Amazon Managed Streaming for Apache Kafka
Developer Guide

Amazon Managed Streaming for Apache Kafka Resource-Based Policy Examples

To learn how to create an MSK cluster, see Create an Amazon MSK Cluster.

Restricting Amazon MSK Cluster Access to Specific IP Addresses

The following example grants permissions to any user to perform any Amazon MSK operations on the specified cluster. However, the request must originate from the range of IP addresses specified in the condition.

The condition in this statement identifies the 54.240.143.* range of allowed Internet Protocol version 4 (IPv4) IP addresses, with one exception: 54.240.143.188.

The Condition block uses the IpAddress and NotIpAddress conditions and the aws:SourceIp condition key, which is an AWS-wide condition key. The aws:sourceIp IPv4 values use the standard CIDR notation. For more information, see IP Address Condition Operators in the IAM User Guide.

{ "Version": "2012-10-17", "Id": "MSKPolicyId1", "Statement": [ { "Sid": "IPAllow", "Effect": "Allow", "Principal": "*", "Action": "kafka:*", "Resource": "arn:aws:kafka:us-east-1:012345678012:cluster/purchaseQueriesCluster/abcdefab-1234-abcd-5678-cdef0123ab01-2", "Condition": { "IpAddress": {"aws:SourceIp": "54.240.143.0/24"}, "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"} } } ] }