AWS Security ChangesHomeSearch

AWS keyspaces documentation change

Service: keyspaces · 2025-07-16 · Documentation medium

File: keyspaces/latest/devguide/security_iam_id-based-policy-examples.md

Summary

Updated IAM policy examples with region placeholders, added explicit requirements for system table access, and introduced a new policy example with explicit Deny rules for user tables

Security assessment

The changes emphasize the necessity of granting SELECT permissions on system tables for proper access (critical for driver functionality) and demonstrate security best practices by adding an explicit Deny policy example. While this improves security documentation, there is no evidence of addressing a specific disclosed vulnerability.

Diff

diff --git a/keyspaces/latest/devguide/security_iam_id-based-policy-examples.md b/keyspaces/latest/devguide/security_iam_id-based-policy-examples.md
index 76056219c..34ab0d399 100644
--- a//keyspaces/latest/devguide/security_iam_id-based-policy-examples.md
+++ b//keyspaces/latest/devguide/security_iam_id-based-policy-examples.md
@@ -102,2 +101,0 @@ This example shows how you might create a policy that allows IAM users to view t
-The following is a sample policy that grants read-only (`SELECT`) access to the Amazon Keyspaces system tables. For all samples, replace the Region and account ID in the Amazon Resource Name (ARN) with your own.
-
@@ -106 +104,19 @@ The following is a sample policy that grants read-only (`SELECT`) access to the
-To connect with a standard driver, a user must have at least `SELECT` access to the system tables, because most drivers read the system keyspaces/tables on connection. 
+To access user keyspaces and tables in Amazon Keyspaces, your IAM policy must include `cassandra:Select` permissions on system tables:
+    
+    
+    arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/system*
+
+This applies to the following scenarios:
+
+  * AWS Management Console access
+
+  * SDK resource operations, for example `GetKeyspace`, `GetTable`, `ListKeyspaces`, and `ListTables`
+
+  * Standard Apache Cassandra client driver connections, because drivers automatically read system tables during connection initialization
+
+
+
+
+System tables are read-only and cannot be modified.
+
+The following is a sample policy that grants read-only (`SELECT`) access to the Amazon Keyspaces system tables. For all samples, replace the Region and account ID in the Amazon Resource Name (ARN) with your own.
@@ -118 +134 @@ To connect with a standard driver, a user must have at least `SELECT` access to
-                "arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"
+                "arn:aws:cassandra:aws-region:111122223333:/keyspace/system*"
@@ -136,2 +152,2 @@ The following sample policy adds read-only access to the user table `mytable` in
-                "arn:aws:cassandra:us-east-1:111122223333:/keyspace/mykeyspace/table/mytable",
-                "arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"
+                "arn:aws:cassandra:aws-region:111122223333:/keyspace/mykeyspace/table/mytable",
+                "arn:aws:cassandra:aws-region:111122223333:/keyspace/system*"
@@ -145,4 +160,0 @@ The following sample policy assigns read/write access to a user table and read a
-###### Note
-
-System tables are always read-only.
-    
@@ -160,2 +172,2 @@ System tables are always read-only.
-                "arn:aws:cassandra:us-east-1:111122223333:/keyspace/mykeyspace/table/mytable",
-                "arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"
+                "arn:aws:cassandra:aws-region:111122223333:/keyspace/mykeyspace/table/mytable",
+                "arn:aws:cassandra:aws-region:111122223333:/keyspace/system*"
@@ -180,2 +192,30 @@ The following sample policy allows a user to create tables in keyspace `mykeyspa
-                "arn:aws:cassandra:us-east-1:111122223333:/keyspace/mykeyspace/*",
-                "arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"
+                "arn:aws:cassandra:aws-region:111122223333:/keyspace/mykeyspace/*",
+                "arn:aws:cassandra:aws-region:111122223333:/keyspace/system*"
+             ]
+          }
+       ]
+    }
+
+The following sample policy assigns read access to the system tables, but restricts `SELECT` (read) and `MODIFY` (write) access to the user table `mytable`. 
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+       {
+         "Effect": "Allow",
+         "Action": [
+          "cassandra:Select"
+         ],
+         "Resource": [
+          "arn:aws:cassandra:aws-region:111122223333:/keyspace/system*"
+         ]
+       },
+       {
+         "Effect": "Deny",
+         "Action": [
+          "cassandra:Select",
+          "cassandra:Modify"
+         ],
+         "Resource": [
+          "arn:aws:cassandra:aws-region:111122223333:/keyspace/mykeyspace/table/mytable"
@@ -209,2 +249,2 @@ The following example shows how you can create a policy that grants permissions
-                "arn:aws:cassandra:us-east-1:111122223333:/keyspace/mykeyspace/table/*",
-                "arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"
+                "arn:aws:cassandra:aws-region:111122223333:/keyspace/mykeyspace/table/*",
+                "arn:aws:cassandra:aws-region:111122223333:/keyspace/system*"
@@ -236 +276 @@ The following policy grants permissions to a user to create tables with tags if
-              "Resource": "arn:aws:cassandra:us-east-1:111122223333:/keyspace/mykeyspace/table/*", 
+              "Resource": "arn:aws:cassandra:aws-region:111122223333:/keyspace/mykeyspace/table/*",