ScyllaDB University Live | Free Virtual Training Event
Learn more
ScyllaDB Documentation Logo Documentation
  • Server
  • Cloud
  • Tools
    • ScyllaDB Manager
    • ScyllaDB Monitoring Stack
    • ScyllaDB Operator
  • Drivers
    • CQL Drivers
    • DynamoDB Drivers
  • Resources
    • ScyllaDB University
    • Community Forum
    • Tutorials
Download
ScyllaDB Docs ScyllaDB Cloud ScyllaDB Cloud Security ScyllaDB Cloud Security Best Practices

ScyllaDB Cloud Security Best Practices¶

There are two separate systems of ScyllaDB Cloud users:

  • ScyllaDB Cloud User logs into cloud.scylladb.com. Depending on the assigned role, ScyllaDB Cloud User can manage clusters (create, delete, scale, etc.), access monitoring data, access billing information, and more (see User Roles for details). ScyllaDB Cloud Users act as ScyllaDB Database administrators.

  • ScyllaDB Database User logs in to a ScyllaDB cluster. ScyllaDB Database User can access the data in the DB.

The two systems are separated and isolated from each other. Once a ScyllaDB Cloud User creates a cluster, a default ScyllaDB Database User is created as a superuser. As the account administrator, you can request support to add more users.

This ScyllaDB Database superuser can create and manage other ScyllaDB Database roles and users using the CQL API.

Security Recommendations for ScyllaDB Cloud User¶

Use VPC Peering¶

Secure your data and make sure all traffic between ScyllaDB’s cluster and the application layer is done via a private network and never traverses the public internet. AWS encrypts all data transferred on VPC peering by default. More on VPC Peering.

Minimal IP Whitelist¶

When launching a cluster, you are asked to list the IP ranges (CIDR) which will connect to the cluster. Choose the minimal ranges as possible, and add ranges only when required.

Bring Your Own Account (BYOA)¶

When using BYOA for AWS, it is recommended to have a dedicated AWS sub-account for ScyllaDB Cloud by using AWS Organizations and following the procedure using this dedicated account. This will give you better control and visibility of ScyllaDB Cloud permissions and actions.

Encryption at Rest¶

In ScyllaDB Cloud, your data is encrypted on the storage level by your cloud provider. See Storage-level Encryption . In addition we have database-level encryption at rest. See Database-level Encryption for details.

Security Recommendations for ScyllaDB Database User¶

Role Based Access¶

Role-Based Access Control (RBAC), a method of reducing lists of authorized users to a few roles assigned to multiple users. RBAC is sometimes referred to as role-based security. It is recommended to:

  • Set roles per keyspace/table.

  • Use the principle of least privilege per keyspace/table. Start by granting no permissions to all roles, then grant read access only to roles who need it, write access to roles who need to write, etc. It’s better to have more roles, each with fewer permissions.

Password policy¶

It is recommended to rotate the ScyllaDB database user passwords or user/passwords periodically. One way to do it is to create a new user/password, switch to it, and only then remove or update the old user’s password. Note not to break the connectivity with your running apps in the process.

Was this page helpful?

PREVIOUS
ScyllaDB Cloud Security
NEXT
ScyllaDB Cloud Security Concepts
  • Create an issue

On this page

  • ScyllaDB Cloud Security Best Practices
    • Security Recommendations for ScyllaDB Cloud User
      • Use VPC Peering
      • Minimal IP Whitelist
      • Bring Your Own Account (BYOA)
      • Encryption at Rest
    • Security Recommendations for ScyllaDB Database User
      • Role Based Access
      • Password policy
ScyllaDB Cloud
  • New to ScyllaDB? Start here!
  • Quick Start Guide to ScyllaDB Cloud
  • About ScyllaDB Cloud as a Service
    • Benefits
    • Backups
    • Best Practices
    • Managing ScyllaDB Versions
    • Support, Alerts, and SLA Commitments
    • Costs
  • Deployment
    • Cloud Providers
    • Cluster Types
    • Bring Your Own Account (BYOA) - AWS
    • Bring Your Own Account (BYOA) - GCP
    • Terraform Provider
  • Cluster Connections
    • Configure AWS Transit Gateway (TGW) VPC Attachment Connection
    • Configure Virtual Private Cloud (VPC) Peering with AWS
    • Configure Virtual Private Cloud (VPC) Peering with GCP
    • Migrating Cluster Connection
    • Checking Cluster Availability
    • Glossary for Cluster Connections
  • Access Management
    • SAML Single Sign-On (SSO)
    • User Management
  • Managing Clusters
    • Scaling a Cluster
    • Deleting a Cluster
    • Maintenance Windows
    • Email Notifications
    • Usage
  • Using ScyllaDB
    • Apache Cassandra Query Language (CQL)
    • ScyllaDB Drivers
    • Tracing
    • Role Based Access Control (RBAC)
    • ScyllaDB Integrations
  • Monitoring
    • Monitoring Clusters
    • Extracting Cluster Metrics in Prometheus Format
  • Security
    • Security Best Practices
    • Security Concepts
    • Database-level Encryption
    • Storage-level Encryption
    • Data Privacy and Compliance
  • Free Trial
  • Tutorials
  • API Documentation
    • Create a Personal Token for Authentication
    • Terraform Provider for ScyllaDB Cloud
    • API Reference
    • Error Codes
  • Getting Help
    • ScyllaDB Cloud FAQ
Docs Tutorials University Contact Us About Us
© 2025, ScyllaDB. All rights reserved. | Terms of Service | Privacy Policy | ScyllaDB, and ScyllaDB Cloud, are registered trademarks of ScyllaDB, Inc.
Last updated on 04 Jul 2025.
Powered by Sphinx 7.4.7 & ScyllaDB Theme 1.8.7
Ask AI