Step 4: Configure permissions for the VPC endpoint connection - Amazon Keyspaces (for Apache Cassandra)
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 4: Configure permissions for the VPC endpoint connection

The procedures in this step demonstrate how to configure rules and permissions for using the VPC endpoint with Amazon Keyspaces.

To configure an inbound rule for the new endpoint to allow TCP inbound traffic
  1. In the Amazon VPC console, on the left-side panel, choose Endpoints and choose the endpoint you created in the earlier step.

  2. Choose Security groups and then choose the security group associated with this endpoint.

  3. Choose Inbound rules and then choose Edit inbound rules.

  4. Add an inbound rule with Type set to CQLSH / CASSANDRA. This automatically sets the Port range to 9142. For Source, specify the security group or CIDR range of the clients that need to connect (for example, the security group of your Amazon EC2 instance) rather than opening the port to 0.0.0.0/0.

  5. To save the new inbound rule, choose Save rules.

To configure IAM user permissions
  1. Confirm that the IAM user used to connect to Amazon Keyspaces has the appropriate permissions. In Amazon Identity and Access Management (IAM), you can use the Amazon managed policy AmazonKeyspacesReadOnlyAccess to grant the IAM user read access to Amazon Keyspaces.

    1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

    2. On the IAM console dashboard, choose Users, and then choose your IAM user from the list.

    3. On the Summary page, choose Add permissions.

    4. Choose Attach existing policies directly.

    5. From the list of policies, choose AmazonKeyspacesReadOnlyAccess, and then choose Next: Review.

    6. Choose Add permissions.

  2. Verify that you can access Amazon Keyspaces through the VPC endpoint.

    aws keyspaces list-tables --keyspace-name 'my_Keyspace'

    If you want, you can try some other Amazon CLI commands for Amazon Keyspaces. For more information, see the Amazon CLI Command Reference.

    Note

    The minimum permissions required for an IAM user or role to connect to Amazon Keyspaces are read permissions on the system keyspace, as shown in the following policy. The partition, Region and account ID in the Resource ARN must match the endpoint you connect to; in the China Regions the partition is aws-cn rather than aws, and the Region is a China Region such as cn-north-1. For more information about policy-based permissions, see Amazon Keyspaces identity-based policy examples.

    {
      "Version":"2012-10-17",
      "Statement":[
        {
          "Effect":"Allow",
          "Action":[ "cassandra:Select" ],
          "Resource":[ "arn:aws:cassandra:us-east-1:555555555555:/keyspace/system*" ]
        }
      ]
    }
  3. Grant the IAM user read access to the Amazon EC2 instance with the VPC.

    When you use Amazon Keyspaces with VPC endpoints, the IAM user or role that connects to Amazon Keyspaces also needs read-only permissions on the Amazon EC2 API (ec2:DescribeNetworkInterfaces and ec2:DescribeVpcEndpoints) so that Amazon Keyspaces can gather the endpoint and network interface data for your VPC. Amazon Keyspaces stores this information in the system.peers table and uses it to manage connections.

    Note

    The managed policies AmazonKeyspacesReadOnlyAccess_v2 and AmazonKeyspacesFullAccess include the required permissions to let Amazon Keyspaces access the Amazon EC2 instance to read information about available interface VPC endpoints.

    1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

    2. On the IAM console dashboard, choose Policies.

    3. Choose Create policy, and then choose the JSON tab.

    4. Copy the following policy and choose Next: Tags.

      {
        "Version":"2012-10-17",
        "Statement":[
          {
            "Sid":"ListVPCEndpoints",
            "Effect":"Allow",
            "Action":[
              "ec2:DescribeNetworkInterfaces",
              "ec2:DescribeVpcEndpoints"
            ],
            "Resource": "*"
          }
        ]
      }
    5. Choose Next: Review, enter the name keyspacesVPCendpoint for the policy, and choose Create policy.

    6. On the IAM console dashboard, choose Users, and then choose your IAM user from the list.

    7. On the Summary page, choose Add permissions.

    8. Choose Attach existing policies directly.

    9. From the list of policies, choose keyspacesVPCendpoint, and then choose Next: Review.

    10. Choose Add permissions.

  4. To verify that the Amazon Keyspaces system.peers table is being updated with VPC information, run the following query from your Amazon EC2 instance using cqlsh. If you haven't already installed cqlsh on your Amazon EC2 instance in step 2, follow the instructions in Using the cqlsh-expansion to connect to Amazon Keyspaces.

    SELECT peer FROM system.peers;

    The output lists one row per endpoint network interface, with the private IP address that interface has in your VPC subnets; how many rows you see depends on your VPC and subnet setup in your Amazon Region. The addresses below are sample values.

     peer
    ---------------
     112.11.22.123
     112.11.22.124
     112.11.22.125

    Note

    You have to use a cqlsh connection from your Amazon EC2 instance in the VPC to confirm that your VPC endpoint has been configured correctly. If you use your local environment or the Amazon Keyspaces CQL editor in the Amazon Web Services Management Console, the connection automatically goes through the public endpoint instead of your VPC endpoint. If you see nine IP addresses, these are the entries Amazon Keyspaces automatically writes to the system.peers table for public endpoint connections.
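The two policy documents in this step (the minimal system-keyspace read policy and the keyspacesVPCendpoint policy) can be checked together before you attach them. The following Python script is an added example, not Amazon documentation or Amazon Keyspaces code: it evaluates IAM Allow statements with wildcard matching, reports which of the permissions this step requires are not granted, and flags grants that go beyond what a read-only VPC client needs. It handles only Allow statements with Action and Resource (no Deny, NotAction, NotResource or Condition), which is enough for the policies on this page; the account ID 555555555555, the Regions and the partitions are placeholders.

```python
"""Check IAM policy documents for the permissions this step requires.

Added example; not Amazon documentation or Amazon Keyspaces code. It
evaluates only Allow statements with Action/Resource wildcards (no Deny,
NotAction, NotResource or Condition handling), which is enough for the
policy documents on this page. The account ID 555555555555, the Regions
and the partitions are placeholders.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM accepts a single string (or one statement object) or a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _allows(statement, action, resource):
    """True if this Allow statement covers the (action, resource) pair.
    Action names match case-insensitively; '*' and '?' are IAM wildcards."""
    if statement.get("Effect") != "Allow":
        return False
    action_ok = any(fnmatchcase(action.lower(), pat.lower())
                    for pat in _as_list(statement.get("Action")))
    resource_ok = any(fnmatchcase(resource, pat)
                      for pat in _as_list(statement.get("Resource")))
    return action_ok and resource_ok


def required_permissions(partition="aws", region="us-east-1", account="555555555555"):
    """Concrete (action, resource) pairs a principal needs to connect to
    Keyspaces through an interface VPC endpoint: read system.peers, where
    the endpoint addresses are published, plus the two EC2 describe calls
    Keyspaces uses to discover the endpoint's network interfaces."""
    peers = f"arn:{partition}:cassandra:{region}:{account}:/keyspace/system/table/peers"
    return [("cassandra:Select", peers),
            ("ec2:DescribeNetworkInterfaces", "*"),
            ("ec2:DescribeVpcEndpoints", "*")]


def excess_probes(partition="aws", region="us-east-1", account="555555555555"):
    """Pairs a read-only VPC client does not need. A policy that allows any
    of them is broader than the minimal policies on this page."""
    base = f"arn:{partition}:cassandra:{region}:{account}:/keyspace"
    return [("cassandra:Modify", f"{base}/system/table/peers"),
            ("cassandra:Drop", f"{base}/my_keyspace"),
            ("ec2:CreateVpcEndpoint", "*")]


def check_policies(policies, partition="aws", region="us-east-1", account="555555555555"):
    """Return (missing, excess): required pairs that no statement in the
    given policy documents allows, and excess probes that some statement does."""
    statements = [s for doc in policies for s in _as_list(doc.get("Statement"))]
    missing = [pair for pair in required_permissions(partition, region, account)
               if not any(_allows(s, *pair) for s in statements)]
    excess = [pair for pair in excess_probes(partition, region, account)
              if any(_allows(s, *pair) for s in statements)]
    return missing, excess


# The two policy documents from this page, used here as constructed input.
MINIMAL_KEYSPACES_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cassandra:Select"],
        "Resource": ["arn:aws:cassandra:us-east-1:555555555555:/keyspace/system*"],
    }],
}
VPC_ENDPOINT_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ListVPCEndpoints",
        "Effect": "Allow",
        "Action": ["ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcEndpoints"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    both = [MINIMAL_KEYSPACES_READ, VPC_ENDPOINT_READ]
    print("us-east-1:", check_policies(both))
    # Same documents, principal in a China Region: the ARN's partition (aws)
    # and Region (us-east-1) no longer match, so cassandra:Select is missing.
    print("cn-north-1:", check_policies(both, partition="aws-cn", region="cn-north-1"))
```

Running the script shows the policies as written satisfy a us-east-1 principal but leave cassandra:Select missing for a cn-north-1 principal, because the Resource ARN carries the aws partition and the us-east-1 Region; the same check run on a policy that grants cassandra:* on Resource "*" reports cassandra:Modify and cassandra:Drop as excess grants.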
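The note above gives the rule of thumb for reading the system.peers query: addresses inside your VPC mean the session used the VPC endpoint, nine addresses outside it mean the public endpoint. The following Python script is an added example, not Amazon documentation or cqlsh code, that applies that rule to the text cqlsh prints. The cqlsh output and the VPC CIDR 10.0.0.0/16 are constructed for the example, and the 203.0.113.0/24 documentation range stands in for public endpoint addresses.

```python
"""Tell a VPC-endpoint session from a public-endpoint session using the
rows of SELECT peer FROM system.peers.

Added example; not Amazon documentation or cqlsh code. The cqlsh output
and the VPC CIDR are constructed: 10.0.0.0/16 is an assumed VPC range and
203.0.113.0/24 (a documentation range) stands in for public addresses.
"""
import ipaddress


def parse_peers(cqlsh_output):
    """Return the peer addresses from cqlsh's tabular output, skipping the
    column header, the dashed separator, blank lines and the (N rows) footer."""
    peers = []
    for line in cqlsh_output.splitlines():
        token = line.strip()
        if not token or token == "peer" or set(token) == {"-"} or token.startswith("("):
            continue
        peers.append(ipaddress.ip_address(token))
    return peers


def classify_peers(peers, vpc_cidrs):
    """Return (verdict, peers_outside_vpc).

    vpc-endpoint:    every peer is inside one of your VPC CIDRs, i.e. an
                     endpoint network interface in your subnets.
    public-endpoint: no peer is in your VPC and there are nine of them, the
                     entries Keyspaces publishes for public endpoint sessions.
    unexpected:      anything else, e.g. private addresses from a VPC other
                     than the one you checked, or an empty result."""
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    outside = [p for p in peers if not any(p in n for n in nets)]
    if peers and not outside:
        return "vpc-endpoint", outside
    if len(peers) == 9 and len(outside) == 9:
        return "public-endpoint", outside
    return "unexpected", outside


# Constructed cqlsh output from an instance inside a VPC with CIDR 10.0.0.0/16.
VPC_SESSION = """\
 peer
---------------
 10.0.1.17
 10.0.2.41
 10.0.3.88

(3 rows)
"""

# Constructed output of a session that went through the public endpoint.
PUBLIC_SESSION = " peer\n---------------\n" + "".join(
    f" 203.0.113.{i}\n" for i in range(1, 10)) + "\n(9 rows)\n"

if __name__ == "__main__":
    for label, output in (("vpc", VPC_SESSION), ("public", PUBLIC_SESSION)):
        verdict, outside = classify_peers(parse_peers(output), ["10.0.0.0/16"])
        print(label, verdict, [str(p) for p in outside])
```

Pass the CIDR of the VPC that holds the endpoint; if you run the check against the wrong VPC's CIDR, private addresses still come back as "unexpected" rather than being silently accepted, which is the failure mode you want to surface when several VPCs carry Keyspaces endpoints.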