There are two separate systems of ScyllaDB Cloud users:
ScyllaDB Cloud User - used to login to cloud.scylladb.com. Can manage clusters (create, delete, scale out), use monitoring, billing information. Scylla Cloud users are acting as Scylla Database administrators.
ScyllaDB Database User - used to login to a ScyllaDB cluster. Can access the data in the DB.
The two systems are separated and isolated from each other. Once a ScyllaDB Cloud User creates a cluster, a default ScyllaDB Database User is created as a superuser. As the account administrator, you can request support to add more users.
This ScyllaDB Database superuser can create and manage other ScyllaDB Database roles and users using the CQL API.
Secure your data and make sure all traffic between ScyllaDB’s cluster and the application layer is done via a private network and never traverses the public internet. AWS encrypts all data transferred on VPC peering by default. More on VPC Peering.
When launching a cluster, you are asked to list the IP ranges (CIDR) which will connect to the cluster. Choose the minimal ranges as possible, and add ranges only when required.
When using BYOA, it is recommended to have a dedicated AWS sub-account for ScyllaDB Cloud by using AWS Organizations and following the procedure using this dedicated account. This will give you better control and visibility of Scylla Cloud permissions and actions.
Role-Based Access Control (RBAC), a method of reducing lists of authorized users to a few roles assigned to multiple users. RBAC is sometimes referred to as role-based security. It is recommended to:
Set roles per keyspace/table.
Use the principle of least privilege per keyspace/table. Start by granting no permissions to all roles, then grant read access only to roles who need it, write access to roles who need to write, etc. It’s better to have more roles, each with fewer permissions.
It is recommended to rotate the ScyllaDB database user passwords or user/passwords periodically. One way to do it is to create a new user/password, switch to it, and only then remove or update the old user’s password. Note not to break the connectivity with your running apps in the process.