AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2025-09-19 · Documentation low

File: AmazonS3/latest/userguide/s3-tables-integrating-firehose.md

Summary

Added detailed IAM policy JSON example for Firehose integration permissions including Glue, S3 error bucket, Kinesis, Lake Formation, KMS encryption, logging, and Lambda access

Security assessment

The change adds documentation about required IAM permissions for secure integration patterns but does not address a specific security vulnerability. It demonstrates security best practices for service roles.

Diff

diff --git a/AmazonS3/latest/userguide/s3-tables-integrating-firehose.md b/AmazonS3/latest/userguide/s3-tables-integrating-firehose.md
index b54aee082..baff19fa3 100644
--- a//AmazonS3/latest/userguide/s3-tables-integrating-firehose.md
+++ b//AmazonS3/latest/userguide/s3-tables-integrating-firehose.md
@@ -35,0 +36,104 @@ Firehose needs an IAM [service role](https://docs.aws.amazon.com/IAM/latest/User
+JSON
+    
+
+****
+    
+    
+        {
+        "Version": "2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Sid": "S3TableAccessViaGlueFederation",
+                "Effect": "Allow",
+                "Action": [
+                    "glue:GetTable",
+                    "glue:GetDatabase",
+                    "glue:UpdateTable"
+                ],
+                "Resource": [
+                    "arn:aws:glue:us-east-1:111122223333:catalog/s3tablescatalog/*",
+                    "arn:aws:glue:us-east-1:111122223333:catalog/s3tablescatalog",
+                    "arn:aws:glue:us-east-1:111122223333:catalog",
+                    "arn:aws:glue:us-east-1:111122223333:database/*",
+                    "arn:aws:glue:us-east-1:111122223333:table/*/*"
+                ]
+            },
+            {
+                "Sid": "S3DeliveryErrorBucketPermission",
+                "Effect": "Allow",
+                "Action": [
+                    "s3:AbortMultipartUpload",
+                    "s3:GetBucketLocation",
+                    "s3:GetObject",
+                    "s3:ListBucket",
+                    "s3:ListBucketMultipartUploads",
+                    "s3:PutObject"
+                ],
+                "Resource": [
+                    "arn:aws:s3:::error delivery bucket",
+                    "arn:aws:s3:::error delivery bucket/*"
+                ]
+            },
+            {
+                "Sid": "RequiredWhenUsingKinesisDataStreamsAsSource",
+                "Effect": "Allow",
+                "Action": [
+                    "kinesis:DescribeStream",
+                    "kinesis:GetShardIterator",
+                    "kinesis:GetRecords",
+                    "kinesis:ListShards"
+                ],
+                "Resource": "arn:aws:kinesis:us-east-1:111122223333:stream/stream-name"
+            },
+            {
+                "Sid": "RequiredWhenDoingMetadataReadsANDDataAndMetadataWriteViaLakeformation",
+                "Effect": "Allow",
+                "Action": [
+                    "lakeformation:GetDataAccess"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Sid": "RequiredWhenUsingKMSEncryptionForS3ErrorBucketDelivery",
+                "Effect": "Allow",
+                "Action": [
+                    "kms:Decrypt",
+                    "kms:GenerateDataKey"
+                ],
+                "Resource": [
+                    "arn:aws:kms:us-east-1:111122223333:key/KMS-key-id"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "kms:ViaService": "s3.us-east-1.amazonaws.com"
+                    },
+                    "StringLike": {
+                        "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::error delivery bucket/prefix*"
+                    }
+                }
+            },
+            {
+                "Sid": "LoggingInCloudWatch",
+                "Effect": "Allow",
+                "Action": [
+                    "logs:PutLogEvents"
+                ],
+                "Resource": [
+                    "arn:aws:logs:us-east-1:111122223333:log-group:log-group-name:log-stream:log-stream-name"
+                ]
+            },
+            {
+                "Sid": "RequiredWhenAttachingLambdaToFirehose",
+                "Effect": "Allow",
+                "Action": [
+                    "lambda:InvokeFunction",
+                    "lambda:GetFunctionConfiguration"
+                ],
+                "Resource": [
+                    "arn:aws:lambda:us-east-1:111122223333:function:function-name:function-version"
+                ]
+            }
+        ]
+    }
+    
+