AWS keyspaces documentation change
Summary
Added documentation for multi-Region keyspace permissions requirements when working with UDTs, including new IAM actions (CreateMultiRegionResource, SelectMultiRegionResource, DropMultiRegionResource) and example policies
Security assessment
The changes clarify required IAM permissions for multi-Region operations but do not indicate a security vulnerability fix. This is a documentation expansion for feature usage rather than addressing a specific security issue.
Diff
diff --git a/keyspaces/latest/devguide/configure-udt-permissions.md b/keyspaces/latest/devguide/configure-udt-permissions.md index 1823c528b..b8c299c27 100644 --- a/keyspaces/latest/devguide/configure-udt-permissions.md +++ b/keyspaces/latest/devguide/configure-udt-permissions.md @@ -9 +9 @@ Create permissionsView permissionsDelete permissions -Like tables, UDTs are bound to a specific keyspace. But unlike tables, you can't define permissions directly for types. Types are not considered resources in AWS and they have no unique identifiers in the format of Amazon Resource Names (ARNs). Instead, to give an IAM principal permissions to perform specific actions on a type, you have to define permissions for the keyspace that the type is bound to. +Like tables, UDTs are bound to a specific keyspace. But unlike tables, you can't define permissions directly for UDTs. UDTs are not considered resources in AWS and they have no unique identifiers in the format of an Amazon Resource Name (ARN). Instead, to give an IAM principal permissions to perform specific actions on a UDT, you have to define permissions for the keyspace that the UDT is bound to. To work with UDTs in multi-Region keyspaces, additional permissions are required. @@ -11 +11 @@ Like tables, UDTs are bound to a specific keyspace. But unlike tables, you can't -To be able to create, view, or delete UDTs, the principal, for example the IAM user or role, needs permissions to perform the same action on the keyspace. +To be able to create, view, or delete UDTs, the principal, for example an IAM user or role, needs the same permissions that are required to perform the same action on the keyspace that the UDT is bound to. @@ -17 +17 @@ For more information about AWS Identity and Access Management, see [AWS Identity -To create a UDT, the principal needs `Create` permissions for the keyspace. +To create a UDT in a single-Region keyspace, the principal needs `Create` permissions for the keyspace. @@ -34,0 +35,18 @@ The following IAM policy is an example of this. +To create a UDT in a multi-Region keyspace, in addition to `Create` permissions the principal also needs permissions for the action `CreateMultiRegionResource` for the specified keyspace. + +The following IAM policy is an example of this. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ "cassandra:Create", "cassandra:CreateMultiRegionResource" ], + "Resource": [ + "arn:aws:cassandra:aws-region:111122223333:/keyspace/my_keyspace/" + ] + } + ] + } + @@ -37 +55 @@ The following IAM policy is an example of this. -To view or list UDTs, the principal needs read permissions for the system keyspace. For more information, see [system_schema_mcs](./working-with-keyspaces.html#keyspace_system_schema_mcs). +To view or list UDTs in a single-Region keyspace, the principal needs read permissions for the system keyspace. For more information, see [system_schema_mcs](./working-with-keyspaces.html#keyspace_system_schema_mcs). @@ -54,0 +73,18 @@ The following IAM policy is an example of this. +To view or list UDTs for a multi-Region keyspace, the principal needs permissions for the actions `SELECT` and `SelectMultiRegionResource` for the system keyspace. For more information, see [system_multiregion_info](./working-with-keyspaces.html#keyspace_system_multiregion_info). + +The following IAM policy is an example of this. + + + { + "Version":"2012-10-17", + "Statement":[ + { + "Effect":"Allow", + "Action": ["cassandra:Select", "cassandra:SelectMultiRegionResource"], + "Resource":[ + "arn:aws:cassandra:aws-region:111122223333:/keyspace/system*" + ] + } + ] + } + @@ -57 +93 @@ The following IAM policy is an example of this. -To delete a UDT, the principal needs `Drop` permissions for the keyspace. +To delete a UDT from a single-Region keyspace, the principal needs permissions for the `Drop` action for the specified keyspace. @@ -74,0 +111,18 @@ The following IAM policy is an example of this. +To delete a UDT from a multi-Region keyspace, the principal needs permissions for the `Drop` action and for the `DropMultiRegionResource` action for the specified keyspace. + +The following IAM policy is an example of this. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ "cassandra:Drop", "cassandra:DropMultiRegionResource" ], + "Resource": [ + "arn:aws:cassandra:aws-region:111122223333:/keyspace/my_keyspace/" + ] + } + ] + } +