AWS AmazonS3 documentation change
Summary
Added required KMS permissions and service principal access for SSE-KMS encrypted S3 Tables
Security assessment
Documents necessary permissions for encryption key management but does not indicate a resolved security vulnerability. Improves clarity for secure configuration.
Diff
diff --git a/AmazonS3/latest/userguide/metadata-tables-permissions.md b/AmazonS3/latest/userguide/metadata-tables-permissions.md index 475e01a63..7b5e275d7 100644 --- a//AmazonS3/latest/userguide/metadata-tables-permissions.md +++ b//AmazonS3/latest/userguide/metadata-tables-permissions.md @@ -37 +37,6 @@ For detailed information about all table and table bucket permissions, see [Acce -If you also want to integrate your table bucket with AWS analytics services so that you can query your metadata table, you need additional permissions. For more information, see [ Integrating Amazon S3 Tables with AWS analytics services](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-integrating-aws.html). + * If you also want to integrate your table bucket with AWS analytics services so that you can query your metadata table, you need additional permissions. For more information, see [ Integrating Amazon S3 Tables with AWS analytics services](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-integrating-aws.html). + + * If your table bucket is using server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) you also need `kms:GenerateDataKey` and `kms:Decrypt` permissions. Additionally you need to grant permission for the `metadata.s3.amazonaws.com` and `maintenance.s3tables.amazonaws.com` service principals to access your KMS key. For more information, see [ Granting the S3 Metadata service principal permissions to use your KMS key ](./s3-tables-kms-permissions.html#tables-kms-metadata-permissions). + + +