ScyllaDB Docs ScyllaDB Cloud Deployment Deploy ScyllaDB to Your Own Cloud Account - AWS

Deploy ScyllaDB to Your Own Cloud Account - AWS¶

Available with the Professional plan and above

When you select Amazon Web Services as your cloud provider when creating a cluster, your cluster is deployed by default under the ScyllaDB AWS account. As an alternative, you can deploy the ScyllaDB database into your own AWS account—we refer to it as Bring Your Own Account (BYOA).

When using BYOA for AWS, it is recommended to have a dedicated AWS sub-account for ScyllaDB Cloud by using AWS Organizations and following the procedure using that dedicated account. This will give you better control and visibility of ScyllaDB Cloud permissions and actions.

This article will guide you through the process of integrating your AWS account with ScyllaDB Cloud.

Caution

ScyllaDB Cloud creates resources within your account and assumes exclusive management of those resources.

If you modify any infrastructure components managed by ScyllaDB Cloud, we cannot guarantee that the service will continue to operate as expected. This includes modifications to security groups, permissions associated with the ScyllaDB role, or other restrictions that could disrupt ScyllaDB Cloud’s ability to manage the necessary resources. Such changes may affect our ability to uphold service commitments within your account.

To avoid service disruptions, please consult our support team before making any changes to ScyllaDB-managed resources.

Prerequisites¶

Verify that the recommended limits are set for your AWS account. See:

AWS Account Limits
AWS Credentials

Linking Your AWS Account to ScyllaDB Cloud¶

Before you provision a cluster in your AWS account, you must link that account with ScyllaDB Cloud. You can link multiple AWS accounts with one ScyllaDB Cloud account.

To link your AWS account with ScyllaDB Cloud, you need to run a pre-configured CloudFormation Stack that will provision a user with all necessary permissions.

Note

We recommend that you add one role per each AWS cluster you want to link. This will help you achieve better accountability.

Go to Managed Resources via the drop-down in the top right corner next to your username.
Open the Bring Your Own Account tab.
Click Add Account to open the Add Cloud Account pop-up.
Choose your Amazon Web Services from the Provider drop-down.
Click Launch Stack to open a pre-filled CloudFormation form.
Complete the form and select the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox at the bottom of the page to confirm you understand that CloudFormation might create IAM resources, like roles, users, or policies, and assign custom names to those resources.
Click Create stack at the bottom of the page.
When the stack creation process is completed, return to the ScyllaDB Cloud page. The Launch Stack button will be greyed out.
Click Verify to verify that your AWS account has been set up correctly.
(Optional) While waiting for verification to complete, you can add a custom alias for your account. A user-friendly identifier is helpful if your ScyllaDB account is connected to multiple AWS accounts to clearly identify and manage each account.

Once CloudFormation completes successfully and access is verified, your AWS account is ready to be used for the deployment of ScyllaDB clusters. When you select the Your AWS Account option during cluster creation, the new account will be available in the drop-down (either the alias, if provided, or the Account name will be displayed).

To add another AWS account, repeat the steps above. You can link multiple AWS accounts to one ScyllaDB Cloud account.

Reviewing and Managing Your Accounts¶

To review the list of your accounts linked with ScyllaDB Cloud, go to Managed Resources via the drop-down and open the Bring Your Own Account tab.

It will display the following information:

Alias - A user-friendly name for your account that simplifies referencing and management. To add or update an alias, click the Actions menu for the account and choose Edit Alias.
Account/Project - The name of your AWS account or GCP Project.
ID - The ID of your account in ScyllaDB Cloud (byoa_id). It is required to create a cluster using ScyllaDB Cloud API or Terraform.
Provider - Your cloud provider name.
Date Added - The date when the account was added to ScyllaDB Cloud.
Status - The status of the account in ScyllaDB Cloud:
- Available - The account is added to ScyllaDB Cloud and verified. You can use it when creating a new cluster.
- Pending Action - The account has not been provisioned. You can click Resume to finalize your account.
- In Use - The account is in use by an existing cluster. You can click the Cluster Name link next to the status to view the information about the cluster.
- Deleted - The account has been deleted and cannot be re-used.
Clusters - The list of clusters deployed under this account.
Actions - An actions menu for managing the account. It includes options to delete the account or create an alias for it.

Deleting an Account¶

You can delete an account that is not in use. To delete your account:

Go to Managed Resources via the drop-down and open the Bring Your Own Account tab.
Click the Actions menu for the account you want to delete.
Choose Delete.

This will remove any information associated with that account from ScyllaDB Cloud. Consequently, you won’t be able to use that account to provision new clusters.

Next, you can remove ScyllaDB Cloud resources from your AWS account or GCP project by clicking the Clean Up button displayed for the account you deleted.

AWS Account Limits¶

To ensure that you don’t exceed your AWS account quota, we suggest setting a specific quota for the resources that ScyllaDB Cloud will use. These quotas should be adjusted for each region where you intend to operate. Please note that the recommended limits should be considered in addition to your current resource allocation.

Use AWS Service Quotas to increase the following resources limits:

Service Name	Additional Requested Value	Quota Name
Amazon Virtual Private Cloud (Amazon VPC)	50	VPCs per region
Amazon Virtual Private Cloud (Amazon VPC)	96	Inbound or outbound rules per security group
Amazon Elastic Compute Cloud (Amazon EC2)	20	EC2-VPC Elastic IPs
Amazon Elastic Compute Cloud (Amazon EC2)	1000 (see note)	Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances
Amazon Simple Storage Service (Amazon S3)	50	Buckets
AWS CloudFormation	100	Stack count

Note

You can use this helper script to quickly list relevant quotas for your account.

