correspond to the following required permissions:
+  * [kafka-cluster:Connect](https://docs.aws.amazon.com/service-authorization/latest/reference/list_apachekafkaapisforamazonmskclusters.html) \- Grants permission to connect and authenticate to the cluster
+
+  * [kafka-cluster:AlterGroup](https://docs.aws.amazon.com/service-authorization/latest/reference/list_apachekafkaapisforamazonmskclusters.html) \- Grants permission to join groups on a cluster, equivalent to Apache Kafka's READ GROUP ACL
+
+  * [kafka-cluster:DescribeGroup](https://docs.aws.amazon.com/service-authorization/latest/reference/list_apachekafkaapisforamazonmskclusters.html) \- Grants permission to describe groups on a cluster, equivalent to Apache Kafka's DESCRIBE GROUP ACL
+
+  * [kafka-cluster:DescribeTopic](https://docs.aws.amazon.com/service-authorization/latest/reference/list_apachekafkaapisforamazonmskclusters.html) \- Grants permission to describe topics on a cluster, equivalent to Apache Kafka's DESCRIBE TOPIC ACL
+
+  * [kafka-cluster:ReadData](https://docs.aws.amazon.com/service-authorization/latest/reference/list_apachekafkaapisforamazonmskclusters.html) \- Grants permission to read data from topics on a cluster, equivalent to Apache Kafka's READ TOPIC ACL
+