IAM access control - Amazon Managed Streaming for Apache Kafka

IAM access control

IAM access control for Amazon MSK enables you to handle both authentication and authorization for your MSK cluster. This eliminates the need to use one mechanism for authentication and another for authorization. For example, when a client tries to write to your cluster, Amazon MSK uses IAM to check whether that client is an authenticated identity and also whether it is authorized to produce to your cluster. IAM access control works for Java and non-Java clients, including Kafka clients written in Python, Go, JavaScript, and .NET.

Amazon MSK logs access events so you can audit them. For more information, see Log API calls with AWS CloudTrail.

To make IAM access control possible, Amazon MSK makes minor modifications to Apache Kafka source code. These modifications won't cause a noticeable difference in your Apache Kafka experience.

Important

IAM access control doesn't apply to Apache ZooKeeper nodes. For information about how you can control access to those nodes, see Control access to Apache ZooKeeper nodes in your Amazon MSK cluster.

Important

The allow.everyone.if.no.acl.found Apache Kafka setting has no effect if your cluster uses IAM access control.

Important

You can invoke Apache Kafka ACL APIs for an MSK cluster that uses IAM access control. However, Apache Kafka ACLs have no effect on authorization for IAM roles. You must use IAM policies to control access for IAM roles.