Cluster Security - Amazon Managed Streaming for Apache Kafka

Cluster Security

Use this resource to update the security settings of a cluster.

URI

/v1/clusters/clusterArn/security

HTTP methods

OPTIONS

Enable CORS by returning the correct headers.

Path parameters
| Name | Type | Required | Description |
|---|---|---|---|
| clusterArn | String | True | The Amazon Resource Name (ARN) that uniquely identifies the cluster. |

Responses
| Status code | Response model | Description |
|---|---|---|
| 200 | None | Default response for CORS method |

PATCH

Operation ID: UpdateSecurity

Updates security settings of the specified cluster.

Path parameters
| Name | Type | Required | Description |
|---|---|---|---|
| clusterArn | String | True | The Amazon Resource Name (ARN) that uniquely identifies the cluster. |

Responses
| Status code | Response model | Description |
|---|---|---|
| 200 | UpdateSecurityResponse | 200 response |
| 400 | Error | The request isn't valid because the input is incorrect. Correct your input and then submit it again. |
| 401 | Error | The request is not authorized. The provided credentials couldn't be validated. |
| 403 | Error | Access forbidden. Check your credentials and then retry your request. |
| 404 | Error | The resource could not be found due to incorrect input. Correct the input, then retry the request. |
| 429 | Error | 429 response |
| 500 | Error | There was an unexpected internal server error. Retrying your request might resolve the issue. |
| 503 | Error | 503 response |

Schemas

Request bodies

{
  "encryptionInfo": {
    "encryptionInTransit": {
      "inCluster": boolean,
      "clientBroker": enum
    },
    "encryptionAtRest": {
      "dataVolumeKMSKeyId": "string"
    }
  },
  "clientAuthentication": {
    "sasl": {
      "iam": {
        "enabled": boolean
      },
      "scram": {
        "enabled": boolean
      }
    },
    "unauthenticated": {
      "enabled": boolean
    },
    "tls": {
      "certificateAuthorityArnList": [
        "string"
      ],
      "enabled": boolean
    }
  },
  "currentVersion": "string"
}

Response bodies

UpdateSecurityResponse

{
  "clusterArn": "string",
  "clusterOperationArn": "string"
}

Error

{
  "message": "string",
  "invalidParameter": "string"
}

Properties

ClientAuthentication

Includes all client authentication information.

| Property | Type | Required | Description |
|---|---|---|---|
| sasl | Sasl | False | Details for client authentication using SASL. To turn on SASL, you must also turn on EncryptionInTransit by setting inCluster to true. You must set clientBroker to either TLS or TLS_PLAINTEXT. If you choose TLS_PLAINTEXT, then you must also set unauthenticated to true. |
| tls | Tls | False | Details for ClientAuthentication using TLS. To turn on TLS access control, you must also turn on EncryptionInTransit by setting inCluster to true and clientBroker to TLS. |
| unauthenticated | Unauthenticated | False | Details for ClientAuthentication using no authentication. |

ClientBroker

Client-broker encryption in transit setting.

  • TLS

  • TLS_PLAINTEXT

  • PLAINTEXT

EncryptionAtRest

The data-volume encryption details.

| Property | Type | Required | Description |
|---|---|---|---|
| dataVolumeKMSKeyId | string | True | The ARN of the Amazon KMS key for encrypting data at rest. If you don't specify a KMS key, MSK creates one for you and uses it. |

EncryptionInTransit

The settings for encrypting data in transit.

| Property | Type | Required | Description |
|---|---|---|---|
| clientBroker | ClientBroker | False | Indicates the encryption setting for data in transit between clients and brokers. You must set it to one of the following values. TLS means that client-broker communication is enabled with TLS only. TLS_PLAINTEXT means that client-broker communication is enabled for both TLS-encrypted and plaintext data. PLAINTEXT means that client-broker communication is enabled in plaintext only. The default value is TLS. |
| inCluster | boolean | False | When set to true, it indicates that data communication among the broker nodes of the cluster is encrypted. When set to false, the communication happens in plaintext. The default value is true. |

EncryptionInfo

Includes encryption-related information, such as the Amazon KMS key used for encrypting data at rest and whether you want MSK to encrypt your data in transit.

| Property | Type | Required | Description |
|---|---|---|---|
| encryptionAtRest | EncryptionAtRest | False | The data-volume encryption details. |
| encryptionInTransit | EncryptionInTransit | False | The details for encryption in transit. |

Error

Returns information about an error.

| Property | Type | Required | Description |
|---|---|---|---|
| invalidParameter | string | False | The parameter that caused the error. |
| message | string | False | The description of the error. |

IAM

Details for SASL/IAM client authentication.

| Property | Type | Required | Description |
|---|---|---|---|
| enabled | boolean | False | Indicates whether SASL/IAM authentication is enabled. |

Sasl

Details for client authentication using SASL. To turn on SASL, you must also turn on EncryptionInTransit by setting inCluster to true. You must set clientBroker to either TLS or TLS_PLAINTEXT. If you choose TLS_PLAINTEXT, then you must also set unauthenticated to true.

| Property | Type | Required | Description |
|---|---|---|---|
| iam | IAM | False | Details for ClientAuthentication using IAM. |
| scram | Scram | False | Details for SASL/SCRAM client authentication. |

Scram

Details for SASL/SCRAM client authentication.

| Property | Type | Required | Description |
|---|---|---|---|
| enabled | boolean | False | Indicates whether SASL/SCRAM authentication is enabled. |

Tls

Details for client authentication using TLS.

| Property | Type | Required | Description |
|---|---|---|---|
| certificateAuthorityArnList | Array of type string | False | List of ACM Certificate Authority ARNs. |
| enabled | boolean | False | Indicates whether TLS authentication is enabled. |

Unauthenticated

Details for allowing no client authentication.

| Property | Type | Required | Description |
|---|---|---|---|
| enabled | boolean | False | Indicates whether unauthenticated access is enabled. |

UpdateSecurityRequest

Request body for UpdateSecurity.

| Property | Type | Required | Description |
|---|---|---|---|
| clientAuthentication | ClientAuthentication | False | The client authentication info details. |
| currentVersion | string | True | Current cluster version. |
| encryptionInfo | EncryptionInfo | False | The encryption info details. |
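
The constraints stated in the ClientAuthentication, Sasl and EncryptionInTransit descriptions can be checked before a request body is submitted. The following Python check is an added example, not part of the AWS reference or SDK; the function name check_update_security and the sample bodies are constructed. It assumes the body carries the full intended settings and takes the documented defaults (clientBroker TLS, inCluster true) for omitted values.

```python
# Added example (not AWS code): check an UpdateSecurity request body against
# the constraints stated in the property descriptions on this page.
# Assumption: omitted encryptionInTransit values take the documented defaults.

def check_update_security(body):
    """Return a list of findings; empty means no documented rule is violated."""
    findings = []
    if not body.get("currentVersion"):
        findings.append("currentVersion is required")

    transit = body.get("encryptionInfo", {}).get("encryptionInTransit", {})
    client_broker = transit.get("clientBroker", "TLS")  # documented default
    in_cluster = transit.get("inCluster", True)         # documented default
    if client_broker not in ("TLS", "TLS_PLAINTEXT", "PLAINTEXT"):
        findings.append(f"clientBroker {client_broker!r} is not a ClientBroker value")

    auth = body.get("clientAuthentication", {})
    sasl = auth.get("sasl", {})
    sasl_on = any(sasl.get(m, {}).get("enabled") for m in ("iam", "scram"))
    tls_on = bool(auth.get("tls", {}).get("enabled"))
    unauth_on = bool(auth.get("unauthenticated", {}).get("enabled"))

    if sasl_on:
        if not in_cluster:
            findings.append("SASL requires inCluster=true")
        if client_broker not in ("TLS", "TLS_PLAINTEXT"):
            findings.append("SASL requires clientBroker TLS or TLS_PLAINTEXT")
        elif client_broker == "TLS_PLAINTEXT" and not unauth_on:
            findings.append("SASL with TLS_PLAINTEXT requires unauthenticated.enabled=true")
    if tls_on and (not in_cluster or client_broker != "TLS"):
        findings.append("TLS client auth requires inCluster=true and clientBroker=TLS")
    return findings

# Constructed sample bodies; the currentVersion value is a placeholder.
GOOD = {
    "currentVersion": "PLACEHOLDER_VERSION",
    "encryptionInfo": {"encryptionInTransit": {"inCluster": True, "clientBroker": "TLS"}},
    "clientAuthentication": {"sasl": {"iam": {"enabled": True}}},
}
BAD = {  # no currentVersion; SCRAM and TLS auth with clientBroker TLS_PLAINTEXT
    "encryptionInfo": {"encryptionInTransit": {"inCluster": True, "clientBroker": "TLS_PLAINTEXT"}},
    "clientAuthentication": {"sasl": {"scram": {"enabled": True}}, "tls": {"enabled": True}},
}

if __name__ == "__main__":
    print(check_update_security(GOOD))
    for finding in check_update_security(BAD):
        print("-", finding)
```

An empty result only means the body is consistent with the rules written on this page; the service can still reject it for other reasons, which surface as the 400 Error response.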

UpdateSecurityResponse

Response body for UpdateSecurity.

| Property | Type | Required | Description |
|---|---|---|---|
| clusterArn | string | False | The Amazon Resource Name (ARN) of the cluster. |
| clusterOperationArn | string | False | The Amazon Resource Name (ARN) of the cluster operation. |

See also

For more information about using this API in one of the language-specific AWS SDKs and references, see the following:

UpdateSecurity