AWS glue documentation change
Summary
Updated AWS KMS encryption documentation, added S3:GetObject permission to policy example, removed references to dual KMS keys and service metadata encryption customization.
Security assessment
The changes clarify required permissions (adding s3:GetObject) and streamline encryption configuration details. While encryption-related, there is no evidence of addressing a specific security vulnerability. The removal of service metadata encryption options may impact security configurations but is not tied to a disclosed issue.
Diff
diff --git a/glue/latest/dg/upgrade-analysis.md b/glue/latest/dg/upgrade-analysis.md index f32fc0b1c..5ec120ef5 100644 --- a//glue/latest/dg/upgrade-analysis.md +++ b//glue/latest/dg/upgrade-analysis.md @@ -30 +30 @@ The following prerequisites are required to use generative AI to upgrade jobs in - * If using AWS KMS to either encrypt analysis artifacts or service to encrypt the data used for analysis, then additional AWS KMS permissions are needed. For more information, see the examples in the AWS KMS policy section below. + * If using AWS KMS to encrypt analysis artifacts, then additional AWS AWS KMS permissions are needed. For more information, see the examples in the AWS KMS policy section below. @@ -63 +63,5 @@ The following prerequisites are required to use generative AI to upgrade jobs in - "Action": ["s3:PutObject"], + "Action": [ + "s3:PutObject", + "s3:GetObject" + + ], @@ -79,4 +82,0 @@ The following prerequisites are required to use generative AI to upgrade jobs in -###### Note - -If you're using two different AWS KMS keys, one for result artifacts encryption and other for service metadata encryption, then the policy needs to include similar policy for both keys. - @@ -207,42 +206,0 @@ To pass your own custom AWS KMS key when starting an analysis, please refer to t -You need permission (encrypt/decrypt) to pass the key. In the policy example below, the AWS account or role specified by the `<IAM Customer caller ARN>` is allowed to perform the permitted actions: - - * **kms:Decrypt** allows decryption using the specified AWS KMS key. - - * **kms:GenerateDataKey** allows generating a data key using the specified AWS KMS key. - - - - - - { - "Effect": "Allow", - "Principal":{ - "AWS": "<IAM Customer caller ARN>" - }, - "Action": [ - "kms:Decrypt", - "kms:GenerateDataKey", - ], - "Resource": "<key-arn-passed-on-start-api>" - } - -You need to give permission to AWS Glue to use the AWS KMS key for both encryption and decryption of the key. - - - { - "Effect": "Allow", - "Principal":{ - "Service": "glue.amazonaws.com" - }, - "Action": [ - "kms:Decrypt", - "kms:GenerateDataKey", - ], - "Resource": "<key-arn>", - "Condition": { - "StringLike": { - "aws:SourceArn": "arn:aws:glue:<region>:<aws_account_id>:job/job-name" - } - } - } - @@ -296,2 +253,0 @@ By leveraging the run configuration, you can tailor the validation runs to suit - * **Customize service metadata encryption** : Your service metadata is encrypted by default using AWS owned keys. Choose this option if you want to use your own key for encryption. -