
Scylla Cloud Security Best Practice

There are two separate systems of Scylla Cloud users:

  • Scylla Cloud User - used to log in to cloud.scylladb.com. Can manage clusters (create, delete, scale out) and view monitoring and billing information. Scylla Cloud users act as Scylla database administrators.

  • Scylla Database User - used to log in to a Scylla cluster. Can access the data in the database.

The two systems are separate and isolated from each other. When a Scylla Cloud User creates a cluster, a default Scylla Database User is created as a superuser. As the account administrator, you can request support to add more users.

This Scylla Database super-user can create and manage other Scylla Database roles and users using the CQL API.

Security Recommendations for Scylla Cloud User

Use VPC peering

Secure your data and make sure all traffic between Scylla’s cluster and the application layer is done via a private network and never traverses the public internet. AWS encrypts all data transferred on VPC peering by default. More on VPC Peering

Minimal IP whitelist

When launching a cluster, you are asked to list the IP ranges (CIDR) that will connect to the cluster. Choose the smallest ranges possible, and add ranges only when required.

Bring Your Own Account (BYOA)

When using BYOA, it is recommended to have a dedicated AWS sub-account for Scylla Cloud by using AWS Organizations and following the procedure using this dedicated account. This will give you better control and visibility of Scylla Cloud permissions and actions.

Security Recommendations for Scylla Database User

Role Based Access

Role-Based Access Control (RBAC) is a method of reducing long lists of authorized users to a few roles, each assigned to multiple users. RBAC is sometimes referred to as role-based security. It is recommended to:

  • Set roles per keyspace/table.

  • Use the principle of least privilege per keyspace/table: start by granting no permissions to any role, then grant read access only to the roles that need it, write access only to the roles that need to write, and so on.

  • Prefer more roles, each with fewer permissions, over a few broad roles.
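The recommendations above, worked through in CQL as an added example (this is not code from the ScyllaDB page). The keyspace orders, the table orders.events, the role names and the placeholder passwords are all assumed for illustration; the statements themselves (CREATE ROLE, GRANT, LIST ALL PERMISSIONS, LIST ROLES) are standard CQL and are run as the cluster's default superuser.

```cql
-- Added example (not from the ScyllaDB page): least-privilege roles per keyspace/table.
-- Keyspace 'orders', table 'orders.events', role names and passwords are assumed.
-- Run as the default superuser that is created with the cluster.

-- Non-login roles carry the permissions; login roles (the actual users) only inherit them.
CREATE ROLE IF NOT EXISTS orders_reader WITH LOGIN = false;
CREATE ROLE IF NOT EXISTS orders_writer WITH LOGIN = false;

-- Start from zero: a freshly created role has no permissions on application data.
-- Read access across the whole keyspace for the reader role.
GRANT SELECT ON KEYSPACE orders TO orders_reader;

-- Write access only on the single table the writer actually needs, not the keyspace.
GRANT MODIFY ON TABLE orders.events TO orders_writer;

-- A login user for a reporting service: it can only read.
CREATE ROLE IF NOT EXISTS reporting_svc
  WITH PASSWORD = 'REPLACE_WITH_GENERATED_SECRET' AND LOGIN = true;
GRANT orders_reader TO reporting_svc;

-- A login user for an ingest service: it may write orders.events and read the keyspace.
CREATE ROLE IF NOT EXISTS ingest_svc
  WITH PASSWORD = 'REPLACE_WITH_GENERATED_SECRET' AND LOGIN = true;
GRANT orders_writer TO ingest_svc;
GRANT orders_reader TO ingest_svc;

-- Verification: confirm what each login user can effectively do.
-- No ALTER, DROP, CREATE or AUTHORIZE permission should appear for either service account.
LIST ALL PERMISSIONS OF reporting_svc;
LIST ALL PERMISSIONS OF ingest_svc;
LIST ROLES OF ingest_svc;
```

Keeping the permissions on non-login roles and granting those roles to login users means a new service account never needs a direct GRANT on a table; it is added to a role, and LIST ROLES OF shows at a glance what it inherits.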

Password policy

It is recommended to rotate the Scylla database user passwords, or the users themselves, periodically. One way to do it is to create a new user/password, switch your applications to it, and only then remove the old user or update its password. Take care not to break connectivity with your running apps in the process.
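The create-new, switch, then retire-old sequence above, as an added CQL example that is not part of the ScyllaDB page. The role names (ingest_svc, ingest_svc_v2, orders_reader, orders_writer), the keyspace orders and the placeholder password are assumed for illustration; the statements are run by a role allowed to create and alter roles, such as the cluster's default superuser.

```cql
-- Added example (not from the ScyllaDB page): rotate a service account without breaking
-- running applications. Role names, keyspace 'orders' and the password are assumed.

-- The non-login roles the old account inherits (created here so the example is self-contained).
CREATE ROLE IF NOT EXISTS orders_reader WITH LOGIN = false;
CREATE ROLE IF NOT EXISTS orders_writer WITH LOGIN = false;
GRANT SELECT ON KEYSPACE orders TO orders_reader;
GRANT MODIFY ON TABLE orders.events TO orders_writer;

-- Step 1: create the replacement login role with the same memberships as the old one.
LIST ROLES OF ingest_svc;                  -- record what the old account inherits today
CREATE ROLE IF NOT EXISTS ingest_svc_v2
  WITH PASSWORD = 'REPLACE_WITH_NEW_GENERATED_SECRET' AND LOGIN = true;
GRANT orders_writer TO ingest_svc_v2;
GRANT orders_reader TO ingest_svc_v2;

-- Step 2: compare effective permissions before switching anything; both lists must match.
LIST ALL PERMISSIONS OF ingest_svc;
LIST ALL PERMISSIONS OF ingest_svc_v2;

-- Step 3 (outside CQL): deploy the new credentials to the application and wait until
-- no client session still authenticates as ingest_svc.

-- Step 4: only now retire the old credentials. Either remove the old role entirely ...
DROP ROLE IF EXISTS ingest_svc;
-- ... or, when the role name must be kept, rotate its password in place instead:
-- ALTER ROLE ingest_svc WITH PASSWORD = 'REPLACE_WITH_NEW_GENERATED_SECRET';
```

Dropping the old role (rather than only changing its password) also revokes any direct grants it held, so the comparison in step 2 is the moment to catch a permission the new account is missing, while the old one still works.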

© 2022, ScyllaDB. All rights reserved.
Last updated on 13 May 2022.