TLS Encryption in transit

Enable Encryption in-transit using the AWS console

Tip: You cannot enable encryption on an already created cluster, nor can you turn it off on a cluster configured with encryption. You can only turn on encryption in-transit during cluster creation.

  • If you want to enable encrypted traffic within the cluster, click on the checkbox next to Enable encryption within the cluster.

  • If you want to enable encrypted traffic between Apache Kafka clients and the Amazon MSK cluster, select one of the following:

    • Only TLS encrypted traffic allowed - This allows only TLS encrypted traffic.
    • Both TLS encrypted and plaintext traffic allowed - This allows both unencrypted and encrypted traffic. Use this if some of your clients might need to connect without TLS encryption.

Note that enabling encryption can impact the performance of the cluster in production. If you don’t need this level of encryption, consider leaving it off.
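
Because the setting is chosen at creation time, it is worth checking what existing clusters ended up with. The following is an added example, not part of the original page: it audits JSON shaped like the output of `aws kafka list-clusters`, where the console choices above appear as `ClientBroker` (`TLS`, `TLS_PLAINTEXT` or `PLAINTEXT`) and `InCluster`. The sample listing and cluster names are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample, trimmed to the fields this check reads.
SAMPLE = json.loads("""
{"ClusterInfoList": [
  {"ClusterName": "orders-prod",
   "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS", "InCluster": true}}},
  {"ClusterName": "legacy-etl",
   "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS_PLAINTEXT", "InCluster": true}}},
  {"ClusterName": "dev-scratch",
   "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "PLAINTEXT", "InCluster": false}}},
  {"ClusterName": "no-info"}
]}
""")


def audit_cluster(cluster):
    """Return findings for one cluster entry; an empty list means TLS-only everywhere."""
    transit = cluster.get("EncryptionInfo", {}).get("EncryptionInTransit")
    if transit is None:
        # Do not assume defaults: report that the settings could not be read.
        return ["encryption-in-transit settings missing from output"]
    findings = []
    client_broker = transit.get("ClientBroker")
    if client_broker == "TLS_PLAINTEXT":
        findings.append("client-broker: both TLS and plaintext allowed")
    elif client_broker == "PLAINTEXT":
        findings.append("client-broker: plaintext only")
    elif client_broker != "TLS":
        findings.append(f"client-broker: unrecognised value {client_broker!r}")
    if transit.get("InCluster") is not True:
        findings.append("in-cluster: encryption not enabled")
    return findings


def audit(listing):
    """Map each cluster name in a list-clusters style document to its findings."""
    return {c.get("ClusterName", "<unnamed>"): audit_cluster(c)
            for c in listing.get("ClusterInfoList", [])}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

To run it against a real account, replace `SAMPLE` with the parsed output of `aws kafka list-clusters`.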