Cluster Security
Use this resource to update the security settings of a cluster.
URI
/v1/clusters/{clusterArn}/security
HTTP methods
OPTIONS
Enable CORS by returning the correct headers.
Name | Type | Required | Description |
---|---|---|---|
clusterArn | String | True | The Amazon Resource Name (ARN) that uniquely identifies the cluster. |
Status code | Response model | Description |
---|---|---|
200 | None | Default response for CORS method |
PATCH
Operation ID: UpdateSecurity
Updates security settings of the specified cluster.
Name | Type | Required | Description |
---|---|---|---|
clusterArn | String | True | The Amazon Resource Name (ARN) that uniquely identifies the cluster. |
Status code | Response model | Description |
---|---|---|
200 | UpdateSecurityResponse | The update was accepted. The change is applied asynchronously; use the returned cluster operation ARN to track its progress. |
400 | Error | The request isn't valid because the input is incorrect. Correct your input and then submit it again. |
401 | Error | The request is not authorized. The provided credentials couldn't be validated. |
403 | Error | Access forbidden. Check your credentials and then retry your request. |
404 | Error | The resource could not be found due to incorrect input. Correct the input, then retry the request. |
429 | Error | Too many requests: the caller is being throttled. Retry with backoff. |
500 | Error | There was an unexpected internal server error. Retrying your request might resolve the issue. |
503 | Error | The service is temporarily unavailable. Retry your request. |
Schemas
Request bodies
{
  "clientAuthentication": {
    "sasl": {
      "iam": { "enabled": boolean },
      "scram": { "enabled": boolean }
    },
    "tls": {
      "certificateAuthorityArnList": [ "string" ],
      "enabled": boolean
    },
    "unauthenticated": { "enabled": boolean }
  },
  "currentVersion": "string",
  "encryptionInfo": {
    "encryptionAtRest": { "dataVolumeKMSKeyId": "string" },
    "encryptionInTransit": { "clientBroker": enum, "inCluster": boolean }
  }
}
Response bodies
UpdateSecurityResponse (200):
{
  "clusterArn": "string",
  "clusterOperationArn": "string"
}
Error (4xx/5xx):
{
  "invalidParameter": "string",
  "message": "string"
}
Properties
ClientAuthentication
Includes all client authentication information.
Property | Type | Required | Description |
---|---|---|---|
sasl | Sasl | False | Details for client authentication using SASL. To turn on SASL, you must also turn on EncryptionInTransit by setting inCluster to true and clientBroker to TLS or TLS_PLAINTEXT. |
tls | Tls | False | Details for ClientAuthentication using TLS. To turn on TLS access control, you must also turn on EncryptionInTransit. |
unauthenticated | Unauthenticated | False | Details for ClientAuthentication using no authentication. |
ClientBroker
Client-broker encryption in transit setting.
TLS
TLS_PLAINTEXT
PLAINTEXT
EncryptionAtRest
The data-volume encryption details. You can't update encryption at rest settings for existing clusters.
Property | Type | Required | Description |
---|---|---|---|
dataVolumeKMSKeyId | string | True | The Amazon Resource Name (ARN) of the Amazon KMS key for encrypting data at rest. If you don't specify a KMS key, MSK creates one for you and uses it. |
EncryptionInTransit
The settings for encrypting data in transit.
Property | Type | Required | Description |
---|---|---|---|
clientBroker | ClientBroker | False | Indicates the encryption setting for data in transit between clients and brokers. You must set it to one of the following values: TLS (client-broker communication is TLS only), TLS_PLAINTEXT (both TLS and plaintext client listeners are enabled), or PLAINTEXT (client-broker communication is plaintext only). The default value is TLS. |
inCluster | boolean | False | When set to true, it indicates that data communication among the broker nodes of the cluster is encrypted. When set to false, the communication happens in plaintext. The default value is true. |
EncryptionInfo
Includes encryption-related information, such as the Amazon KMS key used for encrypting data at rest and whether you want MSK to encrypt your data in transit.
Property | Type | Required | Description |
---|---|---|---|
encryptionAtRest | EncryptionAtRest | False | The data-volume encryption details. |
encryptionInTransit | EncryptionInTransit | False | The details for encryption in transit. |
Error
Returns information about an error.
Property | Type | Required | Description |
---|---|---|---|
invalidParameter | string | False | The parameter that caused the error. |
message | string | False | The description of the error. |
IAM
Details for SASL/IAM client authentication.
Property | Type | Required | Description |
---|---|---|---|
enabled | boolean | False | SASL/IAM authentication is enabled or not. |
Sasl
Details for client authentication using SASL. To turn on SASL, you must also turn on EncryptionInTransit by setting inCluster to true. You must set clientBroker to either TLS or TLS_PLAINTEXT. If you choose TLS_PLAINTEXT, then you must also set unauthenticated to true.
Property | Type | Required | Description |
---|---|---|---|
iam | IAM | False | Details for SASL/IAM client authentication. |
scram | Scram | False | Details for SASL/SCRAM client authentication. |
Scram
Details for SASL/SCRAM client authentication.
Property | Type | Required | Description |
---|---|---|---|
enabled | boolean | False | SASL/SCRAM authentication is enabled or not. |
Tls
Details for client authentication using TLS.
Property | Type | Required | Description |
---|---|---|---|
certificateAuthorityArnList | Array of type string | False | List of AWS Private CA Amazon Resource Name (ARN)s. |
enabled | boolean | False | TLS authentication is enabled or not. |
Unauthenticated
Details for allowing no client authentication.
Property | Type | Required | Description |
---|---|---|---|
enabled | boolean | False | Unauthenticated is enabled or not. |
UpdateSecurityRequest
Request body for UpdateSecurity.
Property | Type | Required | Description |
---|---|---|---|
clientAuthentication | ClientAuthentication | False | The client authentication info details. |
currentVersion | string | True | Current cluster version, as returned by DescribeCluster. A stale value is rejected, which prevents two concurrent updates from silently overwriting each other. |
encryptionInfo | EncryptionInfo | False | The encryption info details. |
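The following is an added example, not code from the AWS documentation or from the MSK service: it builds the UpdateSecurityRequest body shown above, checks it against the cross-field rules this page states for Sasl and EncryptionInTransit before anything is sent (so a bad combination fails locally instead of as a 400), flags legal-but-weak settings such as an unauthenticated or plaintext listener, and converts the camelCase REST body into the PascalCase parameters boto3's `kafka` client expects. The cluster ARN and currentVersion strings are constructed placeholders; the rule that TLS client authentication cannot be combined with clientBroker PLAINTEXT is my inference, not text from this page.

```python
"""Build, pre-validate and (optionally) send an MSK UpdateSecurity request.

Added example; not code from the AWS documentation or from the MSK service.
Assumptions: the cross-field rules come from the Sasl, EncryptionInTransit and
EncryptionAtRest descriptions on this page; the ARN/version values in the demo
are constructed placeholders; the TLS-auth-over-PLAINTEXT check is an inference.
"""
from __future__ import annotations

import json

CLIENT_BROKER_VALUES = ("TLS", "TLS_PLAINTEXT", "PLAINTEXT")


def build_update_security_body(current_version, *, iam=False, scram=False,
                               tls_ca_arns=None, unauthenticated=False,
                               client_broker="TLS", in_cluster=True):
    """Return the JSON body for PATCH /v1/clusters/{clusterArn}/security.

    encryptionAtRest is deliberately omitted: the page says it can't be
    changed on an existing cluster, so sending it only earns a 400.
    Raises ValueError if the body breaks a rule documented on the page.
    """
    tls_ca_arns = list(tls_ca_arns or [])
    body = {
        "currentVersion": current_version,  # from DescribeCluster; stale -> 400
        "clientAuthentication": {
            "sasl": {"iam": {"enabled": iam}, "scram": {"enabled": scram}},
            "tls": {"certificateAuthorityArnList": tls_ca_arns,
                    "enabled": bool(tls_ca_arns)},
            "unauthenticated": {"enabled": unauthenticated},
        },
        "encryptionInfo": {
            "encryptionInTransit": {"clientBroker": client_broker,
                                    "inCluster": in_cluster},
        },
    }
    errors, _warnings = validate_security_body(body)
    if errors:
        raise ValueError("; ".join(errors))
    return body


def validate_security_body(body):
    """Return (errors, warnings). Errors break rules stated on this page;
    warnings are legal settings that weaken the cluster's security posture."""
    auth = body["clientAuthentication"]
    eit = body["encryptionInfo"]["encryptionInTransit"]
    cb, in_cluster = eit["clientBroker"], eit["inCluster"]
    sasl_on = auth["sasl"]["iam"]["enabled"] or auth["sasl"]["scram"]["enabled"]
    tls_on = auth["tls"]["enabled"]
    unauth_on = auth["unauthenticated"]["enabled"]
    errors, warnings = [], []

    if cb not in CLIENT_BROKER_VALUES:
        errors.append(f"clientBroker must be one of {CLIENT_BROKER_VALUES}, got {cb!r}")
    if (sasl_on or tls_on) and not in_cluster:
        errors.append("SASL/TLS auth requires encryptionInTransit.inCluster = true")
    if sasl_on and cb == "PLAINTEXT":
        errors.append("SASL requires clientBroker TLS or TLS_PLAINTEXT")
    if sasl_on and cb == "TLS_PLAINTEXT" and not unauth_on:
        errors.append("SASL over TLS_PLAINTEXT requires unauthenticated.enabled = true")
    if tls_on and cb == "PLAINTEXT":  # assumption: client certs need a TLS listener
        errors.append("TLS auth cannot be combined with clientBroker PLAINTEXT")

    if unauth_on:
        warnings.append("unauthenticated.enabled = true: any client that can reach "
                        "the brokers can connect without credentials")
    if cb != "TLS":
        warnings.append(f"clientBroker {cb}: a plaintext client listener is exposed")
    if not in_cluster:
        warnings.append("inCluster = false: broker-to-broker traffic is unencrypted")
    return errors, warnings


def to_boto3_params(obj):
    """Recursively upper-case the first letter of every key: the REST body is
    camelCase, while boto3's kafka client takes PascalCase parameters."""
    if isinstance(obj, dict):
        return {k[0].upper() + k[1:]: to_boto3_params(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [to_boto3_params(v) for v in obj]
    return obj


def update_security(cluster_arn, **settings):
    """Fetch currentVersion, build and validate the body, then call UpdateSecurity.
    Returns the ClusterOperationArn to poll with DescribeClusterOperation."""
    import boto3  # imported lazily so the offline helpers above need no AWS access
    kafka = boto3.client("kafka")
    version = kafka.describe_cluster(ClusterArn=cluster_arn)["ClusterInfo"]["CurrentVersion"]
    body = build_update_security_body(version, **settings)
    for warning in validate_security_body(body)[1]:
        print("warning:", warning)
    resp = kafka.update_security(ClusterArn=cluster_arn, **to_boto3_params(body))
    return resp["ClusterOperationArn"]


if __name__ == "__main__":
    # Offline demo with a constructed currentVersion: print the raw REST body.
    demo = build_update_security_body("K3AEGXETSR30VB", iam=True, client_broker="TLS")
    print(json.dumps(demo, indent=2))
    print(validate_security_body(demo))
```

Run the file directly for an offline dry run of the body; call `update_security(cluster_arn, iam=True)` only with credentials that hold kafka:DescribeCluster and kafka:UpdateSecurity. Keep the validator in front of every change to this endpoint: a PATCH that flips unauthenticated on or drops clientBroker to PLAINTEXT is a one-call downgrade of the whole cluster's access control, and the warnings list makes that visible in change review.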
UpdateSecurityResponse
Response body for UpdateSecurity.
Property | Type | Required | Description |
---|---|---|---|
clusterArn | string | False | The Amazon Resource Name (ARN) of the cluster. |
clusterOperationArn | string | False | The Amazon Resource Name (ARN) of the cluster operation. |
See also
For more information about using this API in one of the language-specific AWS SDKs and references, see the following: