# Amazon MSK + Conduktor *MSK handles infrastructure. Conduktor handles the enterprise layer.*

Whether you're using MSK today or migrating to it, Conduktor adds Kafka governance, encryption, and resilience at the protocol level — no application changes required.

[Book a Demo](https://www.conduktor.io/contact/demo)
[Download Solution Brief](https://www.conduktor.io/assets/Conduktor-AWS-MSK-Solution-Brief.pdf)

Trusted by

## MSK solves infrastructure. These challenges live above it.

### Data protection gaps

MSK encrypts data at rest and in transit, but any service with topic access reads the full payload, including PII and financial records.

### Operational governance gaps

MSK provisions brokers, but has no guardrails for topic creation, client configurations, or data quality enforcement.

### Resilience and scale gaps

MSK provides single-region high availability, but multi-region failover and multi-tenancy require solutions above the broker.

## What Changes When You Add Conduktor

- **For Leadership** — Kafka investment scales across business units without multiplying clusters. Multi-region resilience protects revenue without a second operations team.
- **For Platform Teams** — Encryption, access, and data quality enforced once at the gateway instead of rebuilt per project. Client guardrails catch misconfigurations before they cause outages.
- **For Development Teams** — Same Kafka clients, same code, and same workflows with no application changes required. Isolated environments on demand without waiting for dedicated infrastructure.

## How Conduktor Gateway Complements MSK

### Field-level data protection

Encrypt, tokenize, and crypto shred sensitive fields before data reaches MSK brokers, with per-consumer decryption controls and native AWS KMS integration.

### Real-time data quality

Validate every message before it enters MSK, enforcing schema compliance and business rules with the ability to block, route, or flag bad data.

### Client governance

Block unsafe client configurations, detect connection storms, and give operators immediate feedback at the protocol level.

### Cross-network connectivity

Kafka-protocol-aware routing that rewrites broker metadata, giving clients in any topology access to MSK through a single entry point.

### Disaster recovery & resilience testing

Single-command failover that redirects all client traffic in seconds, plus built-in chaos testing to validate resilience without production risk.

### Virtual clusters & infrastructure efficiency

Logically isolated virtual clusters with independent namespaces and access controls, plus S3 payload offloading and caching for broker efficiency.

## Operate MSK at Scale with Console

[Console](https://www.conduktor.io/console) complements your existing AWS tooling to enable [operational efficiency](https://www.conduktor.io/solutions/use-case/operational-efficiency) for Kafka teams.

- [Unified Operations](https://www.conduktor.io/console#simplify-kafka-operations) — Manage topics, schemas, connectors, and consumer groups across all MSK clusters from one interface. Works alongside the AWS Console and CLI.
- [Federated Ownership](https://www.conduktor.io/console#scale-ownership-across-teams) — Developers discover, provision, and own resources within automated guardrails, catalogs, and approval workflows. Adds Kafka-level ownership on top of IAM.
- [Visibility & Troubleshooting](https://www.conduktor.io/console#accelerate-troubleshooting) — Browse and tail messages in production, monitor consumer lag, and route alerts to Slack, Teams, or PagerDuty. Adds application-level visibility alongside CloudWatch.
- [Cost Attribution & Insights](https://www.conduktor.io/console#drive-data-driven-decisions) — Track per-team Kafka usage for chargeback and surface health and risk recommendations across clusters. Complements AWS Cost Explorer with per-team breakdowns.

## Built for the AWS Ecosystem

Conduktor integrates natively with AWS services for authentication, encryption, storage, and deployment, so it fits into your existing infrastructure without additional tooling.

- **MSK IAM Authentication** — Native support for AWS_MSK_IAM SASL mechanism. Conduktor Gateway inherits IAM roles from ECS, EKS, and EC2.
- **AWS KMS** — Field-level encryption keys managed in KMS. IAM policies control which consumers decrypt which fields. CloudTrail logs every operation.
- **Amazon S3** — Large payload offloading via the claim check pattern. Payloads never consume broker storage or network bandwidth.
- **ECS / EKS Deployment** — Deploy Conduktor Gateway as ECS tasks or EKS pods within your VPC. Native container orchestration.
- **AWS Marketplace** — Available on AWS Marketplace for simplified procurement. Streamlines vendor onboarding and purchasing.
- **Glue Schema Registry** — Native support for AWS Glue Schema Registry for validation and evolution.

## Results with Amazon MSK + Conduktor

Based on results reported by Conduktor customers.

