AWS managed policies for Amazon Keyspaces - Amazon Keyspaces (for Apache Cassandra)

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess AWS managed policy provides read-only access to many AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWS managed policy: AmazonKeyspacesReadOnlyAccess

You can attach the AmazonKeyspacesReadOnlyAccess policy to your IAM identities.

This policy grants read-only access to Amazon Keyspaces.

Permissions details

This policy includes the following permissions.

  • Amazon Keyspaces – Provides read-only access to Amazon Keyspaces.

  • Application Auto Scaling – Allows principals to view configurations from Application Auto Scaling. This is required so that users can view automatic scaling policies that are attached to a table.

  • CloudWatch – Allows principals to view alarms configured in CloudWatch. This is required so users can view CloudWatch alarms that have been configured for a table.

  • AWS KMS – Allows principals to view keys configured in AWS KMS. This is required so users can view AWS KMS keys that they create and manage in their account to confirm that the key assigned to Amazon Keyspaces is a symmetric key that is enabled.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cassandra:Select"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:DescribeScheduledActions",
                "cloudwatch:DescribeAlarms",
                "kms:DescribeKey",
                "kms:ListAliases"
            ],
            "Resource": "*"
        }
    ]
}

AWS managed policy: AmazonKeyspacesFullAccess

You can attach the AmazonKeyspacesFullAccess policy to your IAM identities.

This policy grants administrative permissions that allow your administrators unrestricted access to Amazon Keyspaces.

Permissions details

This policy includes the following permissions.

  • Amazon Keyspaces – Allows principals to access any Amazon Keyspaces resource and perform all actions.

  • Application Auto Scaling – Allows principals to create, view, and delete automatic scaling policies for Amazon Keyspaces tables. This is required so that administrators can manage automatic scaling policies for Amazon Keyspaces tables.

  • CloudWatch – Allows principals to create, view, and delete CloudWatch alarms for Amazon Keyspaces automatic scaling policies. This is required so that administrators can create a CloudWatch dashboard.

  • IAM – Allows Amazon Keyspaces to create a service-linked role with IAM automatically when an administrator enables Application Auto Scaling for a table. This is required so that Amazon Keyspaces can perform automatic scaling actions on your behalf.

  • AWS KMS – Allows principals to view keys configured in AWS KMS. This is required so that users can view AWS KMS keys that they create and manage in their account to confirm that the key assigned to Amazon Keyspaces is a symmetric key that is enabled.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cassandra:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:DeleteScalingPolicy",
                "application-autoscaling:DeleteScheduledAction",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:DescribeScheduledActions",
                "application-autoscaling:PutScheduledAction",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:RegisterScalableTarget",
                "kms:DescribeKey",
                "kms:ListAliases"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/cassandra.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_CassandraTable",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "cassandra.application-autoscaling.amazonaws.com"
                }
            }
        }
    ]
}

Amazon Keyspaces updates to AWS managed policies

View details about updates to AWS managed policies for Amazon Keyspaces since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Document history for Amazon Keyspaces (for Apache Cassandra) page.

| Change | Description | Date |
|---|---|---|
| AmazonKeyspacesReadOnlyAccess – Update to an existing policy | Amazon Keyspaces added new permissions to allow users to view AWS KMS keys that have been configured for Amazon Keyspaces encryption at rest. Amazon Keyspaces encryption at rest integrates with AWS KMS for protecting and managing the encryption keys used to encrypt data at rest. To view the AWS KMS key configured for Amazon Keyspaces, read-only permissions have been added. | 06/01/2021 |
| AmazonKeyspacesFullAccess – Update to an existing policy | Amazon Keyspaces added new permissions to allow users to view AWS KMS keys that have been configured for Amazon Keyspaces encryption at rest. Amazon Keyspaces encryption at rest integrates with AWS KMS for protecting and managing the encryption keys used to encrypt data at rest. To view the AWS KMS key configured for Amazon Keyspaces, read-only permissions have been added. | 06/01/2021 |
| Amazon Keyspaces started tracking changes | Amazon Keyspaces started tracking changes for its AWS managed policies. | June 1, 2021 |
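
Because a managed policy update applies to every identity the policy is attached to, it is worth reviewing what each update newly grants. The following added example (not part of the AWS documentation) compares two versions of a policy document and lists the grants that the earlier version did not already cover, including through wildcards. The function names are hypothetical, and the baseline document is constructed for illustration by removing the AWS KMS actions from the AmazonKeyspacesReadOnlyAccess policy shown on this page.

```python
import copy
import json
from fnmatch import fnmatchcase

def _as_list(value):
    # IAM accepts a bare string or object wherever a list is also valid.
    return value if isinstance(value, list) else [value]

def grants(policy):
    """Flatten Allow statements into (action, resource, condition) tuples."""
    out = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements are not compared here
        cond = json.dumps(stmt.get("Condition", {}), sort_keys=True)
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt.get("Resource", "*")):
                out.add((action, resource, cond))
    return out

def _covers(old, new):
    # Action names are case-insensitive; "*" and "?" are IAM wildcards.
    # A grant only covers another if its Condition block is identical.
    return (fnmatchcase(new[0].lower(), old[0].lower())
            and fnmatchcase(new[1], old[1]) and old[2] == new[2])

def added_permissions(baseline, current):
    """Grants in `current` that no grant in `baseline` already covers."""
    old = grants(baseline)
    return sorted(g[:2] for g in grants(current)
                  if not any(_covers(o, g) for o in old))

# AmazonKeyspacesReadOnlyAccess as shown on this page.
CURRENT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cassandra:Select"], "Resource": "*"},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "cloudwatch:DescribeAlarms", "kms:DescribeKey", "kms:ListAliases"]}]}

# Constructed baseline (assumption): the same document without kms actions.
BASELINE = copy.deepcopy(CURRENT)
BASELINE["Statement"][1]["Action"] = [
    a for a in CURRENT["Statement"][1]["Action"] if not a.startswith("kms:")]

if __name__ == "__main__":
    for action, resource in added_permissions(BASELINE, CURRENT):
        print(f"NEW GRANT: {action} on {resource}")
```

In an account, the two documents would be successive versions of the managed policy retrieved from IAM (for example with `aws iam get-policy-version`), stored alongside the date they were reviewed.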