AWS Security ChangesHomeSearch

AWS msk documentation change

Service: msk · 2026-06-25 · Documentation low

File: msk/latest/developerguide/msk-replicator-migrate-external.md

Summary

Added support for mutual TLS (mTLS) authentication alongside SASL/SCRAM for source clusters in MSK Replicator migration documentation

Security assessment

The change introduces mTLS as a new authentication option, which enhances security by enabling certificate-based authentication. However, there's no evidence this addresses a specific vulnerability; it's a feature expansion providing stronger authentication alternatives.

Diff

diff --git a/msk/latest/developerguide/msk-replicator-migrate-external.md b/msk/latest/developerguide/msk-replicator-migrate-external.md
index e349a09d9..7e44c23e1 100644
--- a//msk/latest/developerguide/msk-replicator-migrate-external.md
+++ b//msk/latest/developerguide/msk-replicator-migrate-external.md
@@ -9 +9 @@
-You can use MSK Replicator to migrate Apache Kafka workloads from self-managed environments to Amazon MSK Provisioned clusters with Express brokers. MSK Replicator supports data migration from Kafka deployments (Kafka version 2.8.1 or later) that have SASL/SCRAM authentication enabled.
+You can use MSK Replicator to migrate Apache Kafka workloads from self-managed environments to Amazon MSK Provisioned clusters with Express brokers. MSK Replicator supports data migration from Kafka deployments (Kafka version 2.8.1 or later) that have SASL/SCRAM or mutual TLS (mTLS) authentication enabled.
@@ -13 +13 @@ You can use MSK Replicator to migrate Apache Kafka workloads from self-managed e
-SASL/SCRAM authentication is required only for MSK Replicator to connect to your self-managed Kafka cluster. Your client applications can continue using their existing authentication mechanisms.
+SASL/SCRAM or mTLS authentication is required only for MSK Replicator to connect to your self-managed Kafka cluster. Your client applications can continue using their existing authentication mechanisms.
@@ -21 +21 @@ Before you begin, ensure you have the following:
-  2. SASL/SCRAM authentication enabled on source cluster
+  2. SASL/SCRAM or mTLS authentication enabled on source cluster
@@ -40 +40 @@ Create an MSK Provisioned cluster with Express brokers with IAM authentication e
-Attach the `AWSMSKReplicatorExecutionRole` managed policy and configure the trust policy for `kafka.amazonaws.com`. Add inline permissions for AWS Secrets Manager (and AWS KMS if your secrets are CMK-encrypted) per [Additional SER permissions for SASL/SCRAM and customer managed keys](./msk-replicator-ser-additional-perms.html). See [Set up prerequisites for MSK Replicator with self-managed Apache Kafka clusters](./msk-replicator-external-prereqs.html).
+Attach the `AWSMSKReplicatorExecutionRole` managed policy and configure the trust policy for `kafka.amazonaws.com`. Add inline permissions for AWS Secrets Manager (and AWS KMS if your secrets are CMK-encrypted) per [Additional SER permissions for SASL/SCRAM, mTLS, and customer managed keys](./msk-replicator-ser-additional-perms.html). See [Set up prerequisites for MSK Replicator with self-managed Apache Kafka clusters](./msk-replicator-external-prereqs.html).
@@ -42 +42 @@ Attach the `AWSMSKReplicatorExecutionRole` managed policy and configure the trus
-###### Step 3: Configure SASL/SCRAM and SSL on self-managed cluster
+###### Step 3: Configure SASL/SCRAM or mTLS, and SSL on self-managed cluster
@@ -44 +44 @@ Attach the `AWSMSKReplicatorExecutionRole` managed policy and configure the trus
-Create dedicated SCRAM user with required ACL permissions. Configure SSL certificates. See [Set up prerequisites for MSK Replicator with self-managed Apache Kafka clusters](./msk-replicator-external-prereqs.html).
+Configure authentication on your self-managed cluster. For SASL/SCRAM, create a dedicated SCRAM user with the required ACL permissions. For mTLS, configure an SSL listener with client certificate authentication. Configure SSL certificates. See [Set up prerequisites for MSK Replicator with self-managed Apache Kafka clusters](./msk-replicator-external-prereqs.html).
@@ -48 +48 @@ Create dedicated SCRAM user with required ACL permissions. Configure SSL certifi
-Create secret with `username`, `password`, and `certificate` key-value pairs. See [Set up prerequisites for MSK Replicator with self-managed Apache Kafka clusters](./msk-replicator-external-prereqs.html).
+Create a secret with the appropriate key-value pairs for your authentication type. For SASL/SCRAM, include `username`, `password`, and `certificate` fields. For mTLS, include `certificate` and `privateKey` fields (and optionally `privateKeyPassword` for encrypted private keys). See [Set up prerequisites for MSK Replicator with self-managed Apache Kafka clusters](./msk-replicator-external-prereqs.html).