
Overview

AutoMQ is a widely-used tool in enterprise core data links for transmitting vital business data. AutoMQ Cloud provides extensive and flexible security configuration options for the data plane, including identity recognition, permission control, and data encryption. This document outlines the security configuration features supported by AutoMQ on the data plane.

This section only addresses the security configuration of data plane instances. For details on managing member accounts, RBAC, and other aspects related to the BYOC console and the control plane, please refer to the documentation Overview▸.

Identity Recognition

The AutoMQ data plane (AutoMQ instance) offers Kafka API access capabilities and adheres to the identity recognition protocols provided by the Apache Kafka community, supporting the following identity recognition mechanisms.

Recognition protocol and description:

Anonymous Mode
  • Protocol: PLAINTEXT
  • Description: Users can access the cluster via the Kafka API without setting any access credentials; they reach the AutoMQ instance anonymously and hold full operational privileges.

It is not recommended to use anonymous mode in production environments. Perform strict identity verification using a protocol such as SASL or mTLS instead.

SASL Mode
  • Protocols: SASL_PLAINTEXT, SASL_SSL
  • Authentication Mechanisms: SCRAM-SHA-256, SCRAM-SHA-512, PLAIN
  • Description: When accessing the cluster via the Kafka API, users must present access credentials that identify the principal. Together with the Kafka ACL authorization mechanism, this verifies the operational permissions of that principal. Manage Kafka ACLs▸

Mutual TLS (mTLS)
  • Protocols: SSL
  • Authentication Mechanism: SSL
  • Description: When accessing the cluster via the Kafka API, a unique TLS certificate must be assigned to each client. Each TLS certificate corresponds to a principal in the Kafka ACL. After the server completes TLS verification, it identifies the corresponding principal and verifies that principal's operational permissions using the Kafka ACL authorization mechanism. Manage Kafka ACLs▸

For configuration and usage methods of identity recognition protocols, refer to the following documentation:

Access Control

The AutoMQ data plane (AutoMQ instance) exposes the Kafka API and follows the ACL access control model established by the Apache Kafka community for permission management.

For configuration and instructions on Kafka ACLs, refer to Manage Kafka ACLs▸.
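As an added example (not AutoMQ's own code or documentation), the following Python script parses Kafka-style `.properties` files and audits them for the weak identity and ACL settings discussed in the Identity Recognition and Access Control sections above: an anonymous PLAINTEXT listener, SASL over an unencrypted link, the PLAIN mechanism, mTLS without a client keystore or without `ssl.client.auth=required`, and a broker with no authorizer or with `allow.everyone.if.no.acl.found=true`. The property keys are standard Apache Kafka client and broker keys; the sample files, host names, file paths and the `REPLACE_WITH_SECRET` placeholders are constructed for the example, and the authorizer class that applies to a given AutoMQ deployment should be taken from the Manage Kafka ACLs documentation.

```python
"""Added example: audit Kafka-style .properties files for weak identity/ACL settings.
Property keys are standard Apache Kafka keys; all sample files below are constructed."""
from __future__ import annotations


def parse_properties(text: str) -> dict[str, str]:
    """Parse Java .properties syntax: key=value or key: value, '#'/'!' comments and
    backslash line continuation. The first '=' or ':' splits key from value, so a
    value that itself contains '=' (e.g. sasl.jaas.config) is kept intact."""
    props: dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # continuation: glue the next line on
            pending = line[:-1]
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
        else:
            props[line] = ""
    return props


def listener_protocols(props: dict[str, str], role: str) -> set[str]:
    """A client names one protocol in security.protocol (Kafka default PLAINTEXT);
    a broker names one per 'listeners' entry (Kafka default PLAINTEXT://:9092)."""
    if role == "client":
        return {props.get("security.protocol", "PLAINTEXT").upper()}
    listeners = props.get("listeners", "PLAINTEXT://:9092")
    return {e.split("://", 1)[0].strip().upper() for e in listeners.split(",") if e.strip()}


def audit_kafka_props(props: dict[str, str], role: str = "client") -> list[str]:
    """Return readable findings; an empty list means no weak setting was seen."""
    findings: list[str] = []
    protos = listener_protocols(props, role)
    mechs = {m.strip().upper() for m in (props.get("sasl.mechanism", "") + ","
             + props.get("sasl.enabled.mechanisms", "")).split(",") if m.strip()}
    if "PLAINTEXT" in protos:
        findings.append("PLAINTEXT: anonymous access with full privileges and no transport encryption")
    if "SASL_PLAINTEXT" in protos:
        findings.append("SASL_PLAINTEXT: credentials cross the network unencrypted; use SASL_SSL")
    if protos & {"SASL_PLAINTEXT", "SASL_SSL"}:
        if "PLAIN" in mechs:
            findings.append("PLAIN mechanism sends the password itself; prefer SCRAM-SHA-512")
        if role == "client" and "sasl.jaas.config" not in props:
            findings.append("SASL selected but sasl.jaas.config is missing")
    if "SSL" in protos:
        if role == "client" and "ssl.keystore.location" not in props:
            findings.append("SSL without a client keystore: no certificate, so no principal for the ACL check")
        if role == "broker" and props.get("ssl.client.auth", "none").lower() != "required":
            findings.append("ssl.client.auth is not 'required': clients without a certificate are accepted")
    if props.get("ssl.endpoint.identification.algorithm") == "":
        findings.append("empty ssl.endpoint.identification.algorithm: hostname verification is disabled")
    if role == "broker":
        if "authorizer.class.name" not in props:
            findings.append("no authorizer.class.name: Kafka ACLs are not enforced")
        if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
            findings.append("allow.everyone.if.no.acl.found=true: resources without an ACL are open to everyone")
    return findings


def audit_text(text: str, role: str = "client") -> list[str]:
    return audit_kafka_props(parse_properties(text), role)


# Constructed samples (hosts, paths and secrets are placeholders, not real values).
ANONYMOUS_CLIENT = """# no credentials at all
bootstrap.servers=automq.example.internal:9092
"""
SCRAM_CLIENT = """# SASL over TLS with SCRAM
bootstrap.servers=automq.example.internal:9093
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \\
  username="app-producer" password="REPLACE_WITH_SECRET";
ssl.truststore.location=/etc/automq/truststore.jks
"""
MTLS_CLIENT = """# client certificate identifies the principal
bootstrap.servers=automq.example.internal:9094
security.protocol=SSL
ssl.truststore.location=/etc/automq/truststore.jks
ssl.keystore.location=/etc/automq/producer.keystore.jks
ssl.keystore.password=REPLACE_WITH_SECRET
"""
WEAK_BROKER = """# what not to ship
listeners=PLAINTEXT://:9092,SSL://:9094
ssl.client.auth=requested
allow.everyone.if.no.acl.found=true
"""
HARDENED_BROKER = """# KRaft authorizer class assumed; take the right one from the AutoMQ docs
listeners=SASL_SSL://:9093,SSL://:9094
sasl.enabled.mechanisms=SCRAM-SHA-512
ssl.client.auth=required
authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer
allow.everyone.if.no.acl.found=false
"""

if __name__ == "__main__":
    for name, text, role in [("anonymous client", ANONYMOUS_CLIENT, "client"),
                             ("SCRAM client", SCRAM_CLIENT, "client"),
                             ("mTLS client", MTLS_CLIENT, "client"),
                             ("weak broker", WEAK_BROKER, "broker"),
                             ("hardened broker", HARDENED_BROKER, "broker")]:
        print(f"{name}: {audit_text(text, role) or ['ok']}")
```

Run the file to see each sample's findings; the weak broker yields four (anonymous listener, optional client certificates, no authorizer, open resources) while the SCRAM client, mTLS client and hardened broker pass clean. The parser keeps the multi-line `sasl.jaas.config` value whole, which matters because that value contains the `=` signs that a naive `split("=")` would break on.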

Data Protection and Encryption

AutoMQ Cloud provides customers with robust encryption capabilities for data in transit and at rest.

  • Transmission Encryption: As described under Identity Recognition above, AutoMQ supports the mTLS protocol. When data is accessed over mTLS, the transmission link is encrypted with TLS, so data stays protected against leakage during network transmission.

  • Data Encryption at Rest: AutoMQ is built upon cloud storage, inherently supporting data storage encryption. This feature can be enabled when creating an installation in the BYOC console and during the creation of an AutoMQ instance. It supports transparent data encryption using cloud vendor-managed keys.

For configuring data encryption at rest, please refer to Data Encryption at Rest▸.