- **$500K** — + — First-Year ROI — Consolidation, faster migration, and reduced operational overhead.
- **20-40** — % — Infrastructure Cost Reduction — Virtual clusters and consolidation eliminate cluster sprawl.
- **Up to 95** — % — Faster Disaster Recovery — Single-command failover vs. manual coordination across teams.

## Read more customer stories

- [Smart Farming: 10x Kafka Utilization on AWS](https://www.conduktor.io/customer-stories/accelerating-smart-farming-innovation-with-conduktor-and-amazon-msk)
- [Swiss Post: 5x Kafka Growth](https://www.conduktor.io/customer-stories/how-swiss-post-governs-democratizes-kafka-usage)
- [Virgin Australia Saves 300 Hours/Month](https://www.conduktor.io/customer-stories/virgin-australia-increases-operational-efficiency-and-kafka-adoption-with-conduktor)

## Frequently Asked Questions

**Does Conduktor work with all MSK cluster types?**

Yes. Conduktor connects to MSK Serverless, MSK Provisioned (Standard and Express brokers), and self-managed Kafka on EC2. You can manage all cluster types from a single interface.

**How does Conduktor Gateway work at the protocol level?**

[Conduktor Gateway](https://www.conduktor.io/gateway) speaks the Kafka protocol natively. Applications connect to Conduktor Gateway instead of directly to MSK brokers using the same client libraries, same code, just a different address. Conduktor Gateway intercepts, transforms, and governs traffic without any application code changes.

**How does Conduktor integrate with AWS IAM?**

Conduktor Gateway natively supports the AWS_MSK_IAM SASL mechanism and inherits IAM roles from ECS, EKS, and EC2 through the AWS Default Credentials Provider Chain. No separate credential management required.

**Can Conduktor help with migration to MSK?**

Yes. [Conduktor Gateway](https://www.conduktor.io/gateway) enables zero-downtime migration by sitting between applications and brokers. Switch from one cluster to another with a single command while applications continue running unchanged. This works for migrations from self-managed Kafka or other platforms to MSK.

**Can I use AWS Glue Schema Registry with Conduktor?**

Yes. Conduktor integrates natively with AWS Glue Schema Registry for schema validation, evolution, and compatibility checks across Avro, JSON, and Protobuf data formats.

**Is Conduktor available on AWS Marketplace?**

Yes. Conduktor is available on AWS Marketplace for simplified procurement. Marketplace availability streamlines vendor onboarding and lets you leverage your existing AWS private purchasing agreements.

**How do I deploy Conduktor on AWS?**

Conduktor runs as a Docker container. Deploy [Conduktor Gateway](https://www.conduktor.io/gateway) and [Conduktor Console](https://www.conduktor.io/console) within your VPC on ECS, EKS, Fargate, or EC2 depending on your infrastructure preferences. See [Get Started](https://www.conduktor.io/get-started) for setup guides.

**What does Conduktor Console add beyond CloudWatch monitoring?**

CloudWatch and Prometheus provide infrastructure-level metrics. [Conduktor Console](https://www.conduktor.io/console) adds the operational layer above: which teams own which topics, how resources relate across clusters, self-service provisioning with policy guardrails, approval workflows for cross-team access, and per-team cost attribution. It gives platform teams a single operational layer that scales with the organization.

**How is Conduktor different from Confluent?**

Conduktor is infrastructure-agnostic. It works across MSK, [Confluent](https://www.conduktor.io/partners/confluent), Redpanda, and open-source Kafka. Rather than replacing your Kafka infrastructure, Conduktor adds an enterprise governance layer on top. If you're evaluating MSK as an alternative to Confluent, Conduktor fills the governance gap that MSK wasn't designed to address.

**Can I use Conduktor across multiple Kafka platforms or clouds?**

Yes. Conduktor is designed for multi-cloud and multi-Kafka environments. You can manage MSK alongside Confluent Cloud, Redpanda, Aiven, or self-managed Kafka clusters from a single [Conduktor Console](https://www.conduktor.io/console) instance. [Conduktor Gateway](https://www.conduktor.io/gateway) can front any Kafka-compatible cluster, so your governance policies, encryption rules, and data quality controls apply consistently regardless of which Kafka platform or cloud provider sits underneath. Teams get one consistent interface and one set of policies, even if your infrastructure spans AWS, GCP, and on-prem.

## Running Kafka on AWS?

Whether you're using MSK today or migrating to it, our team can help you design the right governance architecture for your workloads.

[Book a Demo](https://www.conduktor.io/contact/demo) [Download Solution Brief](https://www.conduktor.io/assets/Conduktor-AWS-MSK-Solution-Brief.pdf)