The following describes the Scylla Cloud security mechanisms at a high level.
Scylla Cloud security is built on four principles:
Principle of Least Privilege
Isolation
Auditing
Encryption
The following sections describe how these principles are applied across different aspects of Scylla Cloud. Everything below applies to both BYOA and Scylla Account, unless explicitly stated otherwise.
Control Plane: the Scylla Cloud Backend, a collection of services and servers that manage Scylla Cloud users and the Scylla Cloud application (site), and manage and monitor all the Scylla Database Clusters.
Scylla Cluster: Scylla Enterprise Servers, running either in the Scylla Account or, in the case of BYOA, in the Customer Account.
Each Scylla Cluster runs in a dedicated, isolated environment, including:
Dedicated VPC
Dedicated VMs for Scylla Database
Dedicated VMs for Scylla Monitoring and Scylla Manager servers
The diagrams below describe the topology of a managed Scylla Cloud cluster, in the Scylla Account or the Customer Account (BYOA).
Scylla Cloud on AWS Architecture - Scylla Account
Scylla Cloud on AWS Architecture - BYOA
There is no access from one cluster to another.
Customer data is limited to the Scylla Cluster. The Control Plane does not store, query, or access the Customer Data.
The Control Plane access to Scylla Clusters is limited to:
Monitoring information (metrics)
Operations, such as adding a node, upgrading, etc.
Each cluster manages its own S3 backup bucket per DC (region).
All access points between elements are closed by default. Relevant connections and APIs are explicitly enabled.
Scylla Database users can only access their Scylla DB over CQL or the REST API (Alternator).
Users cannot log in to Scylla nodes, Monitoring, or Manager servers; this is enforced using an IP/port whitelist.
Scylla Monitoring can only access the Scylla DB servers' monitoring and log collection APIs; this is enforced using an IP/port whitelist.
Scylla Manager can only access the Scylla DB servers' Manager Agent API; this is enforced using an IP/port whitelist.
Access to backups, stored on S3 (AWS) and Cloud Storage (GCP), is limited to the Scylla cluster instances.
Scylla Cloud team access to the system is:
Limited to a minimal subset of Scylla Support engineers
Only done via tools / scripts
Audited
The above applies to both Scylla DB Clusters and the Control Plane. In particular, direct access to the Database servers is done as a last resort.
The following channels are encrypted:
Scylla Node to Node in the same region - using AWS VPC Encryption in transit or GCP VPC Encryption in transit
Scylla Node to Node between regions - All data flowing across AWS Regions over the AWS global network is automatically encrypted at the physical layer before it leaves AWS secured facilities. All traffic between AZs is encrypted.
Scylla Client to Node - inside AWS, encrypted by default by AWS (see above). Scylla-managed encryption in transit is optional.
Scylla Cluster uses NVMe to store information. The data on NVMe instance storage is encrypted using an XTS-AES-256 block cipher implemented in a hardware module on the instance. The encryption keys are managed by EC2 and generated using the hardware module and are unique to each NVMe instance storage device.
Scylla Cluster uses SSD to store information. Compute Engine automatically encrypts your data when it is written to local SSD storage space.