AWS entityresolution high security documentation change
Summary
Added detailed IAM policy with resource-based conditions for S3 and Glue access
Security assessment
The policy implements strict resource account validation and minimal required permissions, enhancing access control security for cross-account workflows.
Diff
diff --git a/entityresolution/latest/userguide/create-workflow-job-role.md b/entityresolution/latest/userguide/create-workflow-job-role.md index 4fadcd090..1826191d9 100644 --- a//entityresolution/latest/userguide/create-workflow-job-role.md +++ b//entityresolution/latest/userguide/create-workflow-job-role.md @@ -60,0 +61,68 @@ You don't need to grant AWS KMS permissions if your data sources aren't encrypte +JSON + + +**** + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:GetBucketLocation" + ], + "Resource": [ + "arn:aws:s3:::{{input-buckets}}", + "arn:aws:s3:::{{input-buckets}}/*" + ], + "Condition": { + "StringEquals": { + "s3:ResourceAccount": [ + "444455556666" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:ListBucket", + "s3:GetBucketLocation" + ], + "Resource": [ + "arn:aws:s3:::{{output-bucket}}", + "arn:aws:s3:::{{output-bucket}}/*" + ], + "Condition": { + "StringEquals": { + "s3:ResourceAccount": [ + "444455556666" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "glue:GetDatabase", + "glue:GetTable", + "glue:GetPartition", + "glue:GetPartitions", + "glue:GetSchema", + "glue:GetSchemaVersion", + "glue:BatchGetPartition" + ], + "Resource": [ + "arn:aws:glue:us-east-1:444455556666:database/{{input-databases}}", + "arn:aws:glue:us-east-1:444455556666:table/{{input-database}}/{{input-tables}}", + "arn:aws:glue:us-east-1:444455556666:catalog" + ] + } + ] + } + +