Bobcares
Client Area
Emergency Support
Amazon Web Services (AWS) | Latest

AWS MSK authentication

by | May 3, 2022

Wondering how to configure AWS MSK authentication? We can help you.

Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.

Today, let us see how our Support techs assist with this query.

How to configure AWS MSK authentication?

AWS Lambda is introducing mutual TLS (mTLS) authentication for Amazon MSK and self-managed Kafka as an event source.

By default, the TLS protocol only requires a server to authenticate itself to the client.

The authentication of the client to the server is manage by the application layer.

The TLS protocol also offers the ability for the server to request that the client send an X.509 certificate to prove its identity.

This is called mutual TLS as both parties are authenticated via certificates with TLS.

Today, let us see the steps followed by our Support Techs for using mutual TLS authentication for Amazon MSK as event source for Lambda are:

  1. Firstly, create a private certificate authority (CA) using AWS Certificate Manager (ACM) Private Certificate Authority (PCA).
  2. Next, create a client certificate and private key. Store them as secret in AWS Secrets Manager.
  3. Then, create an Amazon MSK cluster and a consuming Lambda function using the AWS Serverless Application Model (AWS SAM).
  4. Finally, cttach the event source mapping.

1. Creating a private CA.

To use mutual TLS client authentication with Amazon MSK, create a root CA using AWS ACM Private Certificate Authority (PCA).

  1. Firstly, from the AWS Certificate Manager console, choose Create a Private CA.
  2. Then, in the Select CA type panel, select Root CA and choose Next.
  3. Next, in the Configure CA subject name panel, provide your certificate details, and choose Next.
  4. Then, from the Configure CA key algorithm panel, choose the key algorithm for your CA and choose Next.
  5. From the Configure revocation panel, choose any optional certificate revocation options you require and choose Next.
  6. Continue through the screens to add any tags required, allow ACM to renew certificates, review your options, and confirm pricing. Choose Confirm and create.
  7. Once the CA is create, choose Install CA certificate to activate your CA. Configure the validity of the certificate and the signature algorithm and choose Next.
  8. Finally, review the certificate details and choose Confirm and install.

2. Creating a client certificate.

You generate a client certificate using the root certificate you previously create, which is used to authenticate the client with the Amazon MSK cluster using mutual TLS.

  1. On your local machine, run the following command to create a private key and certificate signing request using OpenSSL. Enter your certificate details. This creates a private key file and a certificate signing request file in the current directory.
  2. Use the AWS CLI to sign your certificate request with the private CA previously created. Replace Private-CA-ARN with the ARN of your private CA. The certificate validity value is set to 300, change this if necessary. Save the certificate ARN provided in the response.
  3. Then, retrieve the certificate that ACM signed for you. Replace the Private-CA-ARN and Certificate-ARN with the ARN you obtained from the previous commands. This creates a signed certificate file called client_cert.pem.
  4. Create a new file called secret.json with the following structure
  5. Copy the contents of the client_cert.pem in certificate and the content of key.pem in privatekey. Ensure that there are no extra spaces added.The file structure looks like this:
  6. Finally, create the secret and save the ARN for the next section.
aws secretsmanager create-secret --name msk/mtls/lambda/clientcert --secret-string file://secret.json

3. Setting up an Amazon MSK cluster with AWS Lambda as a consumer.

Amazon MSK is a highly available service, so it must be configured to run in a minimum of two Availability Zones in your preferred Region.

To comply with security best practice, the brokers are usually configured in private subnets in each Region.

You can use AWS CLI, AWS Management Console, AWS SDK and AWS CloudFormation to create the cluster and the Lambda functions.

This blog uses AWS SAM to create the infrastructure and the associated code is available in the GitHub repository.

The AWS SAM template creates the following resources:

1. Firstly, amazon Virtual Private Cloud (VPC).
2. Secondly, amazon MSK cluster with mutual TLS authentication.
3. Then, lambda function for consuming the records from the Amazon MSK cluster.
4. IAM roles.
5. ambda function for testing the Amazon MSK integration by publishing messages to the topic.

The VPC has public and private subnets in two Availability Zones with the private subnets configured to use a NAT Gateway.

You can also set up VPC endpoints with PrivateLink to allow the Amazon MSK cluster to communicate with Lambda.

The Lambda function requires permission to describe VPCs and security groups, and manage elastic network interfaces to access the Amazon MSK data stream.

The Lambda function also needs two Kafka permissions: kafka:DescribeCluster and kafka:GetBootstrapBrokers.

The policy template AWSLambdaMSKExecutionRole includes these permissions.

The Lambda function also requires permission to get the secret value from AWS Secrets Manager for the secret you configure in the event source mapping.

ConsumerLambdaFunctionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole
Policies:
- PolicyName: SecretAccess
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: "SecretsManager:GetSecretValue"
Resource: "*"

YAML

This release adds two new SourceAccessConfiguration types to the Lambda event source mapping:

1. CLIENT_CERTIFICATE_TLS_AUTH – (Amazon MSK, Self-managed Apache Kafka)

2. SERVER_ROOT_CA_CERTIFICATE – This is only for self-managed Apache Kafka.

[Need help with the process? We’d be happy to assist]

Conclusion

In short, we saw steps followed by our Support Techs to configure AWS MSK authentication

Related posts:

  1. “Failed to communicate with AWS Elastic Beanstalk”- How to fix AWS error
  2. DMS Endpoint Connectivity Failures – Troubleshoot & Fix
  3. VpcPeeringConnection failed to stabilize | Resolved
  4. Add Routes to Main Route Table in VPC

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

server management

Spend time on your business, not on your servers.

TALK TO US

Or click here to learn more.

Related Articles

  1. “Failed to communicate with AWS Elastic Beanstalk”- How to fix AWS error
  2. DMS Endpoint Connectivity Failures – Troubleshoot & Fix
  3. VpcPeeringConnection failed to stabilize | Resolved
  4. Add Routes to Main Route Table in VPC

Never again lose customers to poor
server speed! Let us help you.

GET STARTED

Privacy Preference Center

Consent Management

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience.

Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Privacy Policy

Required
By using this site, you agree to our Privacy Policy.

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

Cookies Used

Required
PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]

livechat.bobcares.com

Opt Out
PHPSESSID

my.bobcares.com

Opt Out
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

Cookies Used

_ga, _gat, _gid

google.com

Opt Out
_ga, _gat, _gid

manager.smartlook.com

Opt Out
smartlookCookie

clarity.microsoft.com

Opt Out
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

_reb2bgeo - The visitor's geographical location

_reb2bloaded - Whether or not the script loaded for the visitor

_reb2bref - The referring URL for the visit

_reb2bsessionID - The visitor's RB2B session ID

_reb2buid - The visitor's RB2B user ID

Cookies Used

IDE, test_cookie, 1P_JAR, NID, DV, NID

doubleclick.net

Opt Out
IDE, test_cookie

google.co.in

Opt Out
1P_JAR, NID, DV

google.com

Opt Out
NID

olark.com

Opt Out
hblid

rb2b.com

Opt Out
_reb2bgeo, _reb2bloaded, _reb2bref, _reb2bsessionID, _reb2buid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

Cookies Used

SID, APISID, HSID, NID, PREF

google.com

Opt Out
SID, APISID, HSID, NID, PREF