AWS Lambda now supports mutual TLS authentication for Amazon MSK and self managed Kafka as an event source. Customers now have the option to provide a client certificate to establish a trust relationship between AWS Lambda and Amazon MSK or self managed Kafka brokers that are configured as event sources. Lambda will support self-signed server certificates or server certificates signed by a private CA for self-managed Kafka event sources by letting customers provide a root CA certificate which allows our pollers to trust their Kafka brokers. Support for self-signed server certificates is not required for MSK event sources because all MSK brokers use public certificates signed by Amazon Trust Services CAs, which Lambda trusts by default.
Source:: Amazon AWS