Scylla Security Checklist¶
The Scylla Security checklist is a list of security recommendations that should be implemented to protect your Scylla cluster.
Authentication is a security step to verify the identity of a client. When enabled, Scylla requires all clients to authenticate themselves to determine their access to the cluster.
Role Base Access¶
Role Based Access Control (RBAC), a method of reducing lists of authorized users to a few roles assigned to multiple users. RBAC is sometimes referred to as role-based security. It is recommended to:
Encryption on Transit, Client to Node and Node to Node¶
Encryption on Transit protects your communication against a 3rd interception on the network connection. Configure Scylla to use TLS/SSL for all the connections. Use TLS/SSL to encrypt communication between Scylla nodes and client applications.
Encryption at Rest¶
Encryption at Rest is available in a Scylla Enterprise 2019.1.1.
Encryption at rest protects the privacy of your user’s data, reduces the risk of data breaches, and helps meet regulatory requirements. In particular, it provides an additional level of protection for your data persisted in storage or backup.
Reduce the Network Exposure¶
Ensure that Scylla runs in a trusted network environment. A best practice is to maintain a list of ports used by Scylla and to monitor them to ensure that only trusted clients access those network interfaces and ports. The diagram below shows a single datacenter cluster deployment, with the list of ports used for each connection type. You should periodically check to make sure that only these ports are open and that they are open to relevant IPs only. Most of the ports settings are configurable in the scylla.yaml file. Also, see the list of ports used by Scylla.
Scylla uses the following ports:
|9142||SSL CQL (secure client to node)||TCP|
|7000||Inter-node communication (RPC)||TCP|
|7001||SSL inter-node communication (RPC)||TCP|
|10000||Scylla REST API||TCP|
|9160||Scylla client port (Thrift)||TCP|
|10001||Scylla Manager Agent REST API *||TCP|
|5609||Scylla Manager Prometheus API||HTTP|
|56090||Scylla Manager Agent Prometheus API *||TCP|
* Available in Scylla Manager version 2.0 and higher
Audit System Activity¶
Using the auditing feature allows the administrator to know “who did / looked at / changed what and when.” It also allows logging some or all the activities a user performs on Scylla cluster.
- Update your cluster with latest Scylla version.
- Make sure to update your Operating System and libraries are up to date.