
Using Amazon Keyspaces (for Apache Cassandra) with Interface VPC Endpoints

Interface VPC endpoints enable private communication between your virtual private cloud (VPC) running in Amazon VPC and Amazon Keyspaces. Interface VPC endpoints are powered by AWS PrivateLink, which is an AWS service that enables private communication between VPCs and AWS services. AWS PrivateLink enables this by using an elastic network interface with private IPs in your VPC so that network traffic does not leave the Amazon network. Interface VPC endpoints don't require an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. For more information, see Amazon Virtual Private Cloud and Interface VPC Endpoints (AWS PrivateLink).

Using Interface VPC Endpoints for Amazon Keyspaces

You can create an interface VPC endpoint so that traffic between your Amazon VPC resources and Amazon Keyspaces flows through the endpoint instead of over the public service endpoint. To get started, follow the steps to create an interface endpoint. Next, edit the security group associated with the endpoint that you created in the previous step, and add an inbound rule that allows TCP port 9142 (the port Amazon Keyspaces uses for CQL over TLS) from the clients that will connect. Limit the rule's source to those clients' security group or subnets rather than allowing all addresses. For more information, see Adding, Removing, and Updating Rules.
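The procedure above, as an added example that is not part of the original page or of any AWS SDK: the boto3 request parameters for the endpoint and the port 9142 rule, plus a check to run from an instance inside the VPC that the Keyspaces hostname resolves only to addresses in the VPC range, which is what you expect once private DNS is enabled. The service name format com.amazonaws.<region>.cassandra, the VPC, subnet and security group IDs, and the CIDR are assumptions for illustration.

```python
import ipaddress
import socket

# Assumed identifiers for illustration; substitute your own.
REGION = "us-east-1"
VPC_ID = "vpc-0123456789abcdef0"
VPC_CIDR = "10.0.0.0/16"
SUBNET_IDS = ["subnet-0123456789aaaaaaa", "subnet-0123456789bbbbbbb"]
SG_ID = "sg-0123456789abcdef0"
CQL_TLS_PORT = 9142  # Amazon Keyspaces speaks CQL over TLS on 9142


def keyspaces_service_name(region):
    # Assumed service name pattern for the Keyspaces interface endpoint.
    return f"com.amazonaws.{region}.cassandra"


def endpoint_request(vpc_id, region, subnet_ids, sg_id):
    """Parameters for ec2.create_vpc_endpoint() for a Keyspaces interface endpoint."""
    return {
        "VpcId": vpc_id,
        "VpcEndpointType": "Interface",
        "ServiceName": keyspaces_service_name(region),
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": [sg_id],
        # With private DNS, cassandra.<region>.amazonaws.com resolves to the
        # endpoint's ENIs, so drivers need no configuration change.
        "PrivateDnsEnabled": True,
    }


def ingress_rule(source_cidr, port=CQL_TLS_PORT):
    """Inbound rule for the endpoint's security group: TCP 9142 from the given
    source only. Use the VPC CIDR or a client security group, never 0.0.0.0/0."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": source_cidr,
                      "Description": "CQL over TLS to the Amazon Keyspaces endpoint"}],
    }


def create_endpoint(ec2, vpc_id, region, subnet_ids, sg_id, source_cidr):
    """Apply both requests with a boto3 EC2 client; returns the new endpoint ID."""
    resp = ec2.create_vpc_endpoint(**endpoint_request(vpc_id, region, subnet_ids, sg_id))
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=[ingress_rule(source_cidr)])
    return resp["VpcEndpoint"]["VpcEndpointId"]


def addresses_in_cidr(addresses, cidr):
    """True only if there is at least one address and every one lies inside cidr."""
    network = ipaddress.ip_network(cidr)
    addresses = list(addresses)
    return bool(addresses) and all(ipaddress.ip_address(a) in network for a in addresses)


def resolves_privately(hostname, vpc_cidr, port=CQL_TLS_PORT):
    """Run from inside the VPC: if the Keyspaces hostname still resolves to public
    addresses, traffic is bypassing the endpoint (private DNS off, or wrong VPC)."""
    addrs = {info[4][0] for info in socket.getaddrinfo(hostname, port, socket.AF_INET)}
    return addresses_in_cidr(addrs, vpc_cidr)


if __name__ == "__main__":
    import boto3  # imported here so the module loads without boto3 for the offline checks

    ec2 = boto3.client("ec2", region_name=REGION)
    print(create_endpoint(ec2, VPC_ID, REGION, SUBNET_IDS, SG_ID, VPC_CIDR))
    print(resolves_privately(f"cassandra.{REGION}.amazonaws.com", VPC_CIDR))
```

The resolution check is the cheapest way to confirm the endpoint is actually in the path: a driver that connects successfully tells you nothing about whether it went over the public endpoint.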

Controlling Access to Interface VPC Endpoints for Amazon Keyspaces

You can control access through an interface VPC endpoint in two ways:

  • IAM policy – You can control which requests, users, or groups are allowed to access Amazon Keyspaces through a specific VPC endpoint. You do this with the aws:SourceVpce condition key in the policy that is attached to an IAM user, group, or role.

  • VPC endpoint policy – You can control which Amazon Keyspaces resources are reachable through a VPC endpoint by attaching a policy to the endpoint itself. To allow access to a specific keyspace or table only when traffic comes through a specific VPC endpoint, edit the existing IAM policy that restricts resource access and add a condition on that endpoint's ID.

The following are example endpoint policies for accessing Amazon Keyspaces resources.

  • IAM policy example: Deny all access to a specific Amazon Keyspaces table unless traffic comes from the specified VPC endpoint – This sample policy can be attached to an IAM user, role, or group. It denies access to the specified table (and the system tables) unless the request arrives through the specified VPC endpoint. Because it contains only a Deny statement, it grants nothing by itself; it narrows whatever permissions the principal already has.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "UserOrRolePolicyToDenyAccess",
          "Action": "cassandra:*",
          "Effect": "Deny",
          "Resource": [
            "arn:aws:cassandra:us-east-1:111122223333:/keyspace/mykeyspace/table/mytable",
            "arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"
          ],
          "Condition": {
            "StringNotEquals": {
              "aws:SourceVpce": "vpce-abc123"
            }
          }
        }
      ]
    }
    Note

    To restrict access to a specific table, you must also include the system tables, which Cassandra drivers read when they connect. System tables are read-only.

  • VPC endpoint policy example: Read-only access – This sample policy can be attached to a VPC endpoint. (For more information, see Controlling Access to Amazon VPC Resources). It limits requests through the endpoint it's attached to to the cassandra:Select action, so only reads are possible through that endpoint. Identities still need their own IAM permission; the endpoint policy and the identity's policy must both allow a request.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ReadOnly",
          "Principal": "*",
          "Action": [
            "cassandra:Select"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
  • VPC endpoint policy example: Restrict access to a specific Amazon Keyspaces table – This sample policy can be attached to a VPC endpoint. It restricts access through the endpoint that it's attached to to a specific table (plus the system tables); other tables are not reachable through that endpoint regardless of the caller's IAM permissions.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RestrictAccessToTable",
          "Principal": "*",
          "Action": "cassandra:*",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:cassandra:us-east-1:111122223333:/keyspace/mykeyspace/table/mytable",
            "arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"
          ]
        }
      ]
    }
    Note

    To restrict access to a specific table, you must also include the system tables, which Cassandra drivers read when they connect. System tables are read-only.
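
How the identity policy and the endpoint policy above combine, as an added example that is not part of the original page or of any AWS tooling: a small evaluator covering only the policy features the page's documents use (Allow/Deny, action and resource wildcards, StringEquals and StringNotEquals on aws:SourceVpce). It applies the page's Deny policy and table-scoped endpoint policy to constructed requests. The baseline Allow policy, the request context, the other table and the second endpoint ID are assumptions; the point it demonstrates is that StringNotEquals is true when the key is absent, so a request over the public endpoint (which carries no aws:SourceVpce) is denied, while a table the Deny does not name stays reachable from anywhere.

```python
import fnmatch

# Policy documents from the page, plus an assumed baseline grant for the Deny to
# narrow. The request contexts and ARNs below are constructed for illustration.
PREFIX = "arn:aws:cassandra:us-east-1:111122223333:/keyspace/"
MY_TABLE = PREFIX + "mykeyspace/table/mytable"
OTHER_TABLE = PREFIX + "mykeyspace/table/othertable"   # assumed, not named in any policy
SYSTEM_LOCAL = PREFIX + "system/table/local"
ENDPOINT_ID = "vpce-abc123"

BASELINE_ALLOW = {  # assumed: what the principal already holds
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "cassandra:*", "Resource": "*"}],
}
DENY_OFF_ENDPOINT = {  # the page's IAM policy example
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "UserOrRolePolicyToDenyAccess",
        "Effect": "Deny",
        "Action": "cassandra:*",
        "Resource": [MY_TABLE, PREFIX + "system*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": ENDPOINT_ID}},
    }],
}
ENDPOINT_POLICY = {  # the page's table-scoped endpoint policy ("Principal" is not evaluated here)
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RestrictAccessToTable",
        "Principal": "*",
        "Effect": "Allow",
        "Action": "cassandra:*",
        "Resource": [MY_TABLE, PREFIX + "system*"],
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operators are true when the key is absent. A request that
                # reached Keyspaces over the public endpoint has no aws:SourceVpce,
                # so the Deny applies to it.
                if actual == expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policy, action, resource, context):
    """Evaluate one policy document: 'Deny' (explicit), 'Allow', or 'ImplicitDeny'."""
    outcome = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # an explicit Deny wins over any Allow
        outcome = "Allow"
    return outcome


def authorize(action, resource, context, identity_policies, endpoint_policy):
    """Combine identity and endpoint policies: the identity policies must allow
    with no explicit Deny, and if the request came through a VPC endpoint the
    endpoint policy must allow it as well."""
    results = [evaluate(p, action, resource, context) for p in identity_policies]
    if "Deny" in results or "Allow" not in results:
        return False
    if "aws:SourceVpce" not in context:
        return True  # no endpoint in the path, so no endpoint policy applies
    return evaluate(endpoint_policy, action, resource, context) == "Allow"


def scenarios():
    """Constructed requests against the page's policies; returns name -> allowed."""
    via_endpoint = {"aws:SourceVpce": ENDPOINT_ID}
    other_endpoint = {"aws:SourceVpce": "vpce-0ther"}   # assumed second endpoint
    public = {}                                          # no VPC endpoint in the path
    policies = [BASELINE_ALLOW, DENY_OFF_ENDPOINT]
    cases = {
        "mytable via endpoint": (MY_TABLE, via_endpoint),
        "system.local via endpoint": (SYSTEM_LOCAL, via_endpoint),
        "othertable via endpoint": (OTHER_TABLE, via_endpoint),
        "mytable via public endpoint": (MY_TABLE, public),
        "mytable via other endpoint": (MY_TABLE, other_endpoint),
        "othertable via public endpoint": (OTHER_TABLE, public),
    }
    return {name: authorize("cassandra:Select", res, ctx, policies, ENDPOINT_POLICY)
            for name, (res, ctx) in cases.items()}


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The last scenario is the caveat to keep in mind: the Deny only covers the resources it names, so any table not listed in it is still reachable from outside the endpoint. If the goal is "this principal may only talk to Keyspaces through this endpoint", the Deny's Resource should be "*" rather than individual tables.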

Availability

Amazon Keyspaces supports using interface VPC endpoints in all of the Regions where the service is available. For more information, see Service Endpoints for Amazon Keyspaces.