ScyllaDB Docs ScyllaDB Cloud Deployment Deploy ScyllaDB to Your Own Cloud Account - AWS

Deploy ScyllaDB to Your Own Cloud Account - AWS¶

Available with the Professional plan and above

When you select Amazon Web Services as your cloud provider when creating a cluster, your cluster is deployed by default under the ScyllaDB AWS account. As an alternative, you can deploy the ScyllaDB database into your own AWS account—we refer to it as Bring Your Own Account (BYOA).

When using BYOA for AWS, it is recommended to have a dedicated AWS sub-account for ScyllaDB Cloud by using AWS Organizations and following the procedure using that dedicated account. This will give you better control and visibility of ScyllaDB Cloud permissions and actions.

This article will guide you through the process of integrating your AWS account with ScyllaDB Cloud.

Caution

ScyllaDB Cloud creates resources within your account and assumes exclusive management of those resources.

If you modify any infrastructure components managed by ScyllaDB Cloud, we cannot guarantee that the service will continue to operate as expected. This includes modifications to security groups, permissions associated with the ScyllaDB role, or other restrictions that could disrupt ScyllaDB Cloud’s ability to manage the necessary resources. Such changes may affect our ability to uphold service commitments within your account.

To avoid service disruptions, please consult our support team before making any changes to ScyllaDB-managed resources.

Prerequisites¶

Verify that the recommended limits are set for your AWS account. See:

AWS Account Limits
AWS Credentials

Linking Your AWS Account to ScyllaDB Cloud¶

Before you provision a cluster in your AWS account, you must link that account with ScyllaDB Cloud.

To link your AWS account with ScyllaDB Cloud, you need to run a pre-configured CloudFormation Stack that will provision a user with all necessary permissions.

Note

We recommend that you add one role per each AWS cluster you want to link. This will help you achieve better accountability.

Go to Managed Resources via the drop-down in the top right corner next to your username.
Open the Bring Your Own Account tab.
Click Add Account to open the Add Cloud Account pop-up.
Choose your Amazon Web Services from the Provider drop-down.
Click Launch Stack to open a pre-filled CloudFormation form.
Complete the form and select the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox at the bottom of the page to confirm you understand that CloudFormation might create IAM resources, like roles, users, or policies, and assign custom names to those resources.
Click Create stack at the bottom of the page.
When the stack creation proces is completed, return to the ScyllaDB Cloud page. The Launch Stack button will be greyed out.
Click Verify to verify that your AWS account has been set up correctly.

Once verified successfully, your AWS account is ready to be used for the deployment of ScyllaDB clusters. When you select the Your AWS Account option during cluster creation, the new account will be displayed in the drop-down.

Reviewing and Managing Your Accounts¶

To review the list of your accounts linked with ScyllaDB Cloud, go to Managed Resources via the drop-down and open the Bring Your Own Account tab.

It will display the following information:

Account Name - The name of your account.
Provider - Your cloud provider name.
Date Added - The date when the account was added to ScyllaDB Cloud.
Status - The status of the account in ScyllaDB Cloud:
- Available - The account is added to ScyllaDB Cloud and verified. You can use it when creating a new cluster.
- Pending Action - The account has not been provisioned. You can click Resume to finalize your account.
- In Use - The account is in use by an existing cluster. You can click the Cluster Name link next to the status to view the information about the cluster.
- Deleted - The account has been deleted and cannot be re-used.

You can use the trash icon to delete any account that is not in use.

AWS Account Limits¶

To ensure that you don’t exceed your AWS account quota, we suggest setting a specific quota for the resources that ScyllaDB Cloud will use. These quotas should be adjusted for each region where you intend to operate. Please note that the recommended limits should be considered in addition to your current resource allocation.

Use AWS Service Quotas to increase the following resources limits:

Service Name	Additional Requested Value	Quota Name
Amazon Virtual Private Cloud (Amazon VPC)	50	VPCs per region
Amazon Virtual Private Cloud (Amazon VPC)	96	Inbound or outbound rules per security group
Amazon Elastic Compute Cloud (Amazon EC2)	20	EC2-VPC Elastic IPs
Amazon Elastic Compute Cloud (Amazon EC2)	1000 (see note)	Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances
Amazon Simple Storage Service (Amazon S3)	50	Buckets
AWS CloudFormation	100	Stack count

Note

You can use this helper script to quickly list relevant quotas for your account.

Note

1000 doesn’t represent the limit for the number of instances, but the limit for vCPUs. Any launched instance of any of the listed instance types (A, C, D, H, I, M, R, T, Z) contributes its vCPU count towards this quota. See more in this AWS blog.

AWS BYOA Role Permissions¶

This section lists the permissions that ScyllaDB Cloud role requires to deploy and manage your clusters in your AWS account.

AWS Identity and Access Management (IAM)

Category	Permision
Roles	iam:GetRole iam:ListAttachedRolePolicies iam:ListAttachedUserPolicies iam:ListGroupsForUser iam:ListRolePolicies iam:GetRolePolicy iam:GetUserPolicy iam:ListUserPolicies iam:GetLoginProfile iam:ListEntitiesForPolicy iam:CreateRole iam:DeleteRole iam:TagRole iam:PassRole
Policies	iam:GetPolicy iam:GetPolicyVersion iam:ListAttachedRolePolicies iam:SetDefaultPolicyVersion iam:DeletePolicyVersion iam:DeletePolicy iam:CreatePolicyVersion iam:CreatePolicy iam:TagPolicy
Instance Profiles	iam:CreateInstanceProfile iam:GetInstanceProfile iam:DeleteInstanceProfile iam:RemoveRoleFromInstanceProfile iam:AddRoleToInstanceProfile iam:TagInstanceProfile

Amazon Elastic Compute Cloud (EC2)

Category	Permision
Instances	ec2:RunInstances ec2:TerminateInstance ec2:StartInstances ec2:StopInstances ec2:RebootInstances ec2:GetConsoleOutput ec2:ModifyInstanceAttribute ec2:AssociateIamInstanceProfile ec2:DisassociateIamInstanceProfile
Networking	ec2:CreateNetworkInterface ec2:DeleteNetworkInterface ec2:ModifyNetworkInterfaceAttribute ec2:AttachNetworkInterface ec2:DetachNetworkInterface
Storage	ec2:CreateVolume ec2:ModifyVolume ec2:AttachVolume ec2:DetachVolume ec2:DeleteVolume
Security Groups	ec2:CreateSecurityGroup ec2:AuthorizeSecurityGroupIngress ec2:AuthorizeSecurityGroupEgress ec2:RevokeSecurityGroupIngress ec2:RevokeSecurityGroupEgress ec2:DeleteSecurityGroup
VPC	ec2:CreateVpc ec2:DeleteVpc ec2:ModifyVpcAttribute ec2:CreateVpcPeeringConnection ec2:AcceptVpcPeeringConnection ec2:DeleteVpcPeeringConnection
Elastic IP	ec2:AllocateAddress ec2:AssociateAddress ec2:DisassociateAddress ec2:ReleaseAddress
Tags	ec2:CreateTags ec2:DeleteTags

Amazon Simple Storage Service (S3)

Category	Permision
Buckets	s3:CreateBucket s3:DeleteBucket s3:ListBucke s3:PutBucketTagging
Objects	s3:GetObjectt s3:GetObjectVersion s3:PutObject s3:DeleteObject

AWS CloudFormation