AWS lake-formation documentation change
Summary
Updated KMS key policy instructions and added explicit S3 bucket policy example for cross-account access
Security assessment
The change adds a detailed S3 bucket policy example demonstrating proper permissions configuration for cross-account access. While this improves security documentation clarity, there is no evidence it addresses a specific vulnerability. The modifications to placeholder formatting (removing <cmk-region> brackets) are editorial improvements.
Diff
diff --git a/lake-formation/latest/dg/register-cross-encrypted.md b/lake-formation/latest/dg/register-cross-encrypted.md index 587ae41b7..3dbc312f7 100644 --- a//lake-formation/latest/dg/register-cross-encrypted.md +++ b//lake-formation/latest/dg/register-cross-encrypted.md @@ -53 +53 @@ Review the [requirements for the role used to register the location](./registrat - 3. If the KMS key is not in the same account as the Data Catalog, add to the role an inline policy that grants the required permissions on the KMS key. The following is an example policy. Replace `<cmk-region>` and `<cmk-account-id>` with the region and account number of the KMS key. Replace `<key-id>` with the key ID. + 3. If the KMS key is not in the same account as the Data Catalog, add to the role an inline policy that grants the required permissions on the KMS key. The following is an example policy. Replace Region and account ID with the region and account number of the KMS key. Replace `<key-id>` with the key ID. @@ -79 +79,34 @@ JSON - 4. On the Amazon S3 console, add a bucket policy granting the required Amazon S3 permissions to the role. The following is an example bucket policy. Replace `<catalog-account-id>` with the AWS account number of the Data Catalog, `<role-name>` with the name of your role, and `<bucket-name>` with the name of the bucket. + 4. On the Amazon S3 console, add a bucket policy granting the required Amazon S3 permissions to the role. The following is an example bucket policy. Replace the account ID with the AWS account number of the Data Catalog, `<role-name>` with the name of your role, and `<bucket-name>` with the name of the bucket. + +JSON + + +**** + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect":"Allow", + "Principal": { + "AWS":"arn:aws:iam::111122223333:role/<role-name>" + }, + "Action":"s3:ListBucket", + "Resource":"arn:aws:s3:::<bucket-name>" + }, + { + "Effect":"Allow", + "Principal": { + "AWS":"arn:aws:iam::111122223333:role/<role-name>" + }, + "Action": [ + "s3:DeleteObject", + "s3:GetObject", + "s3:PutObject" + ], + "Resource":"arn:aws:s3:::<bucket-name>/*" + } + ] + } +