AWS Security ChangesHomeSearch

AWS msk documentation change

Service: msk · 2026-06-25 · Documentation low

File: msk/latest/developerguide/msk-replicator-supported-configs.md

Summary

Added support for mTLS authentication in addition to SASL/SCRAM for self-managed Apache Kafka source clusters

Security assessment

The change introduces mTLS as a new authentication method for source clusters, which enhances security by providing certificate-based mutual authentication. However, there's no evidence of a specific security vulnerability being addressed.

Diff

diff --git a/msk/latest/developerguide/msk-replicator-supported-configs.md b/msk/latest/developerguide/msk-replicator-supported-configs.md
index 8fa5b420f..b3b5c9847 100644
--- a//msk/latest/developerguide/msk-replicator-supported-configs.md
+++ b//msk/latest/developerguide/msk-replicator-supported-configs.md
@@ -17 +17 @@ The following are requirements for cluster types, Kafka versions, instance types
-  * MSK Replicator also supports self-managed Apache Kafka clusters (Kafka version 2.8.1 or later) with SASL/SCRAM authentication as source clusters when replicating to Amazon MSK Provisioned clusters with Express brokers. For more information, see [Migrate from non-MSK Apache Kafka clusters to Amazon MSK Express brokers](./msk-replicator-migrate-external.html).
+  * MSK Replicator also supports self-managed Apache Kafka clusters (Kafka version 2.8.1 or later) with SASL/SCRAM or mTLS authentication as source clusters when replicating to Amazon MSK Provisioned clusters with Express brokers. For more information, see [Migrate from non-MSK Apache Kafka clusters to Amazon MSK Express brokers](./msk-replicator-migrate-external.html).
@@ -38 +38 @@ The following are requirements for cluster types, Kafka versions, instance types
-  * If you are using MSK Replicator with a self-managed Apache Kafka cluster as the source, the self-managed cluster must have SASL/SCRAM authentication enabled.
+  * If you are using MSK Replicator with a self-managed Apache Kafka cluster as the source, the self-managed cluster must have SASL/SCRAM or mTLS authentication enabled.