Amazon Keyspaces Preventative Security Best Practices - Amazon Keyspaces (for Apache Cassandra)


Amazon Keyspaces Preventative Security Best Practices

The following best practices can help you anticipate and prevent security incidents in Amazon Keyspaces.

Encryption at rest

Amazon Keyspaces encrypts at rest all user data stored in tables using encryption keys stored in AWS Key Management Service (AWS KMS). This provides an additional layer of data protection for the underlying storage by protecting your data from unauthorized access.

Amazon Keyspaces uses a single service default key (AWS owned CMK) for encrypting all of your tables. If this key doesn’t exist, it is created for you. Service default keys can't be disabled. For more information, see Amazon Keyspaces Encryption at Rest.

Use IAM roles to authenticate access to Amazon Keyspaces

For users, applications, and other AWS services to access Amazon Keyspaces, they must include valid AWS credentials in their AWS API requests. You should not store AWS credentials directly in the application or EC2 instance. These are long-term credentials that are not automatically rotated, and therefore could have significant business impact if they are compromised. With IAM roles, you instead obtain temporary access keys that can be used to access AWS services and resources.

For more information, see IAM Roles.

Use IAM policies for Amazon Keyspaces base authorization

When granting permissions, you decide who is getting them, which Amazon Keyspaces APIs they are getting permissions for, and the specific actions you want to allow on those resources. Implementing least privilege is key in reducing security risk and the impact that can result from errors or malicious intent.

Attach permissions policies to IAM identities (that is, users, groups, and roles) and thereby grant permissions to perform operations on Amazon Keyspaces resources.

You can do this by using the following:

Use IAM policy conditions for fine-grained access control

When you grant permissions in Amazon Keyspaces, you can specify conditions that determine how a permissions policy takes effect. Implementing least privilege is key in reducing security risk and the impact that can result from errors or malicious intent.

You can specify conditions when granting permissions using an IAM policy. For example, you can do the following:

  • Grant permissions to allow users read-only access to specific keyspaces or tables.

  • Grant permissions to allow a user write access to a certain table, based upon the identity of that user.

For more information, see Identity-Based Policy Examples.
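The two bullets above expressed as one identity-based policy, written here as an added example rather than taken from the Amazon Keyspaces documentation. Assumptions: the region `us-east-1`, the account ID `111122223333`, the keyspace and table names `sales`, `orders` and `scratch`, and the endpoint ID `vpce-EXAMPLE` are placeholders; the `${aws:username}` policy variable scopes the write grant to a table named after the calling IAM user, and the `system*` resource is included because Cassandra drivers read the system tables when they connect.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyOrdersTable",
      "Effect": "Allow",
      "Action": ["cassandra:Select"],
      "Resource": [
        "arn:aws:cassandra:us-east-1:111122223333:/keyspace/sales/table/orders",
        "arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"
      ]
    },
    {
      "Sid": "WriteOwnScratchTable",
      "Effect": "Allow",
      "Action": ["cassandra:Select", "cassandra:Modify"],
      "Resource": "arn:aws:cassandra:us-east-1:111122223333:/keyspace/scratch/table/${aws:username}"
    },
    {
      "Sid": "DenyOutsideVpcEndpoint",
      "Effect": "Deny",
      "Action": "cassandra:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:SourceVpce": "vpce-EXAMPLE" }
      }
    }
  ]
}
```

The first statement is read-only on a single table, the second grants writes only to the caller's own table, and the explicit Deny with the `aws:SourceVpce` condition blocks every Keyspaces action that does not arrive through the named interface VPC endpoint, which is the kind of condition-based restriction this section describes.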

Consider client-side encryption

If you store sensitive or confidential data in Amazon Keyspaces, you might want to encrypt that data as close as possible to its origin so that your data is protected throughout its lifecycle. Encrypting your sensitive data in transit and at rest helps ensure that your plaintext data isn’t available to any third party.