Scylla Security Checklist

The Scylla Security checklist is a list of security recommendations that should be implemented to protect your Scylla cluster.

Enable Authentication

Authentication is a security step to verify the identity of a client. When enabled, Scylla requires all clients to authenticate themselves to determine their access to the cluster.

Role Base Access

Role Based Access Control (RBAC), a method of reducing lists of authorized users to a few roles assigned to multiple users. RBAC is sometimes referred to as role-based security. It is recommended to:

  • Set roles per keyspace/table.
  • Use the principle of least privilege per keyspace/table. Start by granting no permissions to all roles, then grant read access only to roles who need it, write access to roles who need to write etc. It’s better to have more roles, each with fewer permissions.

Encryption on Transit, Client to Node and Node to Node

Encryption on Transit protects your communication against a 3rd interception on the network connection. Configure Scylla to use TLS/SSL for all the connections. Use TLS/SSL to encrypt communication between Scylla nodes and client applications.

See:

Reduce the Network Exposure

Ensure that Scylla runs in a trusted network environment. Make sure that only trusted clients access the network interfaces and ports on which Scylla uses. List of ports used by Scylla.

Audit System Activity

Using the auditing feature allows the administrator to know “who did / looked at / changed what and when.” It also allows logging some or all the activities a user performs on Scylla cluster.

General Recommendations

  • Update your cluster with latest Scylla version.
  • Make sure to update your Operating System and libraries are up to date.