Study Confluent CCAAK TLS, SASL, and ACLs: key concepts, common traps, and exam decision cues.
This lesson is high yield because Kafka security questions often look similar until you separate the control layers. The exam expects you to know which control keeps data private, which control verifies identity, and which control limits actions.
Security-boundary chooser

| If the question is really about… | Strongest first focus |
|---|---|
| encryption in transit | TLS |
| who is connecting | SASL (or mutual TLS client certificates, the equivalent authentication path) |
| what that principal can do | ACLs |
| safer permissions | least privilege |
What the exam is really testing

| If the scenario shows… | Strong reading |
|---|---|
| certificate or trust issue | encryption path is under test |
| login or principal mismatch | authentication path is under test |
| denied operation after successful authentication | authorization boundary is under test |
| overly broad access | least-privilege design is under test |
Common traps

| Trap | Better rule |
|---|---|
| treating TLS as the same thing as authentication | encryption and identity are separate layers |
| widening ACLs before confirming the principal is even authenticating correctly | solve the failing boundary first |
| giving broad rights to make the error disappear | CCAAK rewards the narrower, safer control |
Decision order that usually wins

1. Separate privacy, identity, and authorization before picking a control.
2. If the connection is not trusted or not encrypted, think TLS first (truststore, keystore, listener protocol).
3. If the principal is wrong or missing, think authentication (credentials, JAAS, principal mapping) before any ACL tuning.
4. If authentication succeeds but the action is denied, stay in the authorization lane: grant the specific operation on the specific resource and preserve least privilege.
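The decision order above, and the scenario-reading table before it, applied to client error messages. This is an added example for this study page, not Confluent or Apache Kafka code. The sample failures are constructed to mirror the message shapes Kafka clients log; the principal `User:orders-app` and bootstrap address `broker:9093` are placeholders. One caveat the page's first trap turns on: Kafka wraps a failed TLS handshake in `SslAuthenticationException`, so the triage checks trust-chain markers before it treats anything as an identity problem.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample failures (not captured from a real cluster); the class
# names and message shapes follow what Kafka clients log for each layer.
SAMPLE_FAILURES: List[str] = [
    "javax.net.ssl.SSLHandshakeException: PKIX path building failed: "
    "unable to find valid certification path to requested target",
    "org.apache.kafka.common.errors.SaslAuthenticationException: "
    "Authentication failed: Invalid username or password",
    "org.apache.kafka.common.errors.TopicAuthorizationException: "
    "Not authorized to access topics: [orders]",
    "org.apache.kafka.common.errors.GroupAuthorizationException: "
    "Not authorized to access group: order-consumers",
    "org.apache.kafka.common.errors.TimeoutException: "
    "Topic orders not present in metadata after 60000 ms.",
]

# Markers are checked in the page's decision order: trust/encryption first,
# identity second, authorization last. A broken truststore is never fixed
# by widening ACLs, so the TLS check must win even though Kafka reports a
# failed handshake as an "AuthenticationException".
TLS_MARKERS = ("SSLHandshakeException", "SslAuthenticationException",
               "certification path", "certificate_unknown")
AUTHN_MARKERS = ("SaslAuthenticationException", "Authentication failed")
AUTHZ_RE = re.compile(r"(\w+)AuthorizationException")
TOPICS_RE = re.compile(r"topics: \[([^\]]*)\]")
GROUP_RE = re.compile(r"group: (\S+)")


@dataclass
class Triage:
    layer: str                    # "tls", "authentication", "authorization", "other"
    resources: List[str]          # resource names an authorization error names
    resource_type: Optional[str]  # "topic", "group", or another Kafka resource kind
    next_step: str


def triage(message: str) -> Triage:
    """Classify one failure message by the security layer it implicates."""
    if any(m in message for m in TLS_MARKERS):
        return Triage("tls", [], None,
                      "fix trust chain / listener protocol first; do not touch ACLs")
    if any(m in message for m in AUTHN_MARKERS):
        return Triage("authentication", [], None,
                      "fix credentials / JAAS / principal mapping before any ACL change")
    hit = AUTHZ_RE.search(message)
    if hit:
        kind = hit.group(1).lower()  # "topic", "group", "cluster", ...
        names: List[str] = []
        if kind == "topic":
            found = TOPICS_RE.search(message)
            if found:
                names = [t.strip() for t in found.group(1).split(",") if t.strip()]
        elif kind == "group":
            found = GROUP_RE.search(message)
            if found:
                names = [found.group(1)]
        return Triage("authorization", names, kind,
                      "auth succeeded; add the narrowest ACL for the named resource")
    return Triage("other", [], None, "not a security-layer failure; check topic/metadata")


def least_privilege_acl(t: Triage, principal: str, operation: str,
                        bootstrap: str = "broker:9093") -> List[str]:
    """Build one kafka-acls.sh command per denied resource, scoped to exactly
    that resource and operation. It deliberately never emits the '*' wildcard
    that would make the error disappear at the cost of least privilege."""
    flags = {"topic": "--topic", "group": "--group"}
    if t.layer != "authorization" or t.resource_type not in flags or not t.resources:
        return []
    flag = flags[t.resource_type]
    return [
        f"kafka-acls.sh --bootstrap-server {bootstrap} --add "
        f"--allow-principal {principal} --operation {operation} {flag} {name}"
        for name in t.resources
    ]


if __name__ == "__main__":
    for line in SAMPLE_FAILURES:
        t = triage(line)
        print(f"{t.layer:15} {t.resource_type or '-':8} {t.resources} -> {t.next_step}")
        for cmd in least_privilege_acl(t, "User:orders-app", "Read"):
            print("   ", cmd)
```

A consumer that is denied on both the topic and its group gets two separate narrow commands (Read on the topic, Read on the group) rather than one broad grant; the TLS and authentication cases return no ACL command at all, which is the point of solving the failing boundary first.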