Cluster Security - Amazon Managed Streaming for Apache Kafka

Cluster Security

Use this resource to update the security settings of a cluster.

URI

/v1/clusters/clusterArn/security

HTTP methods

OPTIONS

Enable CORS by returning the correct headers.

Path parameters
NameTypeRequiredDescription
clusterArnStringTrue

The Amazon Resource Name (ARN) that uniquely identifies the cluster.

Responses
Status codeResponse modelDescription
200None

Default response for CORS method

PATCH

Operation ID: UpdateSecurity

Updates security settings of the specified cluster.

Path parameters
NameTypeRequiredDescription
clusterArnStringTrue

The Amazon Resource Name (ARN) that uniquely identifies the cluster.

Responses
Status codeResponse modelDescription
200 UpdateSecurityResponse

200 response

400Error

The request isn't valid because the input is incorrect. Correct your input and then submit it again.

401Error

The request is not authorized. The provided credentials couldn't be validated.

403Error

Access forbidden. Check your credentials and then retry your request.

404Error

The resource could not be found due to incorrect input. Correct the input, then retry the request.

429Error

429 response

500Error

There was an unexpected internal server error. Retrying your request might resolve the issue.

503Error

503 response

Schemas

Request bodies

{ "encryptionInfo": { "encryptionInTransit": { "inCluster": boolean, "clientBroker": enum }, "encryptionAtRest": { "dataVolumeKMSKeyId": "string" } }, "clientAuthentication": { "sasl": { "iam": { "enabled": boolean }, "scram": { "enabled": boolean } }, "unauthenticated": { "enabled": boolean }, "tls": { "certificateAuthorityArnList": [ "string" ], "enabled": boolean } }, "currentVersion": "string" }

Response bodies

{ "clusterArn": "string", "clusterOperationArn": "string" }
{ "message": "string", "invalidParameter": "string" }

Properties

ClientAuthentication

Includes all client authentication information.

PropertyTypeRequiredDescription
sasl

Sasl

False

Details for client authentication using SASL. To turn on SASL, you must also turn on EncryptionInTransit by setting inCluster to true. You must set clientBroker to either TLS or TLS_PLAINTEXT. If you choose TLS_PLAINTEXT, then you must also set unauthenticated to true.

tls

Tls

False

Details for ClientAuthentication using TLS. To turn on TLS access control, you must also turn on EncryptionInTransit by setting inCluster to true and clientBroker to TLS.

unauthenticated

Unauthenticated

False

Details for ClientAuthentication using no authentication.

ClientBroker

Client-broker encryption in transit setting.

  • TLS

  • TLS_PLAINTEXT

  • PLAINTEXT

EncryptionAtRest

The data-volume encryption details. You can't update encryption at rest settings for existing clusters.

PropertyTypeRequiredDescription
dataVolumeKMSKeyId

string

True

The ARN of the Amazon KMS key for encrypting data at rest. If you don't specify a KMS key, MSK creates one for you and uses it.

EncryptionInTransit

The settings for encrypting data in transit.

PropertyTypeRequiredDescription
clientBroker

ClientBroker

False

Indicates the encryption setting for data in transit between clients and brokers. You must set it to one of the following values.

TLS means that client-broker communication is enabled with TLS only.

TLS_PLAINTEXT means that client-broker communication is enabled for both TLS-encrypted, as well as plaintext data.

PLAINTEXT means that client-broker communication is enabled in plaintext only.

The default value is TLS.

inCluster

boolean

False

When set to true, it indicates that data communication among the broker nodes of the cluster is encrypted. When set to false, the communication happens in plaintext.

The default value is true.

EncryptionInfo

Includes encryption-related information, such as the Amazon KMS key used for encrypting data at rest and whether you want MSK to encrypt your data in transit.

PropertyTypeRequiredDescription
encryptionAtRest

EncryptionAtRest

False

The data-volume encryption details.

encryptionInTransit

EncryptionInTransit

False

The details for encryption in transit.

Error

Returns information about an error.

PropertyTypeRequiredDescription
invalidParameter

string

False

The parameter that caused the error.

message

string

False

The description of the error.

IAM

Details for SASL/IAM client authentication.

PropertyTypeRequiredDescription
enabled

boolean

False

SASL/IAM authentication is enabled or not.

Sasl

Details for client authentication using SASL. To turn on SASL, you must also turn on EncryptionInTransit by setting inCluster to true. You must set clientBroker to either TLS or TLS_PLAINTEXT. If you choose TLS_PLAINTEXT, then you must also set unauthenticated to true.

PropertyTypeRequiredDescription
iam

IAM

False

Details for ClientAuthentication using IAM.

scram

Scram

False

Details for SASL/SCRAM client authentication.

Scram

Details for SASL/SCRAM client authentication.

PropertyTypeRequiredDescription
enabled

boolean

False

SASL/SCRAM authentication is enabled or not.

Tls

Details for client authentication using TLS.

PropertyTypeRequiredDescription
certificateAuthorityArnList

Array of type string

False

List of ACM Certificate Authority ARNs.

enabled

boolean

False

TLS authentication is enabled or not.

Unauthenticated

Details for allowing no client authentication.

PropertyTypeRequiredDescription
enabled

boolean

False

Unauthenticated is enabled or not.

UpdateSecurityRequest

Request body for UpdateSecurity.

PropertyTypeRequiredDescription
clientAuthentication

ClientAuthentication

False

The client authentication info details.

currentVersion

string

True

Current cluster version.

encryptionInfo

EncryptionInfo

False

The encryption info details.

UpdateSecurityResponse

Response body for UpdateSecurity.

PropertyTypeRequiredDescription
clusterArn

string

False

The Amazon Resource Name (ARN) of the cluster.

clusterOperationArn

string

False

The Amazon Resource Name (ARN) of the cluster operation.

See also

For more information about using this API in one of the language-specific AWS SDKs and references, see the following:

UpdateSecurity