AWS msk documentation change
Summary
Added examples for creating MSK Replicators using mTLS authentication and enhanced offset sync mode, including bidirectional replication configurations.
Security assessment
The changes add detailed configuration examples for mTLS authentication (mutual TLS), which is a security feature that provides certificate-based authentication and encrypted communication. This enhances documentation about securing data in transit but doesn't address any specific vulnerability.
Diff
diff --git a/msk/latest/developerguide/msk-replicator-external-api-examples.md b/msk/latest/developerguide/msk-replicator-external-api-examples.md index ee5e34e28..571ff7738 100644 --- a//msk/latest/developerguide/msk-replicator-external-api-examples.md +++ b//msk/latest/developerguide/msk-replicator-external-api-examples.md @@ -14,0 +15,2 @@ Use the following AWS CLI command to create a Replicator that replicates data fr +**Using SASL/SCRAM authentication:** + @@ -67,0 +70,54 @@ Use the following AWS CLI command to create a Replicator that replicates data fr +**Using mTLS authentication:** + + + aws kafka create-replicator \ + --replicator-name my-selfmanaged-to-msk-replicator \ + --description "Replicating from self-managed Kafka to MSK Express" \ + --service-execution-role-arn arn:aws:iam::123456789012:role/MSKReplicatorRole \ + --kafka-clusters '[ + { + "apacheKafkaCluster": { + "bootstrapBrokerString": "broker1:9095,broker2:9095,broker3:9095", + "apacheKafkaClusterId": "<self-managed-cluster-id>" + }, + "clientAuthentication": { + "MTLS": { + "secretArn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:kafka-mtls-creds" + } + }, + "encryptionInTransit": { + "encryptionType": "TLS", + "rootCaCertificate": "arn:aws:secretsmanager:us-east-1:123456789012:secret:kafka-ca-cert" + }, + "vpcConfig": { + "subnetIds": ["subnet-aaa","subnet-bbb","subnet-ccc"], + "securityGroupIds": ["sg-xxxxxxxxxxxxxxxxx"] + } + }, + { + "amazonMskCluster": { + "mskClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/msk-express/xxx" + }, + "vpcConfig": { + "subnetIds": ["subnet-ddd","subnet-eee","subnet-fff"], + "securityGroupIds": ["sg-yyyyyyyyy"] + } + }]' \ + --replication-info-list '[{ + "sourceKafkaClusterId": "<self-managed-cluster-id>", + "targetKafkaClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/msk-express/xxx", + "targetCompressionType": "NONE", + "topicReplication": { + "topicsToReplicate": [".*"], + "topicNameConfiguration": {"type": "IDENTICAL"}, + "startingPosition": {"type": "EARLIEST"}, + "detectAndCopyNewTopics": true, + "copyTopicConfigurations": true, + "copyAccessControlListsForTopics": true + }, + "consumerGroupReplication": { + "consumerGroupsToReplicate": [".*"], + "detectAndCopyNewConsumerGroups": true, + "synchroniseConsumerGroupOffsets": true + }}]' + @@ -71,0 +128,2 @@ To set up bidirectional replication for rollback capability, both the forward an +**Using SASL/SCRAM authentication:** + @@ -162,0 +221,112 @@ Then create the reverse Replicator (MSK Express to self-managed Kafka) also with + } + }]' \ + --replication-info-list '[{ + "sourceKafkaClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/msk-express/xxx", + "targetKafkaClusterId": "<self-managed-cluster-id>", + "targetCompressionType": "NONE", + "topicReplication": { + "topicsToReplicate": [".*"], + "topicNameConfiguration": {"type": "IDENTICAL"}, + "startingPosition": {"type": "LATEST"}, + "detectAndCopyNewTopics": true, + "copyTopicConfigurations": true, + "copyAccessControlListsForTopics": true + }, + "consumerGroupReplication": { + "consumerGroupsToReplicate": [".*"], + "detectAndCopyNewConsumerGroups": true, + "synchroniseConsumerGroupOffsets": true, + "consumerGroupOffsetSyncMode": "ENHANCED" + }}]' + +**Using mTLS authentication:** + +Create the forward Replicator (self-managed Kafka to MSK Express) with `ENHANCED` offset sync mode: + + + aws kafka create-replicator \ + --replicator-name my-selfmanaged-to-msk-replicator \ + --description "Replicating from self-managed Kafka to MSK Express" \ + --service-execution-role-arn arn:aws:iam::123456789012:role/MSKReplicatorRole \ + --kafka-clusters '[ + { + "apacheKafkaCluster": { + "bootstrapBrokerString": "broker1:9095,broker2:9095,broker3:9095", + "apacheKafkaClusterId": "<self-managed-cluster-id>" + }, + "clientAuthentication": { + "MTLS": { + "secretArn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:kafka-mtls-creds" + } + }, + "encryptionInTransit": { + "encryptionType": "TLS", + "rootCaCertificate": "arn:aws:secretsmanager:us-east-1:123456789012:secret:kafka-ca-cert" + }, + "vpcConfig": { + "subnetIds": ["subnet-aaa","subnet-bbb","subnet-ccc"], + "securityGroupIds": ["sg-xxxxxxxxxxxxxxxxx"] + } + }, + { + "amazonMskCluster": { + "mskClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/msk-express/xxx" + }, + "vpcConfig": { + "subnetIds": ["subnet-ddd","subnet-eee","subnet-fff"], + "securityGroupIds": ["sg-yyyyyyyyy"] + } + }]' \ + --replication-info-list '[{ + "sourceKafkaClusterId": "<self-managed-cluster-id>", + "targetKafkaClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/msk-express/xxx", + "targetCompressionType": "NONE", + "topicReplication": { + "topicsToReplicate": [".*"], + "topicNameConfiguration": {"type": "IDENTICAL"}, + "startingPosition": {"type": "EARLIEST"}, + "detectAndCopyNewTopics": true, + "copyTopicConfigurations": true, + "copyAccessControlListsForTopics": true + }, + "consumerGroupReplication": { + "consumerGroupsToReplicate": [".*"], + "detectAndCopyNewConsumerGroups": true, + "synchroniseConsumerGroupOffsets": true, + "consumerGroupOffsetSyncMode": "ENHANCED" + }}]' + +Then create the reverse Replicator (MSK Express to self-managed Kafka) also with `ENHANCED` offset sync mode: + + + aws kafka create-replicator \ + --replicator-name my-msk-to-selfmanaged-replicator \ + --description "Reverse replication for rollback" \ + --service-execution-role-arn arn:aws:iam::123456789012:role/MSKReplicatorRole \ + --kafka-clusters '[ + { + "amazonMskCluster": { + "mskClusterArn": "arn:aws:kafka:us-east-1:123456789012:cluster/msk-express/xxx" + }, + "vpcConfig": { + "subnetIds": ["subnet-ddd","subnet-eee","subnet-fff"], + "securityGroupIds": ["sg-yyyyyyyyy"] + } + }, + { + "apacheKafkaCluster": { + "bootstrapBrokerString": "broker1:9095,broker2:9095,broker3:9095", + "apacheKafkaClusterId": "<self-managed-cluster-id>" + }, + "clientAuthentication": { + "MTLS": { + "secretArn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:kafka-mtls-creds" + } + }, + "encryptionInTransit": { + "encryptionType": "TLS", + "rootCaCertificate": "arn:aws:secretsmanager:us-east-1:123456789012:secret:kafka-ca-cert" + }, + "vpcConfig": { + "subnetIds": ["subnet-aaa","subnet-bbb","subnet-ccc"], + "securityGroupIds": ["sg-xxxxxxxxxxxxxxxxx"]