AWS keyspaces documentation change
Summary
Added documentation about mandatory system table permissions, updated resource ARN formats with placeholders, and introduced stream resource definitions
Security assessment
The changes clarify critical security requirements for accessing Amazon Keyspaces (including console/SDK/driver access dependencies on system tables) and expand resource type coverage. This strengthens security documentation but does not indicate remediation of a specific vulnerability.
Diff
diff --git a/keyspaces/latest/devguide/security_iam_service-with-iam.md b/keyspaces/latest/devguide/security_iam_service-with-iam.md index 7fc857547..231e4658a 100644 --- a//keyspaces/latest/devguide/security_iam_service-with-iam.md +++ b//keyspaces/latest/devguide/security_iam_service-with-iam.md @@ -61 +61,21 @@ For actions that don't support resource-level permissions, such as listing opera -In Amazon Keyspaces keyspaces and tables can be used in the `Resource` element of IAM permissions. +In Amazon Keyspaces, keyspaces, tables, and streams can be used in the `Resource` element of IAM permissions. + +###### Note + +To access user keyspaces and tables in Amazon Keyspaces, your IAM policy must include `cassandra:Select` permissions on system tables: + + + arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/system* + +This applies to the following scenarios: + + * AWS Management Console access + + * SDK resource operations, for example `GetKeyspace`, `GetTable`, `ListKeyspaces`, and `ListTables` + + * Standard Apache Cassandra client driver connections, because drivers automatically read system tables during connection initialization + + + + +System tables are read-only and cannot be modified. @@ -66 +86 @@ The Amazon Keyspaces keyspace resource has the following ARN: - arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/${KeyspaceName}/ + arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/${keyspaceName}/ @@ -71 +91,6 @@ The Amazon Keyspaces table resource has the following ARN: - arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/${KeyspaceName}/table/${tableName} + arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/${keyspaceName}/table/${tableName} + +The Amazon Keyspaces stream resource has the following ARN: + + + arn:${Partition}:cassandra:{Region}:${Account}:/keyspace/${keyspaceName}/table/${tableName}/stream/${streamLabel} @@ -78 +103 @@ For example, to specify the `mykeyspace` keyspace in your statement, use the fol - "Resource": "arn:aws:cassandra:us-east-1:123456789012:/keyspace/mykeyspace/" + "Resource": "arn:aws:cassandra:aws-region:111122223333:/keyspace/mykeyspace/" @@ -83 +108 @@ To specify all keyspaces that belong to a specific account, use the wildcard (*) - "Resource": "arn:aws:cassandra:us-east-1:123456789012:/keyspace/*" + "Resource": "arn:aws:cassandra:aws-region:111122223333:/keyspace/*" @@ -90 +115 @@ Some Amazon Keyspaces actions, such as those for creating resources, cannot be p -To connect to Amazon Keyspaces programmatically with a standard driver, a principal must have SELECT access to the system tables, because most drivers read the system keyspaces/tables on connection. For example, to grant `SELECT` permissions to an IAM user for `mytable` in `mykeyspace`, the principal must have permissions to read both, `mytable` and the `system keyspace`. To specify multiple resources in a single statement, separate the ARNs with commas. +For example, to grant `SELECT` permissions to an IAM principal for `mytable` in `mykeyspace`, the principal must have permissions to read both, `mytable` and `keyspace/system*`. To specify multiple resources in a single statement, separate the ARNs with commas. @@ -93,2 +118,2 @@ To connect to Amazon Keyspaces programmatically with a standard driver, a princi - "Resource": "arn:aws:cassandra:us-east-1:111122223333:/keyspace/mykeyspace/table/mytable", - "arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*" + "Resource": "arn:aws:cassandra:aws-region:111122223333:/keyspace/mykeyspace/table/mytable", + "arn:aws:cassandra:aws-region:111122223333:/keyspace/system*"