IAM access control
IAM access control for Amazon MSK enables you to handle both authentication and authorization for your MSK cluster. This eliminates the need to use one mechanism for authentication and another for authorization. For example, when a client tries to write to your cluster, Amazon MSK uses IAM to check whether that client is an authenticated identity and also whether it is authorized to produce to your cluster. IAM access control works for Java and non-Java clients, including Kafka clients written in Python, Go, JavaScript, and .NET.
Amazon MSK logs access events so you can audit them. For more information, see Log API calls with AWS CloudTrail.
To make IAM access control possible, Amazon MSK makes minor modifications to Apache Kafka source code. These modifications won't cause a noticeable difference in your Apache Kafka experience.
Important
IAM access control doesn't apply to Apache ZooKeeper nodes. For information about how you can control access to those nodes, see Control access to Apache ZooKeeper nodes in your Amazon MSK cluster.
Important
The allow.everyone.if.no.acl.found
Apache Kafka setting has no effect if
your cluster uses IAM access control.
Important
You can invoke Apache Kafka ACL APIs for an MSK cluster that uses IAM access control. However, Apache Kafka ACLs have no effect on authorization for IAM roles. You must use IAM policies to control access for IAM roles.