AWS Security ChangesHomeSearch

AWS msk documentation change

Service: msk · 2026-05-22 · Documentation low

File: msk/latest/developerguide/msk-replicator-create-iam-perms.md

Summary

Restructured IAM policy documentation for MSK Replicator creation, separating base permissions from log delivery requirements and adding explicit resource placeholders.

Security assessment

The changes clarify IAM permission requirements but show no evidence of addressing a specific vulnerability. Updates include resource ARN placeholders (<accountID>, <region>) and explicit notes about EC2 actions requiring wildcard resources, improving security posture through least-privilege guidance without referencing any security incident.

Diff

diff --git a/msk/latest/developerguide/msk-replicator-create-iam-perms.md b/msk/latest/developerguide/msk-replicator-create-iam-perms.md
index 25673ee80..dda88fe00 100644
--- a//msk/latest/developerguide/msk-replicator-create-iam-perms.md
+++ b//msk/latest/developerguide/msk-replicator-create-iam-perms.md
@@ -7 +7 @@
-# IAM permissions required to create an MSK Replicator
+Base IAM policy
@@ -9 +9 @@
-Here is an example of the IAM policy required to create an MSK Replicator. The action `kafka:TagResource` is only needed if tags are provided when creating the MSK Replicator. Replicator IAM policies should be attached to the IAM role that corresponds to your client. For information about creating authorization policies, see [Create authorization policies](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#create-iam-access-control-policies).
+# IAM permissions required to create an MSK Replicator
@@ -11 +11 @@ Here is an example of the IAM policy required to create an MSK Replicator. The a
-JSON
+The IAM principal (user or role) that calls `CreateReplicator` needs the permissions described in this section. Attach this policy to the IAM identity that corresponds to your client. For general guidance on creating authorization policies, see [Create authorization policies](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#create-iam-access-control-policies).
@@ -12,0 +13 @@ JSON
+Start with the **base policy** below. If you also configure log delivery, append the snippet for each destination you use (see [Additional permissions for log delivery](./msk-replicator-create-iam-perms-logs.html)). For self-managed Apache Kafka migration scenarios, see additional service execution role guidance in [Migrate from non-MSK Apache Kafka clusters to Amazon MSK Express brokers](./msk-replicator-migrate-external.html).
@@ -14 +15 @@ JSON
-****
+## Base IAM policy
@@ -15,0 +17 @@ JSON
+Replace the placeholders with your account ID, AWS Region, service execution role name, and source and target cluster ARNs. The action `kafka:TagResource` is only needed if you provide tags during creation.
@@ -25 +27 @@ JSON
-          "Resource": "arn:aws:iam::123456789012:role/MSKReplicationRole",
+                "Resource": "arn:aws:iam::<accountID>:role/<serviceExecutionRoleName>",
@@ -36 +38 @@ JSON
-          "Resource": "arn:aws:iam::123456789012:role/aws-service-role/kafka.amazonaws.com/AWSServiceRoleForKafka*"
+                "Resource": "arn:aws:iam::<accountID>:role/aws-service-role/kafka.amazonaws.com/AWSServiceRoleForKafka*"
@@ -39 +41 @@ JSON
-          "Sid": "MSKReplicatorEC2Actions",
+                "Sid": "MSKReplicatorActions",
@@ -42,4 +44,7 @@ JSON
-            "ec2:DescribeSubnets",
-            "ec2:DescribeSecurityGroups",
-            "ec2:DescribeVpcs",
-            "ec2:CreateNetworkInterface"
+                    "kafka:CreateReplicator",
+                    "kafka:DescribeReplicator",
+                    "kafka:DeleteReplicator",
+                    "kafka:ListReplicators",
+                    "kafka:ListTagsForResource",
+                    "kafka:UpdateReplicationInfo",
+                    "kafka:TagResource"
@@ -48,4 +53 @@ JSON
-            "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0abcd1234ef56789",
-            "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123abcd4567ef89",
-            "arn:aws:ec2:us-east-1:123456789012:network-interface/eni-0a1b2c3d4e5f67890",
-            "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0a1b2c3d4e5f67890"
+                    "arn:aws:kafka:<region>:<accountID>:replicator/*"
@@ -55 +57 @@ JSON
-          "Sid": "MSKReplicatorActions",
+                "Sid": "MSKReplicatorListActions",
@@ -58,2 +60 @@ JSON
-            "kafka:CreateReplicator",
-            "kafka:TagResource"
+                    "kafka:ListReplicators"
@@ -62,2 +63 @@ JSON
-            "arn:aws:kafka:us-east-1:123456789012:cluster/myCluster/abcd1234-56ef-78gh-90ij-klmnopqrstuv",
-            "arn:aws:kafka:us-east-1:123456789012:replicator/myReplicator/wxyz9876-54vu-32ts-10rq-ponmlkjihgfe"
+                    "*"
@@ -65,11 +65 @@ JSON
-        }
-      ]
-    }
-    
-
-The following is an example IAM policy to describe a replicator.
-
-****
-    
-    
-    
+            },
@@ -77,2 +67,11 @@ The following is an example IAM policy to describe a replicator.
-        "Version":"2012-10-17",
-        "Statement": [
+                "Sid": "EC2Actions",
+                "Effect": "Allow",
+                "Action": [
+                    "ec2:DescribeSubnets",
+                    "ec2:DescribeSecurityGroups",
+                    "ec2:DescribeVpcs"
+                ],
+                "Resource": [
+                    "*"
+                ]
+            },
@@ -80 +79 @@ The following is an example IAM policy to describe a replicator.
-                "Sid": "VisualEditor1",
+                "Sid": "MSKClusterActions",
@@ -83,2 +82,2 @@ The following is an example IAM policy to describe a replicator.
-                    "kafka:DescribeReplicator",
-                    "kafka:ListTagsForResource"
+                    "kafka:GetBootstrapBrokers",
+                    "kafka:DescribeClusterV2"
@@ -86 +85,4 @@ The following is an example IAM policy to describe a replicator.
-                "Resource": "*"
+                "Resource": [
+                    "<sourceClusterArn>",
+                    "<targetClusterArn>"
+                ]
@@ -94 +95 @@ The following is an example IAM policy to describe a replicator.
-When log delivery is enabled, your IAM role must have the additional permissions required to write to the configured log destination. For the required permissions, see [Enabling logging from AWS services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-vended-logs-permissions.html).
+The `ec2:DescribeSubnets`, `ec2:DescribeSecurityGroups`, and `ec2:DescribeVpcs` actions do not support resource-level permissions, so you must specify `"Resource": "*"`. See the [Actions, resources, and condition keys for Amazon EC2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html) reference.
@@ -104 +105 @@ Encryption
-IAM permissions reference
+Log delivery permissions