

# Infrastructure security in Amazon Keyspaces
<a name="infrastructure-security"></a>

As a managed service, Amazon Keyspaces (for Apache Cassandra) is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in *Security Pillar AWS Well‐Architected Framework*.

You use AWS published API calls to access Amazon Keyspaces through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.
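
As an added example (not code from AWS or the DataStax driver), the following Python builds a client TLS context that enforces both requirements above, checks that it really does, and shows how that context plugs into the DataStax Python driver. The endpoint host and port 9142 are the page's own; the optional CA bundle path, the `ciphers` parameter and the `connect()` wiring with service-specific credentials are assumptions made for this example.

```python
"""Client-side TLS for Amazon Keyspaces: TLS 1.2 minimum, forward-secret
key exchange only, and a check that a context really satisfies both.

Added example, not code from AWS or the DataStax driver. KEYSPACES_HOST and
port 9142 come from the page; the CA bundle path, the `ciphers` parameter
and the `connect()` wiring are assumptions for this example.
"""
import ssl

KEYSPACES_HOST = "cassandra.us-east-1.amazonaws.com"
KEYSPACES_PORT = 9142

# OpenSSL cipher string: ECDHE or DHE key exchange with an AEAD cipher, so
# every TLS 1.2 session has perfect forward secrecy. TLS 1.3 suites always
# use ephemeral (EC)DH and are configured separately by OpenSSL.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20"


def make_keyspaces_ssl_context(ca_bundle=None, ciphers=PFS_CIPHERS):
    """Return an SSLContext that verifies the server and meets the page's rules."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # floor; TLS 1.3 still preferred
    ctx.set_ciphers(ciphers)
    if ca_bundle:                                   # e.g. a downloaded root CA file
        ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx.load_default_certs()                    # system trust store
    return ctx


def forward_secrecy_only(ctx):
    """True when every suite the context can negotiate uses ephemeral (EC)DH.
    TLS 1.3 suites report their key exchange as 'kx-any' but are forward
    secret by construction, so they are accepted on protocol alone."""
    return all(
        c["protocol"] == "TLSv1.3" or c["kea"] in ("kx-ecdhe", "kx-dhe")
        for c in ctx.get_ciphers()
    )


def meets_keyspaces_requirements(ctx):
    """TLS 1.2 floor, certificate and hostname verification, PFS ciphers."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and forward_secrecy_only(ctx)
    )


def connect(username, password, ca_bundle=None):
    """Open a session with the DataStax Python driver using service-specific
    credentials. The import is deferred so the checks above run without the
    driver installed (pip install cassandra-driver)."""
    from cassandra.cluster import Cluster
    from cassandra.auth import PlainTextAuthProvider

    ctx = make_keyspaces_ssl_context(ca_bundle)
    if not meets_keyspaces_requirements(ctx):
        raise RuntimeError("TLS context does not meet Amazon Keyspaces requirements")
    cluster = Cluster(
        [KEYSPACES_HOST],
        port=KEYSPACES_PORT,
        ssl_context=ctx,
        auth_provider=PlainTextAuthProvider(username=username, password=password),
    )
    return cluster.connect()


if __name__ == "__main__":
    print(meets_keyspaces_requirements(make_keyspaces_ssl_context()))   # True
```

Run `forward_secrecy_only()` against whatever context your application actually hands to the driver: a context that still admits a static-RSA suite such as `AES128-GCM-SHA256` fails the check even though it would happily negotiate TLS 1.2.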

Amazon Keyspaces supports two methods of authenticating client requests. The first method uses service-specific credentials, which are password-based credentials generated for a specific IAM user. You can create and manage the password using the IAM console, the AWS CLI, or the AWS API. Because these are long-lived credentials tied to an IAM user, rotate them and protect them like any other password; where your client supports it, the SigV4 method described next lets you use temporary credentials from an IAM role instead. For more information, see [Using IAM with Amazon Keyspaces](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mcs.html).

The second method uses an authentication plugin for the open-source DataStax Java Driver for Cassandra. This plugin enables [IAM users, roles, and federated identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) to add authentication information to Amazon Keyspaces (for Apache Cassandra) API requests using the [AWS Signature Version 4 process (SigV4)](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html). For more information, see [Create and configure AWS credentials for Amazon Keyspaces](access.credentials.md). 

You can call these API operations from any network location, but you can restrict where requests are accepted from. IAM policies for Amazon Keyspaces can include conditions on the source IP address (`aws:SourceIp`), on a specific Amazon Virtual Private Cloud (Amazon VPC) endpoint (`aws:SourceVpce`), or on a specific VPC (`aws:SourceVpc`). Effectively, this limits network access to a given Amazon Keyspaces resource to the specified VPC within the AWS network.

You can use an interface VPC endpoint to keep traffic between your Amazon VPC and Amazon Keyspaces from leaving the Amazon network. Interface VPC endpoints are powered by AWS PrivateLink, an AWS technology that enables private communication between AWS services using an elastic network interface with private IPs in your Amazon VPC. For more information, see [Using Amazon Keyspaces with interface VPC endpoints](vpc-endpoints.md). 

# Using Amazon Keyspaces with interface VPC endpoints
<a name="vpc-endpoints"></a>

Interface VPC endpoints enable private communication between your virtual private cloud (VPC) running in Amazon VPC and Amazon Keyspaces. Interface VPC endpoints are powered by AWS PrivateLink, which is an AWS service that enables private communication between VPCs and AWS services. 

AWS PrivateLink enables this by using an elastic network interface with private IP addresses in your VPC so that network traffic does not leave the Amazon network. Interface VPC endpoints don't require an internet gateway, NAT device, VPN connection, or Direct Connect connection. For more information, see [Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/) and [Interface VPC endpoints (AWS PrivateLink)](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html). 

**Topics**
+ [Using interface VPC endpoints for Amazon Keyspaces](#using-interface-vpc-endpoints)
+ [Populating `system.peers` table entries with interface VPC endpoint information](#system_peers)
+ [Controlling access to interface VPC endpoints for Amazon Keyspaces](#interface-vpc-endpoints-policies)
+ [Availability](#availability)
+ [VPC endpoint policies and Amazon Keyspaces point-in-time recovery (PITR)](#VPC_PITR_restore)
+ [Common errors and warnings](#vpc_troubleshooting)

## Using interface VPC endpoints for Amazon Keyspaces
<a name="using-interface-vpc-endpoints"></a>

You can create an interface VPC endpoint so that traffic between Amazon Keyspaces and your Amazon VPC resources starts flowing through the interface VPC endpoint. To get started, follow the steps to [create an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html#create-interface-endpoint). Next, edit the security group associated with the endpoint that you created in the previous step, and configure an inbound rule for port 9142. For more information, see [Adding, removing, and updating rules](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules).

For a step-by-step tutorial to configure a connection to Amazon Keyspaces through a VPC endpoint, see [Tutorial: Connect to Amazon Keyspaces using an interface VPC endpoint](vpc-endpoints-tutorial.md). To learn how to configure cross-account access for Amazon Keyspaces resources separated from applications in different AWS accounts in a VPC, see [Configure cross-account access to Amazon Keyspaces with VPC endpoints](access.cross-account.md).

## Populating `system.peers` table entries with interface VPC endpoint information
<a name="system_peers"></a>

Apache Cassandra drivers use the `system.peers` table to query for node information about the cluster. Cassandra drivers use the node information to load balance connections and retry operations. Amazon Keyspaces populates nine entries in the `system.peers` table automatically for clients connecting through the public endpoint. 

To provide clients connecting through interface VPC endpoints with similar functionality, Amazon Keyspaces populates the `system.peers` table in your account with an entry for each Availability Zone where a VPC endpoint is available. To look up and store available interface VPC endpoints in the `system.peers` table, Amazon Keyspaces requires that you grant the IAM entity used to connect to Amazon Keyspaces access permissions to query your VPC for the endpoint and network interface information.

**Important**  
Populating the `system.peers` table with your available interface VPC endpoints improves load balancing and increases read/write throughput. It is recommended for all clients accessing Amazon Keyspaces using interface VPC endpoints and is required for Apache Spark.

To grant the IAM entity used to connect to Amazon Keyspaces permissions to look up the necessary interface VPC endpoint information, you can update your existing IAM role or user policy, or create a new IAM policy as shown in the following example.

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"ListVPCEndpoints",
         "Effect":"Allow",
         "Action":[
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeVpcEndpoints"
         ],
         "Resource":"*"
      }
   ]
}
```

**Note**  
The managed policies `AmazonKeyspacesReadOnlyAccess_v2` and `AmazonKeyspacesFullAccess` include the Amazon EC2 permissions that Amazon Keyspaces needs to read information about your available interface VPC endpoints.

To confirm that the policy has been set up correctly, query the `system.peers` table to see networking information. If the `system.peers` table is empty, it could indicate that the policy hasn't been configured successfully or that you have exceeded the request rate quota for `DescribeNetworkInterfaces` and `DescribeVPCEndpoints` API actions. `DescribeVPCEndpoints` falls into the `Describe*` category and is considered a *non-mutating action*. `DescribeNetworkInterfaces` falls into the subset of *unfiltered and unpaginated non-mutating actions*, and different quotas apply. For more information, see [Request token bucket sizes and refill rates](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/throttling.html#throttling-limits-rate-based) in the Amazon EC2 API Reference.

If you do see an empty table, try again a few minutes later to rule out request rate quota issues. To verify that you have configured the VPC endpoints correctly, see [My VPC endpoint connection doesn't work properly](troubleshooting.connecting.md#troubleshooting.connection.vpce). If your query returns results from the table, your policy has been configured correctly.



## Controlling access to interface VPC endpoints for Amazon Keyspaces
<a name="interface-vpc-endpoints-policies"></a>

You can control access to Amazon Keyspaces through interface VPC endpoints in two ways:
+ **IAM policy** – You can control the requests, users, or groups that are allowed to access Amazon Keyspaces through a specific VPC endpoint. You can do this by using a [condition key](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the policy that is attached to an IAM user, group, or role.
+ **VPC policy** – You can control which VPC endpoints have access to your Amazon Keyspaces resources by attaching policies to them. To restrict access to a specific keyspace or table to only allow traffic coming through a specific VPC endpoint, edit the existing IAM policy that restricts resource access and add that VPC endpoint. 



The following are example endpoint policies for accessing Amazon Keyspaces resources.
+ **IAM policy example: Restrict all access to a specific Amazon Keyspaces table unless traffic comes from the specified VPC endpoint** – This sample policy can be attached to an IAM user, role, or group. It restricts access to a specified Amazon Keyspaces table unless incoming traffic originates from a specified VPC endpoint.

  ```
  {
     "Version": "2012-10-17",
     "Statement": [
        {
           "Sid": "UserOrRolePolicyToDenyAccess",
           "Action": "cassandra:*",
           "Effect": "Deny",
           "Resource": [
                          "arn:aws:cassandra:us-east-1:111122223333:/keyspace/mykeyspace/table/mytable",
                          "arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"
             ],
           "Condition": { "StringNotEquals" : { "aws:sourceVpce": "vpce-abc123" } }
        }
     ]
  }
  ```
**Note**  
To restrict access to a specific table, you must also include access to the system tables. System tables are read-only. 
+ **VPC policy example: Read-only access** – This sample policy can be attached to a VPC endpoint. (For more information, see [Controlling access to Amazon VPC resources](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html#vpc-endpoint-policies)). It restricts actions to read-only access to Amazon Keyspaces resources through the VPC endpoint that it's attached to.

  ```
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ReadOnly",
        "Principal": "*",
        "Action": [
          "cassandra:Select"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
  ```
+ **VPC policy example: Restrict access to a specific Amazon Keyspaces table** – This sample policy can be attached to a VPC endpoint. It restricts access to a specific table through the VPC endpoint that it's attached to.

  ```
  {
     "Version": "2012-10-17",
     "Statement": [
          {
              "Sid": "RestrictAccessToTable",
              "Principal": "*",
              "Action": "cassandra:*",
              "Effect": "Allow",
              "Resource": [
                          "arn:aws:cassandra:us-east-1:111122223333:/keyspace/mykeyspace/table/mytable",
                          "arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"
             ]
          }
     ]
  }
  ```
**Note**  
To restrict access to a specific table, you must also include access to the system tables. System tables are read-only. 

## Availability
<a name="availability"></a>

Amazon Keyspaces supports using interface VPC endpoints in all of the AWS Regions where the service is available. For more information, see [Service endpoints for Amazon Keyspaces](programmatic.endpoints.md).

## VPC endpoint policies and Amazon Keyspaces point-in-time recovery (PITR)
<a name="VPC_PITR_restore"></a>

If you are using IAM policies with [condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) to restrict incoming traffic, the table restore operation may fail. For example, if you restrict source traffic to specific VPC endpoints using `aws:SourceVpce` condition keys, the table restore operation fails. To allow Amazon Keyspaces to perform a restore operation on your principal's behalf, you must add an `aws:ViaAWSService` condition key to your IAM policy. The `aws:ViaAWSService` condition key allows access when any AWS service makes a request using the principal's credentials. For more information, see [IAM JSON policy elements: Condition key](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*. The following policy is an example of this. 

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"CassandraAccessForVPCE",
         "Effect":"Allow",
         "Action":"cassandra:*",
         "Resource":"*",
         "Condition":{
            "Bool":{
               "aws:ViaAWSService":"false"
            },
            "StringEquals":{
               "aws:SourceVpce":[
                  "vpce-12345678901234567"
               ]
            }
         }
      },
      {
         "Sid":"CassandraAccessForAwsService",
         "Effect":"Allow",
         "Action":"cassandra:*",
         "Resource":"*",
         "Condition":{
            "Bool":{
               "aws:ViaAWSService":"true"
            }
         }
      }
   ]
}
```
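
To see why the PITR-safe policy above works where a plain `aws:SourceVpce` restriction fails, and why the deny-unless-VPCE identity policy in [Controlling access to interface VPC endpoints for Amazon Keyspaces](#interface-vpc-endpoints-policies) also blocks requests that arrive through the public endpoint, here is an added Python example (not AWS code). It is a small evaluator covering only the policy features those examples use; the table ARN and endpoint IDs are the page's own, while `ALLOW_ALL`, `VPCE_ONLY`, the request contexts and the `cassandra:Restore` action name are constructed for the demonstration.

```python
"""Evaluate the VPC endpoint related IAM policies from this page against
sample request contexts.

Added example, not AWS code. It models only what those policies use:
Allow/Deny, '*' wildcards in Action and Resource, and the StringEquals,
StringNotEquals and Bool operators, including IAM's rule that a negated
operator (StringNotEquals) matches when the key is absent from the request
context, while StringEquals and Bool do not. ALLOW_ALL, VPCE_ONLY and the
request contexts are constructed; the ARNs and endpoint IDs are the page's.
"""
import re

TABLE = "arn:aws:cassandra:us-east-1:111122223333:/keyspace/mykeyspace/table/mytable"
OTHER_TABLE = "arn:aws:cassandra:us-east-1:111122223333:/keyspace/other/table/t"

# Identity policy from the page: deny the table unless the request came in
# through vpce-abc123. A request via the public endpoint carries no aws:SourceVpce.
DENY_UNLESS_VPCE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "UserOrRolePolicyToDenyAccess", "Effect": "Deny", "Action": "cassandra:*",
    "Resource": [TABLE, "arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"],
    "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-abc123"}}}]}

# A broad Allow (constructed) that the Deny above is meant to narrow.
ALLOW_ALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cassandra:*", "Resource": "*"}]}

# VPCE-only Allow without the aws:ViaAWSService split (constructed): breaks PITR.
VPCE_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "cassandra:*", "Resource": "*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-12345678901234567"}}}]}

# The page's PITR-safe policy: VPCE restriction for direct callers, separate
# Allow for requests an AWS service makes with the principal's credentials.
PITR_SAFE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CassandraAccessForVPCE", "Effect": "Allow", "Action": "cassandra:*",
     "Resource": "*", "Condition": {"Bool": {"aws:ViaAWSService": "false"},
                                    "StringEquals": {"aws:SourceVpce": ["vpce-12345678901234567"]}}},
    {"Sid": "CassandraAccessForAwsService", "Effect": "Allow", "Action": "cassandra:*",
     "Resource": "*", "Condition": {"Bool": {"aws:ViaAWSService": "true"}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _condition_matches(condition, ctx):
    """All operator/key pairs must hold; ctx keys are already lower-cased."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            allowed = [str(v) for v in _as_list(expected)]
            if operator == "StringEquals":
                if actual is None or str(actual) not in allowed:
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() not in [a.lower() for a in allowed]:
                    return False
            elif operator == "StringNotEquals":       # missing key => matches
                if actual is not None and str(actual) in allowed:
                    return False
            else:
                raise ValueError("unsupported operator: " + operator)
    return True


def evaluate(policies, action, resource, context):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    ctx = {k.lower(): v for k, v in context.items()}   # condition keys are case-insensitive
    outcome = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_matches(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"      # an explicit deny overrides any allow
            outcome = "Allow"
    return outcome


if __name__ == "__main__":
    public = {}                                      # public endpoint: key absent
    print(evaluate([ALLOW_ALL, DENY_UNLESS_VPCE], "cassandra:Select", TABLE,
                   {"aws:SourceVpce": "vpce-abc123"}))               # Allow
    print(evaluate([ALLOW_ALL, DENY_UNLESS_VPCE], "cassandra:Select", TABLE, public))  # ExplicitDeny
    restore = {"aws:ViaAWSService": "true"}          # Keyspaces acting for the principal
    print(evaluate([VPCE_ONLY], "cassandra:Restore", TABLE, restore))   # ImplicitDeny
    print(evaluate([PITR_SAFE], "cassandra:Restore", TABLE, restore))   # Allow
```

Before relying on a policy, confirm the result with the real evaluator: `aws iam simulate-custom-policy` accepts the same policy JSON and `--context-entries` for `aws:SourceVpce` and `aws:ViaAWSService`; the code here only shows why the results come out the way they do.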

## Common errors and warnings
<a name="vpc_troubleshooting"></a>

**If you're using Amazon Virtual Private Cloud and you connect to Amazon Keyspaces, you might see the following warning.**

```
Control node cassandra.us-east-1.amazonaws.com/1.111.111.111:9142 has an entry for itself in system.peers: this entry will be ignored. This is likely due to a misconfiguration; 
please verify your rpc_address configuration in cassandra.yaml on all nodes in your cluster.
```

This warning occurs because the `system.peers` table contains entries for all of the Amazon VPC endpoints that Amazon Keyspaces has permissions to view, including the Amazon VPC endpoint that you're connected through. You can safely ignore this warning.

For other errors, see [My VPC endpoint connection doesn't work properly](troubleshooting.connecting.md#troubleshooting.connection.vpce).

# Using Amazon Keyspaces CDC streams with interface VPC endpoints
<a name="vpc-endpoints-streams"></a>

Interface VPC endpoints, powered by AWS PrivateLink, enable private communication between your virtual private cloud (VPC) running in Amazon VPC and Amazon Keyspaces CDC streams. AWS PrivateLink uses an elastic network interface with private IP addresses in your VPC, so traffic stays on the Amazon network and needs no internet gateway, NAT device, VPN connection, or Direct Connect connection. For more information, see [Using Amazon Keyspaces with interface VPC endpoints](vpc-endpoints.md), [Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/), and [Interface VPC endpoints (AWS PrivateLink)](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html). 

**Topics**
+ [Using interface VPC endpoints for Amazon Keyspaces CDC streams](#using-interface-vpc-endpoints-streams)
+ [Amazon Keyspaces CDC streams interface VPC endpoints](#interface-vpc-endpoints-streams-types)
+ [Create Amazon Keyspaces CDC streams interface VPC endpoint](#create-interface-vpc-endpoints-streams)
+ [Update an Amazon Keyspaces CDC streams interface VPC endpoint](#update-interface-vpc-endpoints-streams)
+ [List streams using an Amazon Keyspaces CDC streams interface VPC endpoint](#list-interface-vpc-endpoints-streams)
+ [Create a policy for an Amazon Keyspaces CDC streams interface VPC endpoint](#interface-vpc-endpoints-streams-policy)

## Using interface VPC endpoints for Amazon Keyspaces CDC streams
<a name="using-interface-vpc-endpoints-streams"></a>

You can use an interface VPC endpoint so that traffic between Amazon Keyspaces CDC streams and your Amazon VPC resources starts flowing through the interface VPC endpoint. You can use VPC endpoint policies to restrict access to your CDC streams.

For more information about Amazon Keyspaces CDC streams, see [Working with change data capture (CDC) streams in Amazon Keyspaces](cdc.md).

## Amazon Keyspaces CDC streams interface VPC endpoints
<a name="interface-vpc-endpoints-streams-types"></a>

When you create an interface endpoint, Amazon Keyspaces CDC streams generates two types of endpoint-specific DNS names for the stream: *Regional* and *Zonal*.

**Regional**  
The Regional DNS name includes the following information:  
+ a unique Amazon VPC endpoint ID
+ a service identifier
+ the AWS Region
+ the `vpce.amazonaws.com` suffix
For an Amazon VPC endpoint with the ID `vpce-1a2b3c4d`, the generated DNS name looks similar to the following example: `vpce-1a2b3c4d-5e6f.cassandra-streams.us-east-1.vpce.amazonaws.com`.

**Zonal**  
The Zonal DNS name includes the [Availability Zone](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/) in addition to the information in the Regional DNS name. For the Amazon VPC endpoint with the ID `vpce-1a2b3c4d`, the generated DNS name looks like the following example; note that the Availability Zone now follows the endpoint ID: `vpce-1a2b3c4d-5e6f-us-east-1a.cassandra-streams.us-east-1.vpce.amazonaws.com`  
You can use this option if your architecture isolates Availability Zones. For example, you could use it for fault containment or to reduce Regional data transfer costs.  
To achieve optimal reliability, we recommend deploying your service across a minimum of three Availability Zones.
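
As an added example (not AWS code), the following Python parses both DNS name forms described above and picks the name a client should use from a given Availability Zone: the zonal name for that zone when one exists, otherwise the Regional name. The name format follows this page; the three zonal names, the client's zone and the check that every name belongs to the expected endpoint ID are constructed for the demonstration (on EC2 the zone would come from instance metadata).

```python
"""Parse the Regional and Zonal DNS names of a CDC streams interface endpoint
and choose the one to use from a given Availability Zone.

Added example, not AWS code. The name format is the one described on this
page; the zonal names and the client's AZ are constructed for the
demonstration.
"""
import re

# <vpce-id>-<suffix>[-<az>].cassandra-streams.<region>.vpce.amazonaws.com
_NAME = re.compile(
    r"^(?P<vpce>vpce-[0-9a-f]+)-(?P<suffix>[0-9a-f]+)"
    r"(?:-(?P<az>[a-z]{2}(?:-[a-z]+)+-\d[a-z]))?"
    r"\.cassandra-streams\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.vpce\.amazonaws\.com$"
)


def parse_endpoint_dns(name):
    """Split an endpoint DNS name into its parts; reject anything else."""
    m = _NAME.match(name)
    if not m:
        raise ValueError("not a Keyspaces CDC streams endpoint name: " + name)
    parts = m.groupdict()
    if parts["az"] and not parts["az"].startswith(parts["region"]):
        raise ValueError("zone does not belong to the region: " + name)
    parts["kind"] = "zonal" if parts["az"] else "regional"
    return parts


def choose_endpoint_url(dns_names, vpce_id, client_az):
    """Prefer the zonal name for client_az, fall back to the Regional name, and
    refuse names that belong to an endpoint other than the one expected."""
    regional = None
    for name in dns_names:
        p = parse_endpoint_dns(name)
        if p["vpce"] != vpce_id:
            raise ValueError("DNS name belongs to another endpoint: " + name)
        if p["az"] == client_az:
            return "https://" + name
        if p["kind"] == "regional":
            regional = name
    if regional is None:
        raise ValueError("no Regional endpoint name available")
    return "https://" + regional


# Constructed from the page's example endpoint vpce-1a2b3c4d.
DNS_NAMES = [
    "vpce-1a2b3c4d-5e6f.cassandra-streams.us-east-1.vpce.amazonaws.com",
    "vpce-1a2b3c4d-5e6f-us-east-1a.cassandra-streams.us-east-1.vpce.amazonaws.com",
    "vpce-1a2b3c4d-5e6f-us-east-1b.cassandra-streams.us-east-1.vpce.amazonaws.com",
    "vpce-1a2b3c4d-5e6f-us-east-1c.cassandra-streams.us-east-1.vpce.amazonaws.com",
]

if __name__ == "__main__":
    # The result is what you pass as --endpoint-url to `aws keyspacesstreams`.
    print(choose_endpoint_url(DNS_NAMES, "vpce-1a2b3c4d", "us-east-1b"))
```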

## Create Amazon Keyspaces CDC streams interface VPC endpoint
<a name="create-interface-vpc-endpoints-streams"></a>

You can use the AWS CLI or the AWS SDK to access Amazon Keyspaces CDC Streams API operations through Amazon Keyspaces CDC Streams interface endpoints. For a complete listing of all available API operations, see [https://docs.aws.amazon.com/keyspaces/latest/StreamsAPIReference/Welcome.html](https://docs.aws.amazon.com/keyspaces/latest/StreamsAPIReference/Welcome.html).

For more information about how to create VPC endpoints, see [create an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html#create-interface-endpoint) in the Amazon VPC User Guide. 

To create a VPC endpoint, you can use the syntax in the following example.

```
aws ec2 create-vpc-endpoint \
  --region us-east-1 \
  --service-name api.aws.us-east-1.cassandra-streams \
  --vpc-id client-vpc-id \
  --subnet-ids client-subnet-id \
  --vpc-endpoint-type Interface \
  --security-group-ids client-sg-id
```

## Update an Amazon Keyspaces CDC streams interface VPC endpoint
<a name="update-interface-vpc-endpoints-streams"></a>

To update a VPC endpoint, you can use the syntax in the following example.

```
aws ec2 modify-vpc-endpoint \
  --region us-east-1 \
  --vpc-endpoint-id client-vpc-endpoint-id \
  --policy-document file://policy-document.json \
  --add-security-group-ids client-sg-id
```

The `--policy-document` and `--add-security-group-ids` parameters are optional. The `--vpc-endpoint-id` value is the `vpce-` ID returned by `create-vpc-endpoint`, not the ID of the VPC itself.

## List streams using an Amazon Keyspaces CDC streams interface VPC endpoint
<a name="list-interface-vpc-endpoints-streams"></a>

To list streams through a VPC endpoint, point the AWS CLI at the endpoint's DNS name with `--endpoint-url`, as in the following example. Replace the Region and the endpoint DNS name with your own information.

```
aws keyspacesstreams list-streams \
  --endpoint-url https://vpce-1a2b3c4d-5e6f.cassandra-streams.us-east-1.vpce.amazonaws.com \
  --region us-east-1
```

## Create a policy for an Amazon Keyspaces CDC streams interface VPC endpoint
<a name="interface-vpc-endpoints-streams-policy"></a>

You can attach an endpoint policy to your Amazon VPC endpoint that controls access to Amazon Keyspaces CDC streams. The policy specifies the following information:
+ The AWS Identity and Access Management (IAM) principal that can perform actions
+ The actions that can be performed
+ The resources on which actions can be performed

To restrict access through the endpoint to specific Amazon Keyspaces CDC streams, you can use the following example. An endpoint policy doesn't grant permissions on its own: the caller still needs an IAM policy that allows the action, and the effective permissions are the intersection of the two.

The following endpoint policy allows any IAM principal to call `cassandra:GetStream` and `cassandra:GetRecords` only on the stream with the label `2025-02-20T11:22:33.444` of the table `/keyspace/mykeyspace/table/mytable` in account `111122223333`. To use this endpoint policy, replace the Region, account ID, keyspace, table, and stream label with your own.

```
{
"Version": "2012-10-17",		 	 	 
  "Id": "Policy1216114807515",
  "Statement": [
    { "Sid": "Access-to-specific-stream-only",
      "Principal": "*",
      "Action": [
        "cassandra:GetStream",
        "cassandra:GetRecords"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:cassandra:us-east-1:111122223333:/keyspace/mykeyspace/table/mytable/stream/2025-02-20T11:22:33.444"]
    }
  ]
}
```

**Note**  
Amazon Keyspaces doesn't support Gateway endpoints for CDC streams.