AWS Security ChangesHomeSearch

AWS glue medium security documentation change

Service: glue · 2025-05-01 · Security-related medium

File: glue/latest/dg/set-up-iam.md

Summary

Updated IAM policy configurations for AWS Glue to use customer-managed policies instead of inline policies, narrowed S3 permissions (removed wildcard actions like s3:Get*), added resource account conditions, and replaced references to broad AmazonS3FullAccess with more granular AWSGlueConsole-specific policies.

Security assessment

The changes enforce stricter permissions (reducing s3:Get*/List* to s3:GetObject) and add account-based resource conditions, directly addressing potential over-permission issues. This aligns with the principle of least privilege, mitigating risks of unintended S3 data exposure or modification.

Diff

diff --git a/glue/latest/dg/set-up-iam.md b/glue/latest/dg/set-up-iam.md
index 4093914cd..0e8195696 100644
--- a//glue/latest/dg/set-up-iam.md
+++ b//glue/latest/dg/set-up-iam.md
@@ -43 +43 @@ If you choose ... | AWS Glue attaches ...
-**Grant access to specific Amazon S3 locations (read only)** |  An inline policy embedded in your selected IAM identities. For more information, see [Inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#inline-policies) in the IAM User Guide. AWS Glue names the policy using the following convention: `AWSGlueConsole`<Role/User>`InlinePolicy-read-specific-access-`<UUID>``. For example: `AWSGlueConsoleRoleInlinePolicy-read-specific-access-123456780123`. The following is an example of an inline policy that AWS Glue attaches to grant read-only access to a specified Amazon S3 location.
+**Grant access to specific Amazon S3 locations (read only)** |  The customer-managed policy, `AWSGlueConsole-S3-read-only-policy`, grants access to specific Amazon S3 locations with read-only permissions. 
@@ -51,2 +51 @@ If you choose ... | AWS Glue attaches ...
-                        "s3:Get*",
-                        "s3:List*"
+                        "s3:GetObject"
@@ -55,2 +54,10 @@ If you choose ... | AWS Glue attaches ...
-                        "arn:aws:s3:::amzn-s3-demo-bucket/*"
-                    ]
+                        "arn:aws:s3:::amzn-s3-demo-bucket1/*",
+                        "arn:aws:s3:::amzn-s3-demo-bucket2/*",
+                        "arn:aws:s3:::amzn-s3-demo-bucket3",
+                        "arn:aws:s3:::amzn-s3-demo-bucket"
+                    ],
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:ResourceAccount":"0000000000"
+                        }
+                    }
@@ -61 +68 @@ If you choose ... | AWS Glue attaches ...
-**Grant access to specific Amazon S3 locations (read and write)** | An inline policy embedded in your selected IAM identities. For more information, see [Inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#inline-policies) in the IAM User Guide.AWS Glue names the policy using the following convention: `AWSGlueConsole`<Role/User>`InlinePolicy-read -and-write-specific-access-`<UUID>``. For example: `AWSGlueConsoleRoleInlinePolicy-read-and-write-specific-access-123456780123`.The following is an example of an inline policy that AWS Glue attaches to grant read and write access to specified Amazon S3 locations.
+**Grant access to specific Amazon S3 locations (read and write)** |  The `AWSGlueConsole-S3-read-and-write-policy` grants access to specific Amazon S3 locations with read and write permissions. 
@@ -69,3 +76,2 @@ If you choose ... | AWS Glue attaches ...
-                        "s3:Get*",
-                        "s3:List*",
-                        "s3:*Object*"
+                        "s3:GetObject",
+                        "s3:PutObject"
@@ -74,3 +80,10 @@ If you choose ... | AWS Glue attaches ...
-                        "arn:aws:s3:::amzn-s3-demo-bucket1/*",
-                        "arn:aws:s3:::amzn-s3-demo-bucket2/*"
-                    ]
+                        "arn:aws:s3:::aes-siem-00000000000-log/*",
+                        "arn:aws:s3:::aes-siem-00000000000-snapshot/*",
+                        "arn:aws:s3:::aes-siem-00000000000-log",
+                        "arn:aws:s3:::aes-siem-00000000000-snapshot"
