Amazon MSK Authentication and Authorization

Question

Hello world,

Let's say I have 3 sets of users consuming 2 topics and I want:
User 1 to have full control to both topics;
User 2 can have full control to topic 1;
User 3  can subscribe to topic 2.

What is the best way of implementing such?

Thank you

Answer

The recommended way to achieve this is using IAM authentication. IAM controls both who can be authenticated and authorized to use Amazon MSK resources. For your use case, "kafka-cluster:*" Action must be allowed on all topics (eg : arn:aws:kafka:::topic/ClusterName/*) in the authorization policy of User 1.

Similar authorization policy can be used for User 2 and User 3 but only for one topic ( arn:aws:kafka:::topic/ClusterName/). Complete information about IAM authentication and authorization - [1] https://aws.amazon.com/blogs/big-data/securing-apache-kafka-is-easy-and-familiar-with-iam-access-control-for-amazon-msk/.

One other way if using SASL/SCRAM or TLS auth is to use ACLs. By setting ACLs you can restrict who can access topics - [2] https://docs.aws.amazon.com/msk/latest/developerguide/msk-acls.html

Amazon MSK Authentication and Authorization

관련 콘텐츠