Mutual TLS client authentication for Amazon MSK
You can enable client authentication with TLS for connections from your applications to your Amazon MSK brokers. To use client authentication, you need an Amazon Private CA. The Amazon Private CA can be either in the same Amazon Web Services account as your cluster, or in a different account. For information about Amazon Private CAs, see Creating and Managing an Amazon Private CA.
Note
TLS authentication is not currently available in the Beijing and Ningxia Regions.
Amazon MSK doesn't support certificate revocation lists (CRLs). To control access to your cluster topics or block compromised certificates, use Apache Kafka ACLs and Amazon security groups. For information about using Apache Kafka ACLs, see Apache Kafka ACLs.
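The following added example (not part of the AWS documentation) shows one way to block a compromised client certificate with Apache Kafka deny ACLs, as the paragraph above suggests. The broker endpoint, properties file, sample DN, and function names are assumptions; the script prints the `kafka-acls.sh` commands by default so they can be reviewed before running.

```shell
#!/bin/sh
# Added example. Placeholders (assumptions, not from the page): set BOOTSTRAP and
# CLIENT_CONFIG to your broker TLS endpoint and TLS client properties file.
BOOTSTRAP="${BOOTSTRAP:-broker.example.internal:9094}"
CLIENT_CONFIG="${CLIENT_CONFIG:-client.properties}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands for review, 0 = execute them

# With TLS client authentication, Kafka's default principal is "User:" plus the
# certificate's subject DN. The ACL therefore matches the DN, not the serial
# number: a replacement certificate must be issued with a different DN.
principal_for_dn() {
    case "$1" in
        *CN=*) printf 'User:%s\n' "$1" ;;
        *) echo "expected a subject DN containing CN=" >&2; return 1 ;;
    esac
}

# Print each argument single-quoted (dry run) or execute the command.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        for arg in "$@"; do printf "'%s' " "$arg"; done
        printf '\n'
    else
        "$@"
    fi
}

# Add one deny ACL; in Kafka a matching deny rule overrides any allow rule.
acl_deny() {
    p=$1; shift
    run kafka-acls.sh --bootstrap-server "$BOOTSTRAP" \
        --command-config "$CLIENT_CONFIG" \
        --add --deny-principal "$p" --operation All "$@"
}

# Deny the compromised principal on every resource type it could touch.
deny_compromised_cert() {
    principal=$(principal_for_dn "$1") || return 1
    for res in topic group transactional-id; do
        acl_deny "$principal" "--$res" '*' || return 1
    done
    acl_deny "$principal" --cluster
}

# Run as: sh deny_cert.sh 'CN=payments-client,OU=Apps'   (constructed DN)
if [ "$#" -gt 0 ]; then deny_compromised_cert "$1"; fi
```

The identity that adds these ACLs needs permission to alter ACLs on the cluster, and the DN must match the certificate subject exactly as the broker reports it.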