Yes, it is possible for services from other AWS accounts, such as Amazon SQS (Simple Queue Service) or Amazon Kinesis, to access Amazon Managed Streaming for Apache Kafka (MSK) located in a different AWS account. This can be achieved by configuring cross-account access using AWS Identity and Access Management (IAM) roles and policies, along with Amazon MSK resource-based policies.
Here’s how you can enable this:
1. Resource-Based Policies for Amazon MSK: Amazon MSK supports resource-based policies that you can attach directly to your MSK cluster. These policies can specify permissions for other AWS accounts, allowing them to access your MSK cluster.
2. IAM Roles for Cross-Account Access: Create IAM roles in the account that owns the MSK cluster and specify permissions that allow actions from the services in the other account. For instance, you might allow actions from Amazon SQS or Kinesis.
3. Trust Relationships: Establish trust relationships between the IAM roles across different accounts. This means setting up the role in the account owning the MSK cluster to trust the account that hosts the accessing services, such as SQS or Kinesis.
4. Security Configuration: Ensure that network connectivity is properly set up between accounts, typically involving VPC peering, AWS Transit Gateway, or using private links. Additionally, configure your MSK cluster’s security settings to allow connections from the required network.
5. Testing and Monitoring: After setting up cross-account access, it's important to test the configurations to ensure that everything works as intended. Monitoring the access and usage of the MSK cluster can also help maintain security and performance.
https://docs.aws.amazon.com/msk/latest/developerguide/mvpc-cross-account-permissions.html
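As an added illustration of steps 1 to 3 above (my own example, not from the answer author or the linked AWS guide), the following script builds the MSK cluster resource-based policy and the cross-account role trust policy as JSON documents and lints them for wildcard principals, actions and resources. The cluster ARN, account IDs and external ID are constructed placeholders; the `kafka:` control-plane actions are the ones the linked cross-account guide covers, and the policy is attached with the MSK `PutClusterPolicy` API (the `aws kafka put-cluster-policy` CLI command), which is assumed here rather than invoked.

```python
import json

# Constructed placeholder values; substitute the real cluster ARN and account IDs.
CLUSTER_ARN = "arn:aws:kafka:us-east-1:111111111111:cluster/example/PLACEHOLDER-UUID"
CONSUMER_ACCOUNT = "222222222222"

# Control-plane actions a consumer account needs to reach the cluster over
# multi-VPC private connectivity (see the MSK cross-account permissions guide).
CROSS_ACCOUNT_ACTIONS = [
    "kafka:CreateVpcConnection",
    "kafka:GetBootstrapBrokers",
    "kafka:DescribeCluster",
    "kafka:DescribeClusterV2",
]


def cluster_policy(cluster_arn, trusted_accounts):
    """Resource-based policy for the MSK cluster (attach via PutClusterPolicy)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCrossAccountVpcConnection",
        "Effect": "Allow",
        # Account-root principals: the consumer account scopes its own roles further.
        "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in trusted_accounts]},
        "Action": CROSS_ACCOUNT_ACTIONS,
        "Resource": cluster_arn,  # one cluster ARN, never "*"
    }]}


def trust_policy(consumer_account, external_id):
    """Trust policy for a role in the cluster-owner account assumed from the consumer account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{consumer_account}:root"},
        "Action": "sts:AssumeRole",
        # ExternalId condition mitigates the confused-deputy problem on cross-account roles.
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def lint(policy):
    """Return findings for statements broader than cross-account access needs."""
    findings = []
    for st in policy["Statement"]:
        p = st.get("Principal", {})
        aws = p.get("AWS", []) if isinstance(p, dict) else p
        if "*" in ([aws] if isinstance(aws, str) else aws):
            findings.append("wildcard principal")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(a.endswith("*") for a in actions):
            findings.append("wildcard action")
        if st.get("Resource") == "*":
            findings.append("wildcard resource")
    return findings


if __name__ == "__main__":
    print(json.dumps(cluster_policy(CLUSTER_ARN, [CONSUMER_ACCOUNT]), indent=2))
```

Write the first document to a file and pass it to `put-cluster-policy`; an empty `lint()` result is the minimum bar before attaching either policy.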
Thank you for the answer.