Amazon managed policies for Amazon Keyspaces - Amazon Keyspaces (for Apache Cassandra)

Amazon managed policies for Amazon Keyspaces

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Service is launched or new API operations become available for existing services.

For more information, see Amazon managed policies in the IAM User Guide.

Amazon managed policy: AmazonKeyspacesReadOnlyAccess_v2

You can attach the AmazonKeyspacesReadOnlyAccess_v2 policy to your IAM identities.

This policy grants read-only access to Amazon Keyspaces and includes the required permissions when connecting through private VPC endpoints.

Permissions details

This policy includes the following permissions.

  • Amazon Keyspaces – Provides read-only access to Amazon Keyspaces.

  • Application Auto Scaling – Allows principals to view configurations from Application Auto Scaling. This is required so that users can view automatic scaling policies that are attached to a table.

  • CloudWatch – Allows principals to view metric data and alarms configured in CloudWatch. This is required so users can view the billable table size and CloudWatch alarms that have been configured for a table.

  • Amazon KMS – Allows principals to view keys configured in Amazon KMS. This is required so users can view Amazon KMS keys that they create and manage in their account to confirm that the key assigned to Amazon Keyspaces is a symmetric encryption key that is enabled.

  • Amazon EC2 – Allows principals connecting to Amazon Keyspaces through VPC endpoints to query Amazon EC2 for the VPC's endpoint and network interface information. This read-only access to Amazon EC2 is required so that Amazon Keyspaces can look up and store the available interface VPC endpoints in the system.peers table, which is used for connection load balancing.

To review the policy in JSON format, see AmazonKeyspacesReadOnlyAccess_v2.

Amazon managed policy: AmazonKeyspacesReadOnlyAccess

You can attach the AmazonKeyspacesReadOnlyAccess policy to your IAM identities.

This policy grants read-only access to Amazon Keyspaces.

Permissions details

This policy includes the following permissions.

  • Amazon Keyspaces – Provides read-only access to Amazon Keyspaces.

  • Application Auto Scaling – Allows principals to view configurations from Application Auto Scaling. This is required so that users can view automatic scaling policies that are attached to a table.

  • CloudWatch – Allows principals to view metric data and alarms configured in CloudWatch. This is required so users can view the billable table size and CloudWatch alarms that have been configured for a table.

  • Amazon KMS – Allows principals to view keys configured in Amazon KMS. This is required so users can view Amazon KMS keys that they create and manage in their account to confirm that the key assigned to Amazon Keyspaces is a symmetric encryption key that is enabled.

To review the policy in JSON format, see AmazonKeyspacesReadOnlyAccess.

Amazon managed policy: AmazonKeyspacesFullAccess

You can attach the AmazonKeyspacesFullAccess policy to your IAM identities.

This policy grants administrative permissions that allow your administrators unrestricted access to Amazon Keyspaces.

Permissions details

This policy includes the following permissions.

  • Amazon Keyspaces – Allows principals to access any Amazon Keyspaces resource and perform all actions.

  • Application Auto Scaling – Allows principals to create, view, and delete automatic scaling policies for Amazon Keyspaces tables. This is required so that administrators can manage automatic scaling policies for Amazon Keyspaces tables.

  • CloudWatch – Allows principals to see the billable table size as well as create, view, and delete CloudWatch alarms for Amazon Keyspaces automatic scaling policies. This is required so that administrators can view the billable table size and create a CloudWatch dashboard.

  • IAM – Allows Amazon Keyspaces to create service-linked roles with IAM automatically when the following features are turned on:

    • Application Auto Scaling – When an administrator enables Application Auto Scaling for a table, Amazon Keyspaces creates a service-linked role to perform automatic scaling actions on your behalf.

    • Amazon Keyspaces Multi-Region Replication – When an administrator creates a multi-Region keyspace, a service-linked role is automatically created to perform data replication to the selected Amazon Web Services Regions on your behalf.

    For more information about service-linked roles, see Using service-linked roles for Amazon Keyspaces.

  • Amazon KMS – Allows principals to view keys configured in Amazon KMS. This is required so that users can view Amazon KMS keys that they create and manage in their account to confirm that the key assigned to Amazon Keyspaces is a symmetric encryption key that is enabled.

  • Amazon EC2 – Allows principals connecting to Amazon Keyspaces through VPC endpoints to query Amazon EC2 for the VPC's endpoint and network interface information. This read-only access to Amazon EC2 is required so that Amazon Keyspaces can look up and store the available interface VPC endpoints in the system.peers table, which is used for connection load balancing.

To review the policy in JSON format, see AmazonKeyspacesFullAccess.
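The recommendation above to narrow managed policies with customer managed policies is easier to act on with a check you can run offline. The following Python is an added example, not code from this page or any AWS policy text: it compares a constructed broad grant shaped like the full-access description (all Keyspaces actions on all resources) with a constructed customer managed policy scoped to one keyspace plus the EC2 describe calls a VPC endpoint client needs, and flags the wildcard grants. The cassandra: and ec2: action names, the ARN format and the account ID are assumptions.

```python
# Constructed sample shaped like a full-access grant (not the text of any AWS
# managed policy): every Keyspaces action on every resource.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cassandra:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:DescribeKey", "kms:ListAliases"],
     "Resource": "*"},
]}

# Constructed customer managed policy: SELECT on one keyspace plus the system
# keyspaces a driver reads on connect, and the EC2 describe calls used when
# connecting through an interface VPC endpoint. The action names, ARN format
# and account ID 111122223333 are assumptions, not taken from the page.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cassandra:Select", "Resource": [
        "arn:aws:cassandra:us-east-1:111122223333:/keyspace/orders/*",
        "arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcEndpoints"]},
]}

READ_ONLY_ACTIONS = {"cassandra:Select"}  # Keyspaces actions that only read (assumed)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_findings(policy):
    """(statement index, reason) for each Allow that grants access by wildcard
    ('*' or 'service:*' actions, or cassandra actions on Resource '*')."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"action wildcard {action}"))
        # Describe-style calls on other services are left alone: they do not
        # support resource-level ARNs, so Resource '*' is the only option there.
        if (any(a.startswith("cassandra") for a in actions)
                and "*" in _as_list(st.get("Resource", []))):
            findings.append((i, "cassandra actions on Resource *"))
    return findings

def is_read_only(policy):
    """True when every allowed cassandra action is in READ_ONLY_ACTIONS."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action.startswith("cassandra") and action not in READ_ONLY_ACTIONS:
                return False
    return True
```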

Amazon Keyspaces updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon Keyspaces since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Document history for Amazon Keyspaces (for Apache Cassandra) page.

Change: AmazonKeyspacesFullAccess – Update to an existing policy
Date: October 3, 2023
Description: Amazon Keyspaces added new read-only permissions for clients connecting to Amazon Keyspaces through interface VPC endpoints to access Amazon EC2 to look up network information. Amazon Keyspaces stores available interface VPC endpoints in the system.peers table for connection load balancing. For more information, see Using Amazon Keyspaces with interface VPC endpoints.

Change: AmazonKeyspacesReadOnlyAccess_v2 – New policy
Date: September 12, 2023
Description: Amazon Keyspaces created a new policy to add read-only permissions for clients connecting to Amazon Keyspaces through interface VPC endpoints to access Amazon EC2 to look up network information. Amazon Keyspaces stores available interface VPC endpoints in the system.peers table for connection load balancing. For more information, see Using Amazon Keyspaces with interface VPC endpoints.

Change: AmazonKeyspacesFullAccess – Update to an existing policy
Date: June 5, 2023
Description: Amazon Keyspaces added new permissions to allow Amazon Keyspaces to create a service-linked role when an administrator creates a multi-Region keyspace. Amazon Keyspaces uses the service-linked role to perform data replication tasks on your behalf. For more information, see Using roles for Amazon Keyspaces Multi-Region Replication.

Change: AmazonKeyspacesReadOnlyAccess – Update to an existing policy
Date: July 7, 2022
Description: Amazon Keyspaces added new permissions to allow users to view the billable size of a table using CloudWatch. Amazon Keyspaces integrates with Amazon CloudWatch to allow you to monitor the billable table size. For more information, see Amazon Keyspaces metrics and dimensions.

Change: AmazonKeyspacesFullAccess – Update to an existing policy
Date: July 7, 2022
Description: Amazon Keyspaces added new permissions to allow users to view the billable size of a table using CloudWatch. Amazon Keyspaces integrates with Amazon CloudWatch to allow you to monitor the billable table size. For more information, see Amazon Keyspaces metrics and dimensions.

Change: AmazonKeyspacesReadOnlyAccess – Update to an existing policy
Date: June 1, 2021
Description: Amazon Keyspaces added new permissions to allow users to view Amazon KMS keys that have been configured for Amazon Keyspaces encryption at rest. Amazon Keyspaces encryption at rest integrates with Amazon KMS for protecting and managing the encryption keys used to encrypt data at rest. To view the Amazon KMS key configured for Amazon Keyspaces, read-only permissions have been added.

Change: AmazonKeyspacesFullAccess – Update to an existing policy
Date: June 1, 2021
Description: Amazon Keyspaces added new permissions to allow users to view Amazon KMS keys that have been configured for Amazon Keyspaces encryption at rest. Amazon Keyspaces encryption at rest integrates with Amazon KMS for protecting and managing the encryption keys used to encrypt data at rest. To view the Amazon KMS key configured for Amazon Keyspaces, read-only permissions have been added.

Change: Amazon Keyspaces started tracking changes
Date: June 1, 2021
Description: Amazon Keyspaces started tracking changes for its Amazon managed policies.