AWS msk documentation change
Summary
Updated documentation about IAM access control support for WriteTxnMarkers API, clarifying support exists for Kafka 3.8+ while earlier versions require SCRAM/mTLS authentication
Security assessment
The change provides updated guidance on authentication methods (IAM vs SCRAM/mTLS) for transaction termination but doesn't indicate any security vulnerability being fixed. It enhances documentation about security features by clarifying authentication requirements.
Diff
diff --git a/msk/latest/developerguide/kafka-actions.md b/msk/latest/developerguide/kafka-actions.md index 0476cacd4..b3d0f0e9f 100644 --- a//msk/latest/developerguide/kafka-actions.md +++ b//msk/latest/developerguide/kafka-actions.md @@ -9 +9,3 @@ Authorization policy actionsAuthorization policy resources -Currently, IAM access control for Amazon MSK doesn't support internal cluster actions for Kafka. This includes the WriteTxnMarkers API, which Kafka uses to terminate transactions. To terminate transactions, we recommend that you use SCRAM or mTLS authentication with appropriate ACLs instead of IAM authentication. +###### Note + +For clusters running Apache Kafka version 3.8 or later, IAM access control supports the WriteTxnMarkers API for terminating transactions. For clusters running Kafka versions earlier than 3.8, IAM access control doesn't support internal cluster actions including WriteTxnMarkers. For these earlier versions, to terminate transactions, use SCRAM or mTLS authentication with appropriate ACLs instead of IAM authentication.