Authentication and authorization for Apache Kafka APIs
You can use IAM to authenticate clients and to allow or deny Apache Kafka actions. Alternatively, you can use TLS or SASL/SCRAM to authenticate clients, and Apache Kafka ACLs to allow or deny actions.
For information on how to control who can perform Amazon MSK operations on your cluster, see Authentication and authorization for Amazon MSK APIs.