Security options for Kafka connections
Learn how to configure security protocols, SASL mechanisms, and TLS/SSL settings for Kafka connections, including required properties and validation rules.
This page describes the available security options and validation rules. For step-by-step instructions in the Manage Connections wizard, see Configure Kafka authentication.
When you configure a Kafka connection, you can choose one of the following Security Protocol options:
| Protocol | Encryption | Authentication | Typical use case |
|---|---|---|---|
| SASL_SSL | TLS | SASL (username/password) | Recommended for production |
| SASL_PLAINTEXT | None | SASL (username/password) | Development/testing only |
| SSL | TLS | Optional client certificate (mutual TLS) | When SASL is not available |
| PLAINTEXT | None | None | Development/testing only |
A supported security protocol is required. If you attempt to create or activate a Kafka connection without specifying the security protocol, validation fails.
When you choose PLAINTEXT, the wizard displays a warning that the protocol sends data unencrypted with no authentication and should only be used in development or fully trusted networks.
SASL mechanisms
If you choose a SASL protocol (SASL_SSL or SASL_PLAINTEXT), you must also select a SASL Mechanism:
| Mechanism | Login module | Description |
|---|---|---|
| PLAIN | PlainLoginModule | Simple username/password; use only with TLS |
| SCRAM-SHA-256 | ScramLoginModule | Salted challenge-response; more secure than PLAIN |
| SCRAM-SHA-512 | ScramLoginModule | Same as SCRAM-SHA-256 but uses SHA-512 |
For SASL protocols:

- A SASL mechanism (`sasl.mechanism`) is required.
- `sasl.jaas.config` must contain a JAAS login configuration string with a non-empty `username` and `password` and the correct login module for the chosen mechanism.
- SASL properties (`sasl.mechanism`, `sasl.jaas.config`) are only valid with SASL_SSL or SASL_PLAINTEXT; they are rejected on PLAINTEXT or SSL connections.
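The following is an added example, not the product's own validation code, that shows how the three SASL rules above can be checked against a plain dictionary of connection properties. It assumes the standard Kafka client class names for the two login modules (`org.apache.kafka.common.security.plain.PlainLoginModule` and `org.apache.kafka.common.security.scram.ScramLoginModule`) and the usual `key="value"` JAAS option syntax; the `build_jaas_config` helper is there only to produce well-formed input for the check.

```python
import re

# Login module expected for each SASL mechanism (mapping from the page's table;
# the fully qualified class names are the standard Kafka client ones).
LOGIN_MODULES = {
    "PLAIN": "org.apache.kafka.common.security.plain.PlainLoginModule",
    "SCRAM-SHA-256": "org.apache.kafka.common.security.scram.ScramLoginModule",
    "SCRAM-SHA-512": "org.apache.kafka.common.security.scram.ScramLoginModule",
}
SASL_PROTOCOLS = {"SASL_SSL", "SASL_PLAINTEXT"}
SASL_KEYS = {"sasl.mechanism", "sasl.jaas.config"}

# Matches name="value" options in a JAAS line; backslash-escaped quotes inside a value are allowed.
_JAAS_OPTION = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def _quote(value: str) -> str:
    # Escape backslashes and quotes so a credential cannot break out of the quoted option value.
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_jaas_config(mechanism: str, username: str, password: str) -> str:
    """Return a JAAS login configuration string using the login module for `mechanism`."""
    module = LOGIN_MODULES[mechanism]
    return f'{module} required username="{_quote(username)}" password="{_quote(password)}";'


def validate_sasl(props: dict) -> list:
    """Return a list of validation errors for the SASL part of a connection (empty list = valid)."""
    errors = []
    protocol = props.get("security.protocol")

    if protocol not in SASL_PROTOCOLS:
        # Rule 3: SASL properties are rejected on PLAINTEXT or SSL connections.
        present = sorted(k for k in SASL_KEYS if k in props)
        if present:
            errors.append(f"{', '.join(present)} not allowed with security.protocol={protocol}")
        return errors

    # Rule 1: the mechanism is required and must be one of the three supported names.
    mechanism = props.get("sasl.mechanism")
    if mechanism not in LOGIN_MODULES:
        errors.append("sasl.mechanism is required and must be PLAIN, SCRAM-SHA-256 or SCRAM-SHA-512")
        return errors

    # Rule 2: a JAAS string with the matching login module and non-empty credentials.
    jaas = props.get("sasl.jaas.config", "").strip()
    if not jaas:
        errors.append("sasl.jaas.config is required for SASL protocols")
        return errors
    module = jaas.split()[0]
    if module != LOGIN_MODULES[mechanism]:
        errors.append(f"sasl.jaas.config must use {LOGIN_MODULES[mechanism]} for {mechanism}")
    options = dict(_JAAS_OPTION.findall(jaas))
    for name in ("username", "password"):
        if not options.get(name):
            errors.append(f"sasl.jaas.config must contain a non-empty {name}")
    return errors


if __name__ == "__main__":
    # Constructed sample: a SCRAM-SHA-512 connection with a well-formed JAAS string.
    sample = {
        "security.protocol": "SASL_SSL",
        "sasl.mechanism": "SCRAM-SHA-512",
        "sasl.jaas.config": build_jaas_config("SCRAM-SHA-512", "app-user", "example-password"),
    }
    print(validate_sasl(sample))
```

The login-module check uses the first token of the JAAS string, so a PLAIN-style configuration submitted with a SCRAM mechanism is reported as a mismatch rather than silently accepted.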
The `sasl.mechanism` field uses the full mechanism name (PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512). In the UI, SCRAM mechanisms are grouped under a single SCRAM option, with a Mechanism Variant selector for SCRAM-SHA-256 or SCRAM-SHA-512.

TLS / SSL configuration
When you choose SSL or SASL_SSL, additional TLS / SSL settings are required:

- Truststore Type: JKS or PKCS12 (Java Key Store or PKCS #12). Choose the option that matches the format of your existing truststore file.
- Truststore Location: Upload your truststore file; the underlying API accepts the content as Base64-encoded data.
- Truststore Password: Password for the truststore.
- `ssl.endpoint.identification.algorithm` (optional): Only `https` is accepted, which enables hostname verification. Disabling hostname verification by setting this field to an empty string or any other value is not supported.
- Mutual TLS / client certificate (optional):
  - Keystore Location (optional): Upload your keystore file (Base64-encoded content in the API).
  - Keystore Password (required when a keystore is provided).
  - Key Password (optional): Password for the private key in the keystore.
Validation enforces the following rules:

- Providing a truststore location without a truststore password is rejected.
- Providing a keystore location without a keystore password is rejected.
- Setting `ssl.key.password` without an associated keystore is rejected.
- SSL properties (`ssl.truststore.*`, `ssl.keystore.*`) are valid only with SSL or SASL_SSL.
- File size limit: Truststore and keystore uploads are limited to 1 MB of decoded content. Larger files are rejected with an error indicating that the SSL file exceeds the maximum size.
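As an added example (not the product's own code), the validator below applies the TLS / SSL rules from this section and the one before it to a dictionary of connection properties. It assumes the standard Kafka client property names (`ssl.truststore.type`, `ssl.truststore.location`, `ssl.truststore.password`, `ssl.keystore.location`, `ssl.keystore.password`, `ssl.key.password`, `ssl.endpoint.identification.algorithm`), that the location fields carry the Base64-encoded file content as the page describes for the API, and that the 1 MB limit is measured on the decoded bytes.

```python
import base64
import binascii

SSL_PROTOCOLS = {"SSL", "SASL_SSL"}
TRUSTSTORE_TYPES = {"JKS", "PKCS12"}
MAX_SSL_FILE_BYTES = 1024 * 1024  # 1 MB of decoded content, the limit stated on the page


def encode_file(content: bytes) -> str:
    """Base64-encode raw truststore/keystore bytes the way the API expects the upload."""
    return base64.b64encode(content).decode("ascii")


def decoded_size(b64: str) -> int:
    """Byte length of a Base64 payload; raises ValueError if the payload is not valid Base64."""
    try:
        return len(base64.b64decode(b64, validate=True))
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid Base64: {exc}") from exc


def _check_size(name: str, b64: str, errors: list) -> None:
    # File size limit: reject decoded content above MAX_SSL_FILE_BYTES, and reject undecodable input.
    try:
        size = decoded_size(b64)
    except ValueError as exc:
        errors.append(f"{name}: {exc}")
        return
    if size > MAX_SSL_FILE_BYTES:
        errors.append(f"{name}: SSL file exceeds the maximum size ({size} > {MAX_SSL_FILE_BYTES} bytes)")


def validate_ssl(props: dict) -> list:
    """Return a list of validation errors for the TLS/SSL part of a connection (empty list = valid)."""
    errors = []
    protocol = props.get("security.protocol")
    ssl_keys = sorted(k for k in props if k.startswith(("ssl.truststore.", "ssl.keystore.")))

    if protocol not in SSL_PROTOCOLS:
        # ssl.truststore.* and ssl.keystore.* are valid only with SSL or SASL_SSL.
        if ssl_keys:
            errors.append(f"{', '.join(ssl_keys)} only valid with SSL or SASL_SSL (got {protocol})")
        return errors

    truststore = props.get("ssl.truststore.location")
    keystore = props.get("ssl.keystore.location")

    if props.get("ssl.truststore.type") not in TRUSTSTORE_TYPES:
        errors.append("ssl.truststore.type must be JKS or PKCS12")
    if not truststore:
        errors.append("ssl.truststore.location is required for SSL and SASL_SSL")
    else:
        if not props.get("ssl.truststore.password"):
            errors.append("ssl.truststore.location given without ssl.truststore.password")
        _check_size("ssl.truststore.location", truststore, errors)

    if keystore:
        if not props.get("ssl.keystore.password"):
            errors.append("ssl.keystore.location given without ssl.keystore.password")
        _check_size("ssl.keystore.location", keystore, errors)
    elif props.get("ssl.key.password"):
        errors.append("ssl.key.password set without an associated keystore")

    # Hostname verification cannot be switched off: "https" is the only accepted value.
    algo = props.get("ssl.endpoint.identification.algorithm")
    if algo is not None and algo != "https":
        errors.append("ssl.endpoint.identification.algorithm only accepts 'https'")
    return errors


if __name__ == "__main__":
    # Constructed sample: a SASL_SSL connection with a small placeholder truststore (not a real JKS file).
    sample = {
        "security.protocol": "SASL_SSL",
        "ssl.truststore.type": "JKS",
        "ssl.truststore.location": encode_file(b"\xfe\xed\xfe\xed" + bytes(60)),
        "ssl.truststore.password": "example-truststore-password",
        "ssl.endpoint.identification.algorithm": "https",
    }
    print(validate_ssl(sample))
```

Note that `base64.b64decode(..., validate=True)` rejects non-alphabet characters instead of silently discarding them, so a corrupted upload is reported as an error rather than producing a truncated store that only fails later at runtime.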
All uploaded files and passwords are treated as secrets: they are extracted at creation time, stored securely in AWS Secrets Manager, merged back at runtime when the connection is used, and never returned in API responses.