+                    ],
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:ResourceAccount":"00000000000"
+                        }
+                    }
@@ -81,3 +93,0 @@ If you choose ... | AWS Glue attaches ...
-**Grant full access to Amazon S3 (read only)** | The `[AmazonS3ReadOnlyAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess)` managed IAM policy. To learn more, see [AWS managed policy: AmazonS3ReadOnlyAccess](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-amazons3readonlyaccess).  
-**Grant full access to Amazon S3 (read and write)** | The `[AmazonS3FullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonS3FullAccess)` managed IAM policy. To learn more, see [AWS managed policy: AmazonS3FullAccess](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-amazons3readonlyaccess).  
-  
@@ -92 +102,3 @@ If you choose ... | AWS Glue attaches ...
-       * [AmazonS3FullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonS3FullAccess) – This managed policy grants the required permissions to AWS Glue for complete read and write access to Amazon S3 resources. This broad access is often necessary because AWS Glue may need to interact with multiple Amazon S3 buckets and paths during its operations. For the purposes of getting started, we recommend using this policy to learn how to use AWS Glue. 
+       * [AWSGlueConsoleFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess) – This managed policy grants full access to the AWS Glue service through the AWS Management Console. This policy grants permissions to perform any operation within AWS Glue, enabling you to create, modify, and delete any AWS Glue resource as needed. However, it's important to note that this policy does not grant permissions to access the underlying data stores or other AWS services that may be involved in the ETL process. Due to the broad scope of permissions granted by the `AWSGlueConsoleFullAccess` policy, it should be assigned with caution and following the principle of least privilege. It is generally recommended to create and use more granular policies tailored to specific use cases and requirements whenever possible. 
+
+       * [ AWSGlueConsole-S3-read-only-policy](https://console.aws.amazon.com/iam/home#policies/details/arn:aws:iam:aws:policy/AWSGlueConsole-S3-read-only-policy) – This policy allows AWS Glue to read data from specified Amazon S3 buckets, but it does not grant permissions to write or modify data in Amazon S3 or 
@@ -94 +106 @@ If you choose ... | AWS Glue attaches ...
-While the `AmazonS3FullAccess` policy provides broad permissions, it's considered a best practice to follow the principle of least privilege and grant more restrictive permissions if possible. You can create a custom IAM policy that grants access only to the specific Amazon S3 buckets and paths required for your AWS Glue jobs, crawlers, and data sources. However, this approach requires more effort in managing and updating the policy as your AWS Glue usage evolves. 
+[ AWSGlueConsole-S3-read-and-write](https://console.aws.amazon.com/iam/home#policies/details/arn:aws:iam:aws:policy/AWSGlueConsole-S3-read-and-write) – This policy allows AWS Glue to read and write data to specified Amazon S3 buckets as part of the ETL process. 
@@ -96 +108 @@ While the `AmazonS3FullAccess` policy provides broad permissions, it's considere
-     * When you choose an existing IAM role, AWS Glue sets the role as the default, but doesn't add any permissions to it. Ensure that you've configured the role to use as a service role for AWS Glue. For more information, see [Step 1: Create an IAM policy for the AWS Glue service](./create-service-policy.html) and [Step 2: Create an IAM role for AWS Glue](./create-an-iam-role.html).
+     * When you choose an existing IAM role, AWS Glue sets the role as the default, but doesn't add `AWSGlueServiceRole` permissions to it. Ensure that you've configured the role to use as a service role for AWS Glue. For more information, see [Step 1: Create an IAM policy for the AWS Glue service](./create-service-policy.html) and [Step 2: Create an IAM role for AWS Glue](./create-an-iam-role.html).