AWS lake-formation medium security documentation change
Summary
Removed detailed Python code example for glue:PutResourcePolicy and added security note about granting minimum permissions
Security assessment
Added explicit guidance to grant minimum permissions required for cross-account access, which directly relates to security best practices for access control. The removal of code example reduces potential for over-permissive policies being copy-pasted.
Diff
diff --git a/lake-formation/latest/dg/hybrid-cross-account.md b/lake-formation/latest/dg/hybrid-cross-account.md index f06bffa00..f827ec2b3 100644 --- a//lake-formation/latest/dg/hybrid-cross-account.md +++ b//lake-formation/latest/dg/hybrid-cross-account.md @@ -25,34 +25 @@ If your account (grantor account or producer account) has made no cross-account - * When you save the resource policy using the `glue:PutResourcePolicy` API operation, you must set the `EnableHybrid` field to '`TRUE`' (type = string). The following code example shows how to do this in Python. - - import boto3 - import json - - REGION = 'us-east-2' - PRODUCER_ACCOUNT_ID = '123456789012' - CONSUMER_ACCOUNT_IDs = ['111122223333'] - - glue = glue_client = boto3.client('glue') - - policy = { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Cataloguers", - "Effect": "Allow", - "Action": [ - "glue:*" - ], - "Principal": { - "AWS": CONSUMER_ACCOUNT_IDs - }, - "Resource": [ - f"arn:aws:glue:{REGION}:{PRODUCER_ACCOUNT_ID}:catalog", - f"arn:aws:glue:{REGION}:{PRODUCER_ACCOUNT_ID}:database/*", - f"arn:aws:glue:{REGION}:{PRODUCER_ACCOUNT_ID}:table/*/*" - ] - } - ] - } - - policy = json.dumps(policy) - glue.put_resource_policy(PolicyInJson=policy, EnableHybrid='TRUE') + * When you save the resource policy using the `glue:PutResourcePolicy` API operation, you must set the `EnableHybrid` field to '`TRUE`' (type = string). @@ -59,0 +27,5 @@ If your account (grantor account or producer account) has made no cross-account +To update an existing resource policy, use the `glue:GetResourcePolicy` API operation to retrieve your current policy first, then modify it as needed before calling `glue:PutResourcePolicy`. + +###### Note + +When creating AWS Glue resource policies for cross-account access, grant only the minimum permissions required for your specific use case.