Step 4: Configure permissions for the VPC endpoint connection
The procedures in this step demonstrate how to configure rules and permissions for using the VPC endpoint with Amazon Keyspaces.
To configure an inbound rule for the new endpoint to allow TCP inbound traffic

1. In the Amazon VPC console, on the left-side panel, choose Endpoints and choose the endpoint you created in the earlier step.
2. Choose Security groups and then choose the security group associated with this endpoint.
3. Choose Inbound rules and then choose Edit inbound rules.
4. Add an inbound rule with Type CQLSH / CASSANDRA. This automatically sets the Port range to 9142. For Source, choose the security group of the Amazon EC2 instance that will connect through the endpoint (or a specific CIDR block of your VPC) rather than 0.0.0.0/0, so that only your own resources can open CQL connections to the endpoint's network interfaces.
5. To save the new inbound rule, choose Save rules.
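As an added check (example code, not part of the Amazon Keyspaces documentation), the following Python function audits a security group in the shape returned by `aws ec2 describe-security-groups` and reports which sources can reach the CQL port 9142: security-group sources, specific CIDRs, or the catch-all 0.0.0.0/0 and ::/0. The group IDs and CIDRs in the two samples are constructed; the first sample is the rule the procedure above produces with the instance's security group as Source, the second is the same rule with Source left at "Anywhere".

```python
"""Audit an Amazon EC2 security group for how it exposes the Amazon Keyspaces
CQL port (9142). Added example, not part of the Amazon Keyspaces documentation.
The input mirrors the shape of `aws ec2 describe-security-groups` output; the
group IDs and CIDRs below are constructed for illustration."""

CQL_PORT = 9142
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _covers_port(perm, port):
    """True if one IpPermissions entry allows TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def cql_port_exposure(security_group):
    """Classify every inbound source that can reach port 9142.

    Returns a dict with:
      'world'  - 0.0.0.0/0 or ::/0, i.e. anything that can route to the
                 endpoint's network interfaces (peered VPCs, VPN, Direct Connect)
      'cidrs'  - other CIDR sources (IPv4 and IPv6)
      'groups' - security-group sources (the least-privilege choice)
    """
    result = {"world": [], "cidrs": [], "groups": []}
    for perm in security_group.get("IpPermissions", []):
        if not _covers_port(perm, CQL_PORT):
            continue
        for r in perm.get("IpRanges", []):
            cidr = r["CidrIp"]
            (result["world"] if cidr in WORLD_CIDRS else result["cidrs"]).append(cidr)
        for r in perm.get("Ipv6Ranges", []):
            cidr = r["CidrIpv6"]
            (result["world"] if cidr in WORLD_CIDRS else result["cidrs"]).append(cidr)
        for pair in perm.get("UserIdGroupPairs", []):
            result["groups"].append(pair["GroupId"])
    return result


def is_least_privilege(security_group):
    """Acceptable when port 9142 is reachable only from security groups or
    specific CIDRs, and never from 0.0.0.0/0 or ::/0."""
    exposure = cql_port_exposure(security_group)
    return not exposure["world"] and bool(exposure["groups"] or exposure["cidrs"])


# Constructed sample: the CQLSH / CASSANDRA rule with Source set to the
# EC2 instance's security group (hypothetical group IDs).
ENDPOINT_SG_OK = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9142, "ToPort": 9142,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]}
    ],
}

# Constructed sample: the same rule with Source left at "Anywhere".
ENDPOINT_SG_OPEN = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9142, "ToPort": 9142,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []}
    ],
}

if __name__ == "__main__":
    for sg in (ENDPOINT_SG_OK, ENDPOINT_SG_OPEN):
        verdict = "ok" if is_least_privilege(sg) else "OPEN"
        print(sg["GroupId"], cql_port_exposure(sg), verdict)
```

To run it against a real group, load the `SecurityGroups` entries from `aws ec2 describe-security-groups --group-ids <id>` with `json.load` and pass each one to `cql_port_exposure`.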
To configure IAM user permissions

1. Confirm that the IAM user used to connect to Amazon Keyspaces has the appropriate permissions. In Amazon Identity and Access Management (IAM), you can use the Amazon managed policy AmazonKeyspacesReadOnlyAccess to grant the IAM user read access to Amazon Keyspaces.
   a. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
   b. On the IAM console dashboard, choose Users, and then choose your IAM user from the list.
   c. On the Summary page, choose Add permissions.
   d. Choose Attach existing policies directly.
   e. From the list of policies, choose AmazonKeyspacesReadOnlyAccess, and then choose Next: Review.
   f. Choose Add permissions.
2. Verify that you can access Amazon Keyspaces through the VPC endpoint. Replace my_Keyspace with the name of one of your keyspaces:

   aws keyspaces list-tables --keyspace-name 'my_Keyspace'

   If you want, you can try some other Amazon CLI commands for Amazon Keyspaces. For more information, see the Amazon CLI Command Reference.
   Note
   The minimum permissions required for an IAM user or role to access Amazon Keyspaces are read (cassandra:Select) permissions on the system keyspaces, as shown in the following policy. For more information about policy-based permissions, see Amazon Keyspaces identity-based policy examples.

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "cassandra:Select"
         ],
         "Resource": [
           "arn:aws:cassandra:us-east-1:555555555555:/keyspace/system*"
         ]
       }
     ]
   }
3. Grant the IAM user read access to the Amazon EC2 instance with the VPC.
   When you use Amazon Keyspaces with VPC endpoints, you need to grant the IAM user or role that accesses Amazon Keyspaces read-only permissions on Amazon EC2 and the VPC (ec2:DescribeNetworkInterfaces and ec2:DescribeVpcEndpoints) so that Amazon Keyspaces can gather endpoint and network interface data. Amazon Keyspaces stores this information in the system.peers table and uses it to manage connections.

   Note
   The managed policies AmazonKeyspacesReadOnlyAccess_v2 and AmazonKeyspacesFullAccess already include the permissions that let Amazon Keyspaces read information about available interface VPC endpoints from Amazon EC2, so an IAM user with one of those policies does not need the custom policy created below.

   a. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
   b. On the IAM console dashboard, choose Policies.
   c. Choose Create policy, and then choose the JSON tab.
   d. Copy the following policy and choose Next: Tags. The two Describe actions do not support resource-level permissions, so Resource must stay "*"; narrowing it to a specific ARN would cause the calls to be denied.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "ListVPCEndpoints",
            "Effect": "Allow",
            "Action": [
              "ec2:DescribeNetworkInterfaces",
              "ec2:DescribeVpcEndpoints"
            ],
            "Resource": "*"
          }
        ]
      }

   e. Choose Next: Review, enter the name keyspacesVPCendpoint for the policy, and choose Create policy.
   f. On the IAM console dashboard, choose Users, and then choose your IAM user from the list.
   g. On the Summary page, choose Add permissions.
   h. Choose Attach existing policies directly.
   i. From the list of policies, choose keyspacesVPCendpoint, and then choose Next: Review.
   j. Choose Add permissions.
   k. To verify that the Amazon Keyspaces system.peers table is getting updated with VPC information, run the following query from your Amazon EC2 instance using cqlsh. If you haven't already installed cqlsh on your Amazon EC2 instance in step 2, follow the instructions in Using the cqlsh-expansion to connect to Amazon Keyspaces.

      SELECT peer FROM system.peers;

      The output returns nodes with private IP addresses, depending on your VPC and subnet setup in your Amazon Region.

       peer
      ---------------
       112.11.22.123
       112.11.22.124
       112.11.22.125
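Both the minimum Select policy in the note under step 2 and the keyspacesVPCendpoint policy above can be checked offline with the following Python script, an added example rather than code from the Amazon Keyspaces documentation. It implements a small IAM evaluator (IAM wildcard matching, explicit Deny over Allow, implicit deny otherwise; Condition, NotAction and NotResource are rejected rather than modelled, which is an assumed simplification) and lists which of the required permissions a set of policy documents fails to grant. The policy JSON, account ID and Region are the page's sample values; keyspace ARNs are written with a trailing slash as Amazon Keyspaces resource ARNs are, and system_schema is used as one more keyspace the system* pattern has to cover.

```python
"""Offline check that a set of IAM policy documents grants the minimum Amazon
Keyspaces permissions described on this page: cassandra:Select on the system
keyspaces, plus the two ec2:Describe* actions Amazon Keyspaces needs to fill
system.peers with VPC endpoint data. Added example, not code from the Amazon
Keyspaces documentation. Account ID and Region are the page's sample values."""

import json
import re


def _iam_match(pattern, value, case_insensitive=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    regex = ".*".join(".".join(re.escape(piece) for piece in part.split("?"))
                      for part in pattern.split("*"))
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policies, action, resource):
    """Evaluate identity-based policies the way IAM does for one request:
    an explicit Deny always wins, otherwise any matching Allow grants,
    otherwise the request is implicitly denied. Simplification (assumption):
    Condition, NotAction and NotResource are rejected rather than modelled."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
                raise ValueError("statement form not supported by this checker")
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            # Action names are case-insensitive in IAM; resource ARNs are not.
            if not any(_iam_match(a, action, case_insensitive=True) for a in actions):
                continue
            if not any(_iam_match(r, resource) for r in resources):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


# (action, resource) pairs the page says a Keyspaces client needs. Keyspace ARNs
# end with a slash; system_schema is one more keyspace the system* pattern covers.
# EC2 Describe* actions carry no resource-level permissions, so they are checked
# against "*": a policy that narrows them to an ARN does not grant them at all.
REQUIRED = [
    ("cassandra:Select", "arn:aws:cassandra:us-east-1:555555555555:/keyspace/system/"),
    ("cassandra:Select", "arn:aws:cassandra:us-east-1:555555555555:/keyspace/system_schema/"),
    ("ec2:DescribeVpcEndpoints", "*"),
    ("ec2:DescribeNetworkInterfaces", "*"),
]


def missing_permissions(policies):
    """Return the REQUIRED pairs that the given policy documents do not allow."""
    return [(a, r) for a, r in REQUIRED if not is_allowed(policies, a, r)]


# The two policies from this page, verbatim.
MIN_KEYSPACES_READ = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Action": [ "cassandra:Select" ],
    "Resource": [ "arn:aws:cassandra:us-east-1:555555555555:/keyspace/system*" ] } ] }
""")

VPC_ENDPOINT_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Sid": "ListVPCEndpoints", "Effect": "Allow",
    "Action": [ "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcEndpoints" ],
    "Resource": "*" } ] }
""")

if __name__ == "__main__":
    print("Select policy alone ->", missing_permissions([MIN_KEYSPACES_READ]))
    print("Both policies       ->", missing_permissions([MIN_KEYSPACES_READ, VPC_ENDPOINT_POLICY]))
```

The Select policy alone leaves the two ec2 actions unsatisfied, which is exactly the gap step 3 closes; with both documents nothing is missing. Feeding the script a policy that scopes ec2:Describe* to a specific ARN reports the ec2 actions as missing, matching how IAM treats actions without resource-level permissions.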
Note
You have to use a cqlsh connection to Amazon Keyspaces from your Amazon EC2 instance inside the VPC to confirm that your VPC endpoint has been configured correctly. If you use your local environment or the Amazon Keyspaces CQL editor in the Amazon Web Services Management Console, the connection automatically goes through the public endpoint instead of your VPC endpoint. If you see nine IP addresses, these are the entries Amazon Keyspaces automatically writes to the system.peers table for public endpoint connections, not the addresses of your VPC endpoint's network interfaces.
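To make the check in this note mechanical, the following Python function (an added example, not part of the Amazon Keyspaces documentation) parses the tabular output of SELECT peer FROM system.peers and decides whether every peer falls inside the VPC's CIDR block, which indicates the VPC endpoint path, or whether the output is the nine public-endpoint entries. The VPC CIDR and the peer addresses in the samples are constructed; the page's own example addresses are only illustrative.

```python
"""Tell a VPC-endpoint cqlsh session from a public-endpoint one by inspecting
the rows of SELECT peer FROM system.peers. Added example, not code from the
Amazon Keyspaces documentation. VPC CIDR and peer addresses are constructed."""

import ipaddress

# Number of system.peers entries Amazon Keyspaces writes for public-endpoint
# connections, as stated in the note above.
PUBLIC_ENDPOINT_PEER_COUNT = 9


def parse_cqlsh_output(text):
    """Extract the address column from cqlsh's table output: skips the
    'peer' header, the dashed separator, blank lines and the '(n rows)' footer."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "peer" or set(line) == {"-"} or line.startswith("("):
            continue
        rows.append(line)
    return rows


def classify_peers(peer_rows, vpc_cidr):
    """Return (verdict, peer_count).
    'vpc-endpoint'    every peer is an address inside vpc_cidr (endpoint ENIs)
    'public-endpoint' no peer is inside vpc_cidr and there are exactly nine
    'unexpected'      anything else: empty table, mixed addresses, odd count"""
    network = ipaddress.ip_network(vpc_cidr)
    peers = [ipaddress.ip_address(p) for p in peer_rows]
    inside = [p for p in peers if p in network]   # version mismatch counts as outside
    if peers and len(inside) == len(peers):
        return "vpc-endpoint", len(peers)
    if peers and not inside and len(peers) == PUBLIC_ENDPOINT_PEER_COUNT:
        return "public-endpoint", len(peers)
    return "unexpected", len(peers)


VPC_CIDR = "10.0.0.0/16"   # constructed: the CIDR of the VPC that holds the endpoint

# Constructed cqlsh output from an EC2 instance inside the VPC.
VPC_OUTPUT = """
 peer
---------------
 10.0.1.47
 10.0.2.113
 10.0.3.201

(3 rows)
"""

# Constructed output of a session that went through the public endpoint
# (nine addresses from the documentation range 192.0.2.0/24).
PUBLIC_OUTPUT = "\n".join(["peer", "-" * 15]
                          + [f"192.0.2.{i}" for i in range(1, 10)]
                          + ["", "(9 rows)"])

if __name__ == "__main__":
    for label, out in (("inside VPC", VPC_OUTPUT), ("public", PUBLIC_OUTPUT)):
        print(label, classify_peers(parse_cqlsh_output(out), VPC_CIDR))
```

Pipe the real output in (for example `cqlsh ... -e 'SELECT peer FROM system.peers;'` captured to a file) and pass your VPC's CIDR; an 'unexpected' verdict with a mix of addresses usually means the session reached the public endpoint from a host that also resolves the endpoint's private DNS name, and is worth investigating before trusting the setup.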