
Securing Cassandra Database on AWS

I recently created a Cassandra Cluster on AWS. I also wrote a client program to access it. Everything works. However, I am concerned about security. In my client program, I only had to know the IP address of the cluster, and then I could connect to it and run queries on it. Isn't this bad for security? How do people normally do this securely?

Thanks

You should have a security group already defined for your cluster, even if they are default. Check Security Groups for Your VPC

At a minimum, you should limit public access to the ports required by the service.

I would honestly tie it down to your IP number only, until you get a better grasp on the overall security requirements of your implementation.

By default, Cassandra installs with all security features disabled. There are four main features that you can enable:

  • Internal Authentication: This enables username/password access to your cluster. You can follow the link, and set authenticator: PasswordAuthenticator in your cassandra.yaml to enable.
  • Internal Authorization: This enables permission security within Cassandra. Again, check out the info in the link, and set authorizer: CassandraAuthorizer in your cassandra.yaml to enable.
  • Client-to-Node encryption: This protects your data in flight between your client app and your cluster.
  • Node-to-Node encryption: This protects your data between the different nodes in your cluster.

At the very least, I recommend enabling internal authentication and authorization. SSL encryption is slightly more complicated (although still a good idea to do), but may be required based on your corporate policies and the sensitivity of your data. This is of course in addition to applying the appropriate AWS security groups to your cluster.
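As an added illustration (not part of the answer above or of the Cassandra project's shipped file), the cassandra.yaml keys behind the four features, first as they ship by default and then with the hardened values; the two halves are shown together only for comparison, since a real cassandra.yaml cannot repeat a key, and the keystore/truststore paths and passwords are placeholders:

```yaml
# --- As shipped: all four features off ---
authenticator: AllowAllAuthenticator      # anyone who can reach port 9042 is accepted
authorizer: AllowAllAuthorizer            # every role may do anything
client_encryption_options:
  enabled: false                          # client <-> node traffic in the clear
server_encryption_options:
  internode_encryption: none              # node <-> node traffic in the clear

# --- Hardened: the four features enabled ---
authenticator: PasswordAuthenticator      # internal authentication
authorizer: CassandraAuthorizer           # internal authorization
role_manager: CassandraRoleManager        # roles stored in system_auth

# Client-to-node encryption
client_encryption_options:
  enabled: true
  optional: false                         # refuse plaintext connections
  keystore: /etc/cassandra/conf/node.keystore          # placeholder path
  keystore_password: REPLACE_WITH_KEYSTORE_PASSWORD    # placeholder
  require_client_auth: true               # clients must present a certificate
  truststore: /etc/cassandra/conf/node.truststore      # placeholder path
  truststore_password: REPLACE_WITH_TRUSTSTORE_PASSWORD

# Node-to-node encryption
server_encryption_options:
  internode_encryption: all               # encrypt traffic within and across DCs
  keystore: /etc/cassandra/conf/node.keystore          # placeholder path
  keystore_password: REPLACE_WITH_KEYSTORE_PASSWORD    # placeholder
  truststore: /etc/cassandra/conf/node.truststore      # placeholder path
  truststore_password: REPLACE_WITH_TRUSTSTORE_PASSWORD
  require_client_auth: true               # peers must present a certificate
```

Once PasswordAuthenticator is active, the default `cassandra`/`cassandra` superuser should be replaced by a new superuser role and application access granted per role, otherwise the authentication step adds little.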

It is better to have two security groups, one for Cassandra and one for the application. The Cassandra nodes are assigned only internal IPs, no public IP, and access to the Cassandra port is limited to the application security group only. This ensures only the application can access Cassandra.

You should also enable Cassandra Authentication and Authorization, following the official security guide.
