AWS clean-rooms documentation change
Summary
Removed documentation sections for creating PySpark-related service roles (reading code from S3 and writing job results)
Security assessment
The changes remove documentation about specific PySpark analysis template roles but provide no evidence of addressing security vulnerabilities. This appears to be feature deprecation or simplification rather than security remediation.
Diff
diff --git a/clean-rooms/latest/userguide/setting-up-roles.md b/clean-rooms/latest/userguide/setting-up-roles.md index 7f7e3477c..e2d8a59aa 100644 --- a/clean-rooms/latest/userguide/setting-up-roles.md +++ b/clean-rooms/latest/userguide/setting-up-roles.md @@ -5 +5 @@ -Create an administrator userCreate an IAM role for a collaboration memberCreate a service role to read data from Amazon S3Create a service role to read data from Amazon AthenaCreate a service role to read data from SnowflakeCreate a service role to read code from an S3 bucket (PySpark analysis template role)Create a service role to write results of a PySpark jobCreate a service role to receive results +Create an administrator userCreate an IAM role for a collaboration memberCreate a service role to read data from Amazon S3Create a service role to read data from Amazon AthenaCreate a service role to read data from SnowflakeCreate a service role to receive results @@ -21,4 +20,0 @@ Create an administrator userCreate an IAM role for a collaboration memberCreate - * Create a service role to read code from an S3 bucket (PySpark analysis template role) - - * Create a service role to write results of a PySpark job - @@ -57 +52,0 @@ Query | [AWS managed policy: AWSCleanRoomsFullAccess](./security-iam-awsmanpol.h -Query and run jobs | [AWS managed policy: AWSCleanRoomsFullAccess](./security-iam-awsmanpol.html#security-iam-awsmanpol-fullaccess) @@ -448,178 +442,0 @@ If you want to help ensure that the role is used only in the context of a certai -## Create a service role to read code from an S3 bucket (PySpark analysis template role) - -AWS Clean Rooms uses a service role to read code from a collaboration member's specified S3 bucket when using a PySpark analysis template. - -###### To create a service role to read code from an S3 bucket - - 1. Create a role using custom trust policies. For more information, see the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure in the _AWS Identity and Access Management User Guide_. - - 2. Use the following custom trust policy according to the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure. - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "cleanrooms.amazonaws.com" - }, - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:ArnEquals": { - "aws:SourceArn": [ - "arn:aws:cleanrooms:region:jobRunnerAccountId:membership/jobRunnerMembershipId", - "arn:aws:cleanrooms:region:analysisTemplateAccountId:membership/analysisTemplateOwnerMembershipId" - ] - } - } - } - ] - } - - 3. Use the following permissions policy according to the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure. - -###### Note - -The following example policy supports the permissions needed to read your code from Amazon S3. However, you might need to modify this policy depending on how you've set up your S3 data. - -Your Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration. - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:GetObjectVersion" - ], - "Resource": ["arn:aws:s3:::s3Path"], - "Condition":{ - "StringEquals":{ - "s3:ResourceAccount":[ - "s3BucketOwnerAccountId" - ] - } - } - } - ] - } - - 4. Replace each `placeholder` with your own information: - - * `s3Path` – The S3 bucket location of your code. - - * `s3BucketOwnerAccountId` – The AWS account ID of the S3 bucket owner. - - * `region` – The name of the AWS Region. For example, `us-east-1`. - - * `jobRunnerAccountId` – The AWS account ID of the member who can run queries and jobs. - - * `jobRunnerMembershipId` – The **Membership ID** of the member who can query and run jobs. The **Membership ID** can be found on the **Details** tab of the collaboration. This ensures that AWS Clean Rooms is assuming the role only when this member runs the analysis in this collaboration. - - * `analysisTemplateAccountId` – The AWS account ID of the analysis template. - - * `analysisTemplateOwnerMembershipId` – The **Membership ID** of the member who owns the analysis template. The **Membership ID** can be found on the **Details** tab of the collaboration. - - 5. Continue to follow the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure to create the role. - - - - -## Create a service role to write results of a PySpark job - -AWS Clean Rooms uses a service role to write the results of a PySpark job to a specified S3 bucket. - -###### To create a service role to write results of a PySpark job - - 1. Create a role using custom trust policies. For more information, see the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure in the _AWS Identity and Access Management User Guide_. - - 2. Use the following custom trust policy according to the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure. - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "cleanrooms.amazonaws.com" - }, - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:ArnEquals": { - "aws:SourceArn": [ - "arn:aws:cleanrooms:region:jobRunnerAccountId:membership/jobRunnerMembershipId", - "arn:aws:cleanrooms:region:rrAccountId:membership/rrMembershipId" - ] - } - } - } - ] - } - - 3. Use the following permissions policy according to the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure. - -###### Note - -The following example policy supports the permissions needed to write to Amazon S3. However, you might need to modify this policy depending on how you've set up S3. - -Your Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration. - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "s3:PutObject" - ], - "Resource": "arn:aws:s3:::bucket/optionalPrefix/*", - "Condition":{ - "StringEquals":{ - "s3:ResourceAccount":[ - "s3BucketOwnerAccountId" - ] - } - } - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetBucketLocation", - "s3:ListBucket" - ], - "Resource": "arn:aws:s3:::bucket/optionalPrefix/*", - "Condition":{ - "StringEquals":{ - "s3:ResourceAccount":[ - "s3BucketOwnerAccountId" - ] - } - } - } - ] - } - - 4. Replace each `placeholder` with your own information: - - * `region` – The name of the AWS Region. For example, `us-east-1`. - - * `jobRunnerAccountId` – The AWS account ID in which the S3 bucket is located. - - * `jobRunnerMembershipId` – The **Membership ID** of the member who can query and run jobs. The **Membership ID** can be found on the **Details** tab of the collaboration. This ensures that AWS Clean Rooms is assuming the role only when this member runs the analysis in this collaboration. - - * `rrAccountId` – The AWS account ID in which the S3 bucket is located. - - * `rrMembershipId` – The **Membership ID** of the member who can receive results. The **Membership ID** can be found on the **Details** tab of the collaboration. This ensures that AWS Clean Rooms is assuming the role only when this member runs the analysis in this collaboration. - - * `bucket` – The name and location of the S3 bucket. - - * `optionalPrefix` – An optional prefix if you want to save your results under a specific S3 prefix. - - * `s3BucketOwnerAccountId` – The AWS account ID of the S3 bucket owner. - - 5. Continue to follow the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure to create the role. - - - -