I want to be able to authenticate/authorize clients to produce/consume messages on certain topics. They would be part of our VPN (incl. AWS). As I understand the available documentation, the only option to do this is to issue client certificates and set up ACLs based on the clients' DNs? Unfortunately I was not able to use my private CA (that I've created on my Linux laptop) to create client certs. So the following questions arise:
- Is it correct that I need to set up an AWS-hosted CA (ACM PCA)? That would result in almost twice the setup costs, incl. the minimum broker configs.
- I could proxy the outer world into the MSK cluster via something like "Kafka REST Proxy" from Confluent, correct?
- Am I missing something? Is there an easier way built into AWS?
Please enlighten me :)
Thanks in advance, Marcel