AWS AmazonS3 documentation change
Summary
Added documentation for the new AWS managed policy 'AmazonS3TablesLakeFormationServiceRole', including KMS permissions for encrypted tables.
Security assessment
The change introduces documentation for a policy granting Lake Formation access to S3 Tables with KMS encryption permissions. While this relates to security features (IAM policies and encryption), there is no evidence of addressing a specific security vulnerability.
Diff
diff --git a/AmazonS3/latest/userguide/s3-tables-security-iam-awsmanpol.md b/AmazonS3/latest/userguide/s3-tables-security-iam-awsmanpol.md index 33230f3cf..5a0e0c2f1 100644 --- a//AmazonS3/latest/userguide/s3-tables-security-iam-awsmanpol.md +++ b//AmazonS3/latest/userguide/s3-tables-security-iam-awsmanpol.md @@ -5 +5 @@ -AmazonS3TablesFullAccessAmazonS3TablesReadOnlyAccessPolicy updates +AmazonS3TablesFullAccessAmazonS3TablesReadOnlyAccessAmazonS3TablesLakeFormationServiceRolePolicy updates @@ -54,0 +55,96 @@ You can attach the `AmazonS3TablesReadOnlyAccess` policy to your IAM identities. + +## AWS managed policy: AmazonS3TablesLakeFormationServiceRole + +You can attach the `AmazonS3TablesLakeFormationServiceRole` policy to your IAM identities. This policy grants permissions that allow the AWS Lake Formation service role access to S3 Tables. AWS KMS permissions are used to allow Lake Formation to access encrypted tables. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "PermissionsForS3ListTableBuckets", + "Effect": "Allow", + "Action": [ + "s3tables:ListTableBuckets" + ], + "Resource": [ + "*" + ], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "111122223333" + } + } + }, + { + "Sid": "DataAccessPermissionsForS3TablesResources", + "Effect": "Allow", + "Action": [ + "s3tables:CreateTableBucket", + "s3tables:GetTableBucket", + "s3tables:CreateNamespace", + "s3tables:GetNamespace", + "s3tables:ListNamespaces", + "s3tables:DeleteNamespace", + "s3tables:DeleteTableBucket", + "s3tables:CreateTable", + "s3tables:DeleteTable", + "s3tables:GetTable", + "s3tables:ListTables", + "s3tables:RenameTable", + "s3tables:UpdateTableMetadataLocation", + "s3tables:GetTableMetadataLocation", + "s3tables:GetTableData", + "s3tables:PutTableData" + ], + "Resource": [ + "*" + ], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "111122223333" + } + } + }, + { + "Sid": "KMSDataAccessPermissionsForS3TablesResources", + "Effect": "Allow", + "Action": [ + "kms:GenerateDataKey", + "kms:Decrypt" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "kms:ViaService": [ + "s3.*.amazonaws.com" + ], + "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3tables:*:*:bucket/*/table/*" + }, + "StringEquals": { + "aws:ResourceAccount": "111122223333" + } + } + }, + { + "Sid": "KMSDescribeKeyAccessPermissionsForS3TablesResources", + "Effect": "Allow", + "Action": [ + "kms:DescribeKey" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "kms:ViaService": [ + "s3tables.*.amazonaws.com" + ] + }, + "StringEquals": { + "aws:ResourceAccount": "111122223333" + } + } + } + ] + } + + @@ -60,0 +157 @@ Change | Description | Date +Amazon S3 Tables added `AmazonS3TablesLakeFormationServiceRole`. | S3 Tables added a new AWS-managed policy called `AmazonS3TablesLakeFormationServiceRole`. This policy grants permissions that allows the Lake Formation service role access to S3 Tables. | May 19, 2025