Reputation: 1001
I recently created a Cassandra Cluster on AWS. I also wrote a client program to access it. Everything works. However, I am concerned about security. In my client program, I only had to know the IP address of the cluster, and then I could connect to it and run queries on it. Isn't this bad for security? How do people normally do this securely?
Thanks
Upvotes: 0
Views: 204
Reputation: 669
It is better to have two security groups, one for Cassandra and one for the application. The Cassandra nodes are assigned only an internal IP, no public IP, and access to the Cassandra port is limited to the application security group only. This ensures only the application can access Cassandra.
You should also enable Cassandra Authentication and Authorization, following the official security guide.
Upvotes: 0
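One way to check the two-group layout described in the answer above, as an added example that is not part of the original posts: it audits a Cassandra security group, in the JSON shape returned by aws ec2 describe-security-groups, for rules that open Cassandra's default ports to anything other than the application group. The group IDs and sample rules are constructed, and treating 9042 as the only port the application needs and allowing node-to-node traffic inside the Cassandra group are assumptions.

```python
import ipaddress

# Default Cassandra ports: CQL clients, inter-node, inter-node TLS, JMX, legacy Thrift.
CASSANDRA_PORTS = {9042, 7000, 7001, 7199, 9160}
CLIENT_PORT = 9042  # assumption: the only port the application needs

def cassandra_ports_opened(perm):
    """Return the Cassandra ports that one IpPermissions entry exposes."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "-1" means all protocols and ports
        return sorted(CASSANDRA_PORTS)
    if proto != "tcp":
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return sorted(p for p in CASSANDRA_PORTS if lo <= p <= hi)

def audit(cassandra_sg, app_sg_id):
    """List (ports, source, reason) for rules that break the two-group layout."""
    findings = []
    for perm in cassandra_sg.get("IpPermissions", []):
        ports = cassandra_ports_opened(perm)
        if not ports:
            continue                       # rule does not touch Cassandra
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            world = ipaddress.ip_network(cidr, strict=False).prefixlen == 0
            reason = "open to any address" if world else "CIDR source, not a group"
            findings.append((ports, cidr, reason))
        for pair in perm.get("UserIdGroupPairs", []):
            gid = pair["GroupId"]
            if gid == cassandra_sg["GroupId"]:
                continue                   # assumption: nodes may talk to each other
            if gid == app_sg_id and ports == [CLIENT_PORT]:
                continue                   # the one rule the answer calls for
            findings.append((ports, gid, "unexpected group or port"))
    return findings

SAMPLE_SG = {  # constructed sample, not output from a real account
    "GroupId": "sg-cassandra-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9042, "ToPort": 9042,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": [{"GroupId": "sg-app-example"}]},
        {"IpProtocol": "tcp", "FromPort": 7000, "ToPort": 7001,
         "UserIdGroupPairs": [{"GroupId": "sg-cassandra-example"}]},
        {"IpProtocol": "tcp", "FromPort": 7199, "ToPort": 7199,
         "UserIdGroupPairs": [{"GroupId": "sg-app-example"}]},
    ],
}
```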
Reputation: 57798
By default, Cassandra installs with all security features disabled. There are four main features that you can enable:
authenticator: PasswordAuthenticator in your cassandra.yaml to enable.
authorizer: CassandraAuthorizer in your cassandra.yaml to enable.
At the very least, I recommend enabling internal authentication and authorization. SSL encryption is slightly more complicated (although still a good idea to do), but may be required based on your corporate policies and the sensitivity of your data. This is of course in addition to applying the appropriate AWS security groups to your cluster.
Upvotes: 0
Reputation: 13638
You should have a security group already defined for your cluster, even if it is the default. Check Security Groups for Your VPC.
At a minimum, you should limit public access to the ports required by the service.
I would honestly tie it down to your IP number only, until you get a better grasp on the overall security requirements of your implementation.
Upvotes: 1