AWS Security ChangesHomeSearch

AWS msk documentation change

Service: msk · 2026-06-25 · Documentation low

File: msk/latest/developerguide/msk-replicator-ser-additional-perms.md

Summary

Expanded IAM permissions documentation to cover mTLS authentication and restructured CMK decryption requirements

Security assessment

The update documents required permissions for mTLS secrets management and clarifies CMK usage, improving security posture documentation. No vulnerability fix is indicated; this aligns permissions with the new mTLS feature.

Diff

diff --git a/msk/latest/developerguide/msk-replicator-ser-additional-perms.md b/msk/latest/developerguide/msk-replicator-ser-additional-perms.md
index 9000808b1..63a1cd0e7 100644
--- a//msk/latest/developerguide/msk-replicator-ser-additional-perms.md
+++ b//msk/latest/developerguide/msk-replicator-ser-additional-perms.md
@@ -7 +7 @@
-# Additional SER permissions for SASL/SCRAM and customer managed keys
+# Additional SER permissions for SASL/SCRAM, mTLS, and customer managed keys
@@ -9 +9 @@
-The `AWSMSKReplicatorExecutionRole` managed policy covers cluster, topic, and consumer group permissions for IAM auth. When you replicate to or from a cluster that uses SASL/SCRAM authentication (for example, when migrating from a self-managed Apache Kafka cluster), or when your SCRAM secret or private CA certificate is encrypted with a customer managed key (CMK), you need to attach additional inline permissions to the service execution role.
+The `AWSMSKReplicatorExecutionRole` managed policy covers cluster, topic, and consumer group permissions for IAM auth. When you replicate to or from a cluster that uses SASL/SCRAM or mTLS authentication (for example, when migrating from a self-managed Apache Kafka cluster), or when your secret is encrypted with a customer managed key (CMK), you need to attach additional inline permissions to the service execution role.
@@ -38 +38 @@ Grants the SER permission to read SCRAM credentials and (optionally) the private
-###### SCRAM secret or CA certificate encrypted with a customer managed key
+###### mTLS secret (with or without TLS root CA secret)
@@ -40 +40 @@ Grants the SER permission to read SCRAM credentials and (optionally) the private
-If the secret or certificate is encrypted with a CMK rather than the AWS-managed key, also grant `kms:Decrypt` on the CMK. Replace `<customerManagedKeyArn>` with the CMK ARN.
+Grants the SER permission to read the client certificate and private key from AWS Secrets Manager. Replace `<mtlsSecretArn>` with the ARN of your mTLS secret and `<privateCaCertSecretArn>` with the secret holding the server CA certificate (omit the second ARN if you use a publicly trusted certificate).
@@ -56 +56,26 @@ If the secret or certificate is encrypted with a CMK rather than the AWS-managed
-                    "<saslSecretArn>",
+                    "<mtlsSecretArn>",
+                    "<privateCaCertSecretArn>"
+                ]
+            }
+        ]
+    }
+
+###### Secret encrypted with a customer managed key
+
+If the secret is encrypted with a CMK rather than the AWS-managed key, also grant `kms:Decrypt` on the CMK. Replace `<customerManagedKeyArn>` with the CMK ARN.
+    
+    
+    {
+        "Version": "2012-10-17", 
+        "Statement": [
+            {
+                "Sid": "SecretsManagerPermissions",
+                "Effect": "Allow",
+                "Action": [
+                    "secretsmanager:GetResourcePolicy",
+                    "secretsmanager:GetSecretValue",
+                    "secretsmanager:DescribeSecret",
+                    "secretsmanager:ListSecretVersionIds"
+                ],
+                "Resource": [
+                    "<secretArn>",