Configure restore table IAM permissions for Amazon Keyspaces PITR - Amazon Keyspaces (for Apache Cassandra)

Configure restore table IAM permissions for Amazon Keyspaces PITR

This section summarizes how to configure permissions for an Amazon Identity and Access Management (IAM) principal to restore Amazon Keyspaces tables. The Amazon managed policy AmazonKeyspacesFullAccess already includes the permissions needed to restore Amazon Keyspaces tables. To implement a custom policy with the minimum required permissions, use the requirements outlined below.

To successfully restore a table, the IAM principal needs the following minimum permissions:

  • cassandra:Restore – The restore action is required for the target table to be restored.

  • cassandra:Select – The select action is required to read from the source table.

  • cassandra:TagResource – The tag action is optional, and only required if the restore operation adds tags.

This is an example of a policy that grants minimum required permissions to a user to restore tables in keyspace mykeyspace.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cassandra:Restore",
                "cassandra:Select"
            ],
            "Resource": [
                "arn:aws:cassandra:us-east-1:111122223333:/keyspace/mykeyspace/*",
                "arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"
            ]
        }
    ]
}

Additional permissions to restore a table might be required based on other selected features. For example, if the source table is encrypted at rest with a customer managed key, Amazon Keyspaces must have permissions to access the customer managed key of the source table to successfully restore the table. For more information, see PITR restore of encrypted tables.

If you are using IAM policies with condition keys to restrict incoming traffic to specific sources, you must ensure that Amazon Keyspaces has permission to perform a restore operation on your principal's behalf. You must add an aws:ViaAWSService condition key to your IAM policy if your policy restricts incoming traffic to any of the following:

  • VPC endpoints with aws:SourceVpce

  • IP ranges with aws:SourceIp

  • VPCs with aws:SourceVpc

The aws:ViaAWSService condition key is true when an Amazon service makes a request using the principal's credentials, which is what Amazon Keyspaces does during a restore. A statement that allows access when the key is true therefore lets the restore proceed even though the service's request does not come from the IP range, VPC, or VPC endpoint that your other statements require. For more information, see IAM JSON policy elements: Condition key in the IAM User Guide.

The following is an example of a policy that restricts direct requests to a specific source IP address and, in a second statement, allows Amazon Keyspaces to restore a table on the principal's behalf.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CassandraAccessForCustomIp",
            "Effect": "Allow",
            "Action": "cassandra:*",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:ViaAWSService": "false"
                },
                "ForAnyValue:IpAddress": {
                    "aws:SourceIp": [
                        "123.45.167.89"
                    ]
                }
            }
        },
        {
            "Sid": "CassandraAccessForAwsService",
            "Effect": "Allow",
            "Action": "cassandra:*",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:ViaAWSService": "true"
                }
            }
        }
    ]
}

Note that the second statement grants every cassandra action on every resource to any Amazon service acting with the principal's credentials. If PITR restore is the only service-initiated use you expect, scope that statement to cassandra:Restore and cassandra:Select (and cassandra:TagResource if restores add tags) and to the keyspaces involved, as in the minimum-permissions policy above.
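To see how the two policies on this page behave before deploying them, here is an added example that is not code from the Amazon Keyspaces documentation: a small offline evaluator in Python that implements only the subset of IAM policy evaluation the two policies use (Allow statements, "*" wildcards in Action and Resource, the Bool and IpAddress operators with the ForAnyValue prefix, implicit deny otherwise) and runs the page's policies against constructed request contexts. The table ARNs, the IP addresses 198.51.100.7 and 203.0.113.50, the helper names, and the tightened variant produced by scope_service_statement are all assumptions of this example rather than anything the page states.

```python
"""Offline check of the two IAM policies on this page (added example)."""
import copy
import fnmatch
import ipaddress

ACCOUNT = "arn:aws:cassandra:us-east-1:111122223333"

# The two policies from the page, as Python dicts.
MIN_RESTORE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["cassandra:Restore", "cassandra:Select"],
    "Resource": [ACCOUNT + ":/keyspace/mykeyspace/*", ACCOUNT + ":/keyspace/system*"]}]}
IP_RESTRICTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CassandraAccessForCustomIp", "Effect": "Allow",
     "Action": "cassandra:*", "Resource": "*",
     "Condition": {"Bool": {"aws:ViaAWSService": "false"},
                   "ForAnyValue:IpAddress": {"aws:SourceIp": ["123.45.167.89"]}}},
    {"Sid": "CassandraAccessForAwsService", "Effect": "Allow",
     "Action": "cassandra:*", "Resource": "*",
     "Condition": {"Bool": {"aws:ViaAWSService": "true"}}}]}

# Constructed resource ARNs for the checks below (not real tables).
TARGET = ACCOUNT + ":/keyspace/mykeyspace/table/orders"
OTHER = ACCOUNT + ":/keyspace/otherks/table/orders"
SYSTEM = ACCOUNT + ":/keyspace/system_schema_mcs/table/tables"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob_any(patterns, value, fold_case=False):
    """IAM-style '*'/'?' matching; actions are case-insensitive, ARNs are not."""
    patterns = _as_list(patterns)
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(operator, key, expected, context):
    """One condition (operator, key) against the request context.

    Supports Bool and IpAddress plus the ForAnyValue/ForAllValues set
    prefixes; a key missing from the context fails (no ...IfExists).
    """
    set_prefix, _, base = operator.rpartition(":")
    if key not in context:
        return False
    actual, expected = _as_list(context[key]), _as_list(expected)
    if base == "Bool":
        def test(a, e): return str(a).lower() == str(e).lower()
    elif base == "IpAddress":
        def test(a, e): return ipaddress.ip_address(a) in ipaddress.ip_network(e, strict=False)
    else:
        raise NotImplementedError(operator)
    hits = [any(test(a, e) for e in expected) for a in actual]
    return all(hits) if set_prefix == "ForAllValues" else any(hits)


def is_allowed(policy, action, resource, context):
    """True if an Allow statement matches and no Deny does; else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _glob_any(stmt["Action"], action, fold_case=True):
            continue
        if not _glob_any(stmt["Resource"], resource):
            continue
        conds = stmt.get("Condition", {})
        if not all(_condition_holds(op, k, exp, context)
                   for op, pairs in conds.items() for k, exp in pairs.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def scope_service_statement(policy, actions):
    """Copy of the policy with the aws:ViaAWSService=true statement limited to
    the given actions instead of cassandra:* (a tightening suggested here)."""
    tightened = copy.deepcopy(policy)
    for stmt in tightened["Statement"]:
        if stmt.get("Condition", {}).get("Bool", {}).get("aws:ViaAWSService") == "true":
            stmt["Action"] = list(actions)
    return tightened


def demo():
    """Constructed request contexts; the addresses are documentation ranges."""
    direct = {"aws:SourceIp": "123.45.167.89", "aws:ViaAWSService": "false"}
    elsewhere = {"aws:SourceIp": "198.51.100.7", "aws:ViaAWSService": "false"}
    # Keyspaces calling with the principal's credentials during the restore: the
    # source IP is the service's, so only the ViaAWSService statement can match.
    via_service = {"aws:SourceIp": "203.0.113.50", "aws:ViaAWSService": "true"}
    ip_only = {"Version": "2012-10-17", "Statement": IP_RESTRICTED_POLICY["Statement"][:1]}
    tight = scope_service_statement(IP_RESTRICTED_POLICY, ["cassandra:Restore", "cassandra:Select"])
    p, r = MIN_RESTORE_POLICY, IP_RESTRICTED_POLICY
    return {
        "min_restore_target": is_allowed(p, "cassandra:Restore", TARGET, {}),
        "min_select_system": is_allowed(p, "cassandra:Select", SYSTEM, {}),
        "min_restore_other_keyspace": is_allowed(p, "cassandra:Restore", OTHER, {}),
        "min_tag_target": is_allowed(p, "cassandra:TagResource", TARGET, {}),
        "ip_direct": is_allowed(r, "cassandra:Restore", TARGET, direct),
        "ip_elsewhere": is_allowed(r, "cassandra:Restore", TARGET, elsewhere),
        "ip_via_service": is_allowed(r, "cassandra:Restore", TARGET, via_service),
        "ip_only_via_service": is_allowed(ip_only, "cassandra:Restore", TARGET, via_service),
        "tight_via_service_restore": is_allowed(tight, "cassandra:Restore", TARGET, via_service),
        "tight_via_service_drop": is_allowed(tight, "cassandra:Drop", TARGET, via_service),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28} {'ALLOW' if ok else 'DENY'}")
```

The ip_only_via_service result is the failure mode the page warns about: with only the source-IP statement, the service-initiated part of the restore is implicitly denied, because the request Amazon Keyspaces makes with your credentials does not arrive from your IP address. The tight_via_service_drop result shows why limiting the aws:ViaAWSService statement to the restore actions costs nothing for PITR while withholding the rest of cassandra:* from any service acting as the principal. The evaluator is deliberately minimal; use the IAM policy simulator for anything beyond these two operators.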

For an example policy using the aws:ViaAWSService global condition key, see VPC endpoint policies and Amazon Keyspaces point-in-time recovery (PITR).