Note

1000 doesn’t represent the limit for the number of instances, but the limit for vCPUs. Any launched instance of any of the listed instance types (A, C, D, H, I, M, R, T, Z) contributes its vCPU count towards this quota. See more in this AWS blog.

AWS BYOA Role Permissions¶

This section lists the permissions that ScyllaDB Cloud role requires to deploy and manage your clusters in your AWS account.

AWS Identity and Access Management (IAM)

Category	Permision
Roles	iam:GetRole iam:ListAttachedRolePolicies iam:ListAttachedUserPolicies iam:ListGroupsForUser iam:ListRolePolicies iam:GetRolePolicy iam:GetUserPolicy iam:ListUserPolicies iam:GetLoginProfile iam:ListEntitiesForPolicy iam:CreateRole iam:DeleteRole iam:TagRole iam:PassRole iam:ListRoles iam:ListRoleTags
Policies	iam:GetPolicy iam:GetPolicyVersion iam:AttachRolePolicy iam:DetachRolePolicy iam:ListAttachedRolePolicies iam:SetDefaultPolicyVersion iam:DeletePolicyVersion iam:ListPolicyVersions iam:DeletePolicy iam:CreatePolicyVersion iam:CreatePolicy iam:TagPolicy
Instance Profiles	iam:CreateInstanceProfile iam:GetInstanceProfile iam:DeleteInstanceProfile iam:RemoveRoleFromInstanceProfile iam:AddRoleToInstanceProfile iam:TagInstanceProfile iam:AssociateIamInstanceProfile iam:DisassociateIamInstanceProfile iam:ListInstanceProfiles

Amazon Elastic Compute Cloud (EC2)

Category	Permision
Instances	ec2:RunInstances ec2:TerminateInstances ec2:StartInstances ec2:StopInstances ec2:RebootInstances ec2:GetConsoleOutput ec2:ModifyInstanceAttribute ec2:AssociateIamInstanceProfile ec2:DisassociateIamInstanceProfile ec2:CreatePlacementGroup ec2:DeletePlacementGroup ec2:Describe*
Networking	ec2:CreateNetworkInterface ec2:DeleteNetworkInterface ec2:ModifyNetworkInterfaceAttribute ec2:AttachNetworkInterface ec2:DetachNetworkInterface
Storage	ec2:CreateVolume ec2:ModifyVolume ec2:AttachVolume ec2:DetachVolume ec2:DeleteVolume
Security Groups	ec2:CreateSecurityGroup ec2:AuthorizeSecurityGroupIngress ec2:AuthorizeSecurityGroupEgress ec2:RevokeSecurityGroupIngress ec2:RevokeSecurityGroupEgress ec2:DeleteSecurityGroup
Key Pairs	ec2:CreateKeyPair ec2:ImportKeyPair ec2:DeleteKeyPair
VPC	ec2:CreateVpc ec2:DeleteVpc ec2:ModifyVpcAttribute ec2:CreateVpcPeeringConnection ec2:AcceptVpcPeeringConnection ec2:DeleteVpcPeeringConnection ec2:AssociateRouteTable ec2:CreateInternetGateway ec2:AttachInternetGateway ec2:DetachInternetGateway ec2:DeleteInternetGateway ec2:CreateRoute ec2:DeleteRoute ec2:ReplaceRoute ec2:CreateRouteTable ec2:DeleteRouteTable ec2:DisassociateRouteTable ec2:CreateSubnet ec2:DeleteSubnet ec2:ModifySubnetAttribute ec2:CreateVpcEndpoint ec2:DeleteVpcEndpoints ec2:CreateTransitGatewayVpcAttachment ec2:DeleteTransitGatewayVpcAttachment ec2:DescribeTransitGatewayVpcAttachments ec2:DescribeTransitGateways
Elastic IP	ec2:AllocateAddress ec2:AssociateAddress ec2:DisassociateAddress ec2:ReleaseAddress
Tags	ec2:CreateTags ec2:DeleteTags

Amazon Simple Storage Service (S3)

Category	Permision
Buckets	s3:CreateBucket s3:DeleteBucket s3:ListBucket s3:PutBucketTagging
Objects	s3:GetObject s3:GetObjectVersion s3:PutObject s3:DeleteObject

AWS CloudFormation

Category	Permision
Stacks	cloudformation:CreateStack cloudformation:DeleteStack cloudformation:Describe* cloudformation:DetectStackDrift cloudformation:DetectStackResourceDrift cloudformation:GetStackPolicy cloudformation:SetStackPolicy cloudformation:ListStackResources cloudformation:CreateChangeSet cloudformation:UpdateTerminationProtection cloudformation:ValidateTemplate

AWS Lambda

Category	Permision
Functions	lambda:GetFunction

AWS Security Token Service (STS)

Category	Permision
Security	sts:AssumeRole sts:DecodeAuthorizationMessage

Service Quotas

Category	Permision
Limits	servicequotas:ListServiceQuotas servicequotas:GetServiceQuota servicequotas:GetAWSDefaultServiceQuota

Amazon CloudWatch

Category	Permision
Logs	logs:CreateLogGroup logs:CreateLogStream logs:PutLogEvents

AWS Resource Access Manager (AWS RAM)

Category	Permision
Resource Shares	ram:ListResources ram:GetResourceShares ram:GetResourceShareInvitations ram:AcceptResourceShareInvitation

Was this page helpful?