Lambda polls your Apache Kafka topic partitions for new records and invokes your Lambda function synchronously. To update other AWS resources that your cluster uses, your Lambda function—as well as your AWS Identity and Access Management (IAM) users and roles—must have permission to perform these actions.
This page describes how to grant permission to Lambda and other users of your Amazon MSK cluster.
Your Lambda function's execution role must have permission to read records from your Amazon MSK cluster on your behalf. You can either add the AWS managed policy AWSLambdaMSKExecutionRole to your execution role, or create a custom policy with permission to perform the following actions:
- kafka:DescribeCluster
- kafka:GetBootstrapBrokers
- ec2:CreateNetworkInterface
- ec2:DescribeNetworkInterfaces
- ec2:DescribeVpcs
- ec2:DeleteNetworkInterface
- ec2:DescribeSubnets
- ec2:DescribeSecurityGroups
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
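If you write the custom policy yourself instead of attaching the managed one, it is easy to drop an action or to leave a Deny statement that overrides an Allow. The following added example (not from the AWS documentation) checks a policy document offline against the action list above; the sample policy, its placeholder cluster ARN and the `missing_actions` helper are constructed for this illustration.

```python
import fnmatch
import json
# Actions the page lists for a custom execution-role policy (the alternative
# to attaching the AWS managed policy AWSLambdaMSKExecutionRole).
REQUIRED_ACTIONS = (
    "kafka:DescribeCluster", "kafka:GetBootstrapBrokers",
    "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeVpcs", "ec2:DeleteNetworkInterface",
    "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
)

def _as_list(value):
    # IAM accepts either a string or a list for Statement, Action and NotAction.
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names match case-insensitively and support * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def missing_actions(policy_document):
    """Return the required actions the policy does not allow or explicitly denies.
    Resource and Condition are ignored: an empty result means the action list is
    complete, not that each statement is scoped to the right cluster or VPC."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns, not_patterns = _as_list(stmt.get("Action")), _as_list(stmt.get("NotAction"))
        for action in REQUIRED_ACTIONS:
            if patterns:
                hit = any(_matches(p, action) for p in patterns)
            else:  # NotAction: the statement applies to everything it does not list
                hit = bool(not_patterns) and not any(_matches(p, action) for p in not_patterns)
            if hit:
                (allowed if stmt.get("Effect") == "Allow" else denied).add(action)
    return sorted(a for a in REQUIRED_ACTIONS if a not in allowed or a in denied)

# Constructed sample: a custom policy that omits logs:PutLogEvents and carries a
# Deny that overrides its own Allow on ec2:DeleteNetworkInterface. ARN is a placeholder.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kafka:DescribeCluster", "kafka:GetBootstrapBrokers"],
         "Resource": "arn:aws:kafka:REGION:ACCOUNT-ID:cluster/EXAMPLE-CLUSTER/EXAMPLE-UUID"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface",
                                       "logs:CreateLogGroup", "logs:CreateLogStream"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:DeleteNetworkInterface", "Resource": "*"},
    ],
}
```

Running `missing_actions(SAMPLE_POLICY)` reports the two gaps; feed it the output of `aws iam get-policy-version` for your own role's policy to audit it before creating the event source mapping.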
Follow these steps to add the AWS managed policy AWSLambdaMSKExecutionRole to your execution role using the IAM console.
To add an AWS managed policy
1. Open the Policies page of the IAM console.
2. In the search box, enter the policy name (AWSLambdaMSKExecutionRole).
3. Select the policy from the list, and then choose Policy actions, Attach.
4. Select your execution role from the list, and then choose Attach policy.
By default, IAM users and roles don't have permission to perform Amazon MSK API operations. To grant access to users in your organization or account, you might need an identity-based policy. For more information, see Amazon Managed Streaming for Apache Kafka Identity-Based Policy Examples in the Amazon Managed Streaming for Apache Kafka Developer Guide.
Amazon MSK supports Simple Authentication and Security Layer/Salted Challenge Response Authentication Mechanism (SASL/SCRAM) authentication. You can control access to your Amazon MSK clusters by setting up user name and password authentication using an AWS Secrets Manager secret. For more information, see Using Username and Password Authentication with AWS Secrets Manager in the Amazon Managed Streaming for Apache Kafka Developer Guide.