aws · mergify · Sep 15, 2022 · Sep 14, 2022 · Sep 14, 2022 · Sep 14, 2022
diff --git a/packages/@aws-cdk/aws-msk/README.md b/packages/@aws-cdk/aws-msk/README.md
@@ -84,8 +84,6 @@ const cluster = msk.Cluster.fromClusterArn(this, 'Cluster',
 
 [MSK supports](https://docs.aws.amazon.com/msk/latest/developerguide/kafka_apis_iam.html) the following authentication mechanisms.
 
-> Only one authentication method can be enabled.
-
 ### TLS
 
 To enable client authentication with TLS set the `certificateAuthorityArns` property to reference your ACM Private CA. [More info on Private CAs.](https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html)
@@ -151,6 +149,37 @@ const cluster = new msk.Cluster(this, 'cluster', {
 });
 ```
 
+
+### SASL/IAM + TLS
+
+Enable client authentication with [IAM](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html) 
+as well as enable client authentication with TLS by setting the `certificateAuthorityArns` property to reference your ACM Private CA. [More info on Private CAs.](https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html)
+
+```ts
+import * as acmpca from '@aws-cdk/aws-acmpca';
+
+declare const vpc: ec2.Vpc;
+const cluster = new msk.Cluster(this, 'Cluster', {
+  clusterName: 'myCluster',
+  kafkaVersion: msk.KafkaVersion.V2_8_1,
+  vpc,
+  encryptionInTransit: {
+    clientBroker: msk.ClientBrokerEncryption.TLS,
+  },
+  clientAuthentication: msk.ClientAuthentication.saslTls({
+    iam: true,
+    certificateAuthorities: [
+      acmpca.CertificateAuthority.fromCertificateAuthorityArn(
+        this,
+        'CertificateAuthority',
+        'arn:aws:acm-pca:us-west-2:1234567890:certificate-authority/11111111-1111-1111-1111-111111111111',
+      ),
+    ],
+  }),
+});
+```
+
+
 ## Logging
 
 You can deliver Apache Kafka broker logs to one or more of the following destination types:

diff --git a/packages/@aws-cdk/aws-msk/lib/cluster.ts b/packages/@aws-cdk/aws-msk/lib/cluster.ts
@@ -343,6 +343,11 @@ export interface TlsAuthProps {
   readonly certificateAuthorities?: acmpca.ICertificateAuthority[];
 }
 
+/**
+ * SASL + TLS authentication properties
+ */
+export interface SaslTlsAuthProps extends SaslAuthProps, TlsAuthProps { }
+
 /**
  * Configuration properties for client authentication.
  */
@@ -361,6 +366,13 @@ export class ClientAuthentication {
     return new ClientAuthentication(undefined, props);
   }
 
+  /**
+   * SASL + TLS authentication
+   */
+  public static saslTls(saslTlsProps: SaslTlsAuthProps): ClientAuthentication {
+    return new ClientAuthentication(saslTlsProps, saslTlsProps);
+  }
+
   /**
    * @param saslProps - properties for SASL authentication
    * @param tlsProps - properties for TLS authentication
@@ -616,6 +628,16 @@ export class Cluster extends ClusterBase {
       clientAuthentication = {
         sasl: { iam: { enabled: props.clientAuthentication.saslProps.iam } },
       };
+      if (props.clientAuthentication?.tlsProps) {
+        clientAuthentication = {
+          sasl: { iam: { enabled: props.clientAuthentication.saslProps.iam } },
+          tls: {
+            certificateAuthorityArnList: props.clientAuthentication?.tlsProps?.certificateAuthorities?.map(
+              (ca) => ca.certificateAuthorityArn,
+            ),
+          },
+        };
+      }
     } else if (props.clientAuthentication?.saslProps?.scram) {
       clientAuthentication = {
         sasl: {