Mutual TLS client authentication for Amazon MSK - Amazon Managed Streaming for Apache Kafka

Mutual TLS client authentication for Amazon MSK

You can enable client authentication with TLS for connections from your applications to your Amazon MSK brokers. To use client authentication, you need an Amazon Private CA. The Amazon Private CA can be in the same Amazon Web Services account as your cluster or in a different account. For information about Amazon Private CAs, see Creating and Managing an Amazon Private CA.

Note

TLS authentication is not currently available in the Beijing and Ningxia Regions.

Amazon MSK doesn't support certificate revocation lists (CRLs). To control access to your cluster topics or block compromised certificates, use Apache Kafka ACLs and Amazon security groups. For information about using Apache Kafka ACLs, see Apache Kafka ACLs.
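
One way to block a compromised client certificate with Apache Kafka ACLs, as described above (an added example, not part of the AWS documentation). It assumes Kafka's default mapping of a TLS client to the principal `User:<certificate subject DN>`; the broker address, `client.properties` file, and subject line are constructed placeholders.

```shell
#!/bin/sh
# Added example: print (do not run) the deny ACLs for one client certificate.
# Get the subject line from the certificate with:
#   openssl x509 -in client.pem -noout -subject -nameopt RFC2253

# Convert "subject=CN=..." (or "subject= CN=...") into a Kafka principal.
principal_from_subject() {
    printf '%s\n' "$1" | sed -e 's/^subject=[[:space:]]*//' -e 's/^/User:/'
}

# Single-quote a value so the printed command can be pasted safely.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Emit one kafka-acls.sh command per resource type. A deny rule overrides
# any allow rule that also matches the principal.
deny_commands() {
    principal=$(principal_from_subject "$1")
    for resource in "--topic '*'" "--group '*'" "--transactional-id '*'" "--cluster"; do
        printf 'kafka-acls.sh --bootstrap-server %s --command-config %s --add --deny-principal %s --operation All %s\n' \
            "$(shell_quote "$BOOTSTRAP")" "$(shell_quote "$CLIENT_PROPS")" \
            "$(shell_quote "$principal")" "$resource"
    done
}

# Placeholders (assumptions): set these to your TLS bootstrap brokers and to
# an admin client config that itself authenticates over TLS.
BOOTSTRAP=${BOOTSTRAP:-BOOTSTRAP_BROKERS_PLACEHOLDER}
CLIENT_PROPS=${CLIENT_PROPS:-client.properties}

# Constructed sample subject line, standing in for real openssl output.
SAMPLE_SUBJECT='subject=CN=orders-svc-01,OU=Payments,O=Example Corp'
deny_commands "$SAMPLE_SUBJECT"
```

The deny rule matches the subject DN, not an individual certificate, so a replacement certificate issued with the same DN is blocked as well; issue the replacement under a different DN.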