AWS msk documentation change
Summary
Added support for mutual TLS (mTLS) authentication alongside SASL/SCRAM for source clusters in MSK Replicator migration documentation
Security assessment
The change introduces mTLS as a new authentication option, which enhances security by enabling certificate-based authentication. However, there's no evidence this addresses a specific vulnerability; it's a feature expansion providing stronger authentication alternatives.
Diff
diff --git a/msk/latest/developerguide/msk-replicator-migrate-external.md b/msk/latest/developerguide/msk-replicator-migrate-external.md index e349a09d9..7e44c23e1 100644 --- a//msk/latest/developerguide/msk-replicator-migrate-external.md +++ b//msk/latest/developerguide/msk-replicator-migrate-external.md @@ -9 +9 @@ -You can use MSK Replicator to migrate Apache Kafka workloads from self-managed environments to Amazon MSK Provisioned clusters with Express brokers. MSK Replicator supports data migration from Kafka deployments (Kafka version 2.8.1 or later) that have SASL/SCRAM authentication enabled. +You can use MSK Replicator to migrate Apache Kafka workloads from self-managed environments to Amazon MSK Provisioned clusters with Express brokers. MSK Replicator supports data migration from Kafka deployments (Kafka version 2.8.1 or later) that have SASL/SCRAM or mutual TLS (mTLS) authentication enabled. @@ -13 +13 @@ You can use MSK Replicator to migrate Apache Kafka workloads from self-managed e -SASL/SCRAM authentication is required only for MSK Replicator to connect to your self-managed Kafka cluster. Your client applications can continue using their existing authentication mechanisms. +SASL/SCRAM or mTLS authentication is required only for MSK Replicator to connect to your self-managed Kafka cluster. Your client applications can continue using their existing authentication mechanisms. @@ -21 +21 @@ Before you begin, ensure you have the following: - 2. SASL/SCRAM authentication enabled on source cluster + 2. SASL/SCRAM or mTLS authentication enabled on source cluster @@ -40 +40 @@ Create an MSK Provisioned cluster with Express brokers with IAM authentication e -Attach the `AWSMSKReplicatorExecutionRole` managed policy and configure the trust policy for `kafka.amazonaws.com`. Add inline permissions for AWS Secrets Manager (and AWS KMS if your secrets are CMK-encrypted) per [Additional SER permissions for SASL/SCRAM and customer managed keys](./msk-replicator-ser-additional-perms.html). See [Set up prerequisites for MSK Replicator with self-managed Apache Kafka clusters](./msk-replicator-external-prereqs.html). +Attach the `AWSMSKReplicatorExecutionRole` managed policy and configure the trust policy for `kafka.amazonaws.com`. Add inline permissions for AWS Secrets Manager (and AWS KMS if your secrets are CMK-encrypted) per [Additional SER permissions for SASL/SCRAM, mTLS, and customer managed keys](./msk-replicator-ser-additional-perms.html). See [Set up prerequisites for MSK Replicator with self-managed Apache Kafka clusters](./msk-replicator-external-prereqs.html). @@ -42 +42 @@ Attach the `AWSMSKReplicatorExecutionRole` managed policy and configure the trus -###### Step 3: Configure SASL/SCRAM and SSL on self-managed cluster +###### Step 3: Configure SASL/SCRAM or mTLS, and SSL on self-managed cluster @@ -44 +44 @@ Attach the `AWSMSKReplicatorExecutionRole` managed policy and configure the trus -Create dedicated SCRAM user with required ACL permissions. Configure SSL certificates. See [Set up prerequisites for MSK Replicator with self-managed Apache Kafka clusters](./msk-replicator-external-prereqs.html). +Configure authentication on your self-managed cluster. For SASL/SCRAM, create a dedicated SCRAM user with the required ACL permissions. For mTLS, configure an SSL listener with client certificate authentication. Configure SSL certificates. See [Set up prerequisites for MSK Replicator with self-managed Apache Kafka clusters](./msk-replicator-external-prereqs.html). @@ -48 +48 @@ Create dedicated SCRAM user with required ACL permissions. Configure SSL certifi -Create secret with `username`, `password`, and `certificate` key-value pairs. See [Set up prerequisites for MSK Replicator with self-managed Apache Kafka clusters](./msk-replicator-external-prereqs.html). +Create a secret with the appropriate key-value pairs for your authentication type. For SASL/SCRAM, include `username`, `password`, and `certificate` fields. For mTLS, include `certificate` and `privateKey` fields (and optionally `privateKeyPassword` for encrypted private keys). See [Set up prerequisites for MSK Replicator with self-managed Apache Kafka clusters](./msk-replicator-external-prereqs.html).