---
title: "Security Practices"
description: "Recommended security practices for Aerospike Cloud account members, database users, and VPC peering connectivity."
---

# Security Practices


Aerospike Cloud has two distinct, limited types of _access_:

-   Aerospike Cloud account members:
    
    -   Can access management tools through the [Cloud Console](https://console.aerospike.com/) or public applications
    -   Are limited to the Console and APIs inside the Aerospike Cloud organization
    -   Have broad powers to administer databases, create API keys for public API access, and manage Aerospike Cloud database users
-   Aerospike Database users:
    
    -   Can access an Aerospike database running in the cloud using database credentials
    -   May be granted specific [roles](https://aerospike.com/docs/cloud/manage/database-users) that enable access to manipulate the database
    -   Cannot create other database users

## Best Practices

Aerospike Cloud supports VPC peering connectivity. The database and its endpoints are available through a VPC peering connection.

### Best practices for Aerospike Cloud account members

-   Limit access to your account to a small number of trusted administrators
-   Consider using multiple accounts to separate concerns in large organizations

### Best practices for Aerospike Cloud database users

-   Scope roles to the minimum permission set needed, following the principle of least privilege
-   Choose secure passwords
-   Periodically rotate passwords or users
-   Use VPC peering connections to your database

#### Connecting to your cluster with VPC peering

VPC peering connections in AWS are managed over a private network with encrypted traffic. With VPC peering, the Aerospike Database cluster and its associated node addresses and metrics endpoints are only available through a controlled connection. You can read about VPC peering connections in AWS's [VPC peering documentation](https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html).

Aerospike Cloud supports disabling TLS encryption between VPCs, but this is not a recommended practice. See [Configure AWS VPC peering](https://aerospike.com/docs/cloud/manage/vpc-peering) for information about configuring a connection.