AWS - MSK Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!


For more information about MSK (Kafka) check:

AWS - MSK Enum

msk:ListClusters, msk:UpdateSecurity

With these privileges and access to the VPC where the Kafka brokers are, you could enable None (unauthenticated) authentication on the cluster and then access the brokers.

aws kafka update-security --client-authentication <value> --cluster-arn <value> --current-version <value>

You need access to the VPC because None authentication cannot be enabled while Kafka is publicly exposed. If the cluster is publicly exposed and SASL/SCRAM authentication is used, you could read the secret to gain access (you will need additional privileges to read the secret). If IAM role-based authentication is used and Kafka is publicly exposed, you could still abuse these privileges to give yourself permissions to access it.
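A detection sketch for the change described above, added here as an example and not part of the original page: it scans CloudTrail records for successful UpdateSecurity calls that turn on unauthenticated client access. The sample records are constructed, and the requestParameters field names and casing are assumptions, so key lookups are case-insensitive.

```python
import json

# Constructed CloudTrail records (not real logs). The layout and casing of
# requestParameters is an assumption; _get() matches keys case-insensitively.
SAMPLE_EVENTS = json.loads("""[
 {"eventSource": "kafka.amazonaws.com", "eventName": "UpdateSecurity",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-a"},
  "requestParameters": {
    "clusterArn": "arn:aws:kafka:us-east-1:111122223333:cluster/demo/EXAMPLE",
    "clientAuthentication": {"unauthenticated": {"enabled": true}}}},
 {"eventSource": "kafka.amazonaws.com", "eventName": "UpdateSecurity",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-b"},
  "requestParameters": {
    "clusterArn": "arn:aws:kafka:us-east-1:111122223333:cluster/demo/EXAMPLE",
    "clientAuthentication": {"Sasl": {"Iam": {"Enabled": true}},
                             "Unauthenticated": {"Enabled": false}}}},
 {"eventSource": "kafka.amazonaws.com", "eventName": "ListClusters",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-a"},
  "requestParameters": null}
]""")


def _get(obj, *path):
    """Walk nested dicts, matching keys case-insensitively; None if absent."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = next((v for k, v in obj.items() if k.lower() == key.lower()), None)
    return obj


def auth_weakening_findings(events):
    """One finding per successful UpdateSecurity call enabling unauthenticated access."""
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("kafka.amazonaws.com", "UpdateSecurity"):
            continue
        if ev.get("errorCode"):  # a denied or failed call changed nothing
            continue
        params = ev.get("requestParameters") or {}
        if _get(params, "clientAuthentication", "unauthenticated", "enabled") is True:
            findings.append({"principal": _get(ev, "userIdentity", "arn"),
                             "cluster": _get(params, "clusterArn"),
                             "reason": "UpdateSecurity enabled unauthenticated client access"})
    return findings


if __name__ == "__main__":
    for finding in auth_weakening_findings(SAMPLE_EVENTS):
        print(json.dumps(finding))
```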
