AWS quick medium security documentation change
Summary
Removed detailed cross-account access configuration steps, IAM policies, KMS encryption setup, and VPC security requirements. Added administrator-focused note about granting bucket access. Restructured content to separate data ingestion from action connectors.
Security assessment
The diff removes critical security configuration details including IAM policies, KMS key permissions, VPC endpoint requirements, and cross-account access safeguards. This could indicate reduced emphasis on security best practices in documentation. However, the addition of a requirement for administrators to grant bucket access via referenced documentation shows continued security awareness. The removal of explicit security controls without clear migration path to equivalent documentation creates potential for misconfiguration risks.
Diff
diff --git a/quick/latest/userguide/s3-integration.md b/quick/latest/userguide/s3-integration.md index 661b05aab..f19d2e539 100644 --- a//quick/latest/userguide/s3-integration.md +++ b//quick/latest/userguide/s3-integration.md @@ -5 +5 @@ -What you can doBefore you beginEnable cross-account access (administrators only)Prepare IAM role and policy setupConfigure VPC access for Amazon S3 Connector in Amazon QuickSet up Amazon S3 integrationManage knowledge basesAdding document metadata in Amazon S3Troubleshooting Amazon S3 integration issuesLimitations +What you can doBefore you begin @@ -9 +9 @@ What you can doBefore you beginEnable cross-account access (administrators only) -With Amazon S3 integration in Amazon Quick, you can create knowledge bases from documents stored in S3 buckets. This integration supports data ingestion capabilities for indexing and searching S3 content. Amazon S3 actions are only supported for Quick Automate. +With Amazon S3 integration in Amazon Quick, you can create knowledge bases from documents stored in S3 buckets. This integration supports data ingestion capabilities for indexing and searching S3 content. @@ -11 +11 @@ With Amazon S3 integration in Amazon Quick, you can create knowledge bases from -Amazon Quick supports source attribution with citations. If you specify the _source_uri metadata field when you add metadata to your Amazon S3 bucket, the source attribution links returned by Amazon Quick in the chat results will direct users to the configured URL. If you don't specify a _source_uri, users can still access the source documents through clickable citation links that will download the file at query time. This allows users to verify information even when no source URI is configured. To learn how to add metadata for your Amazon S3 connector, see Adding document metadata in Amazon S3. +###### Note @@ -13 +13 @@ Amazon Quick supports source attribution with citations. If you specify the _sou -## What you can do +This guide covers Amazon S3 data ingestion integration for knowledge base creation. For Amazon S3 action connectors that perform Amazon S3 operations such as uploading, downloading, and deleting files, see [AWS service action connectors](./builtin-services-integration.html). Amazon S3 actions are only supported for Quick Automate. @@ -15 +15 @@ Amazon Quick supports source attribution with citations. If you specify the _sou -Amazon S3 users can ask questions about content stored in their Amazon S3 buckets. For example, users can inquire about key findings from documents, search for specific information across multiple file types, or analyze data patterns. The integration enables users to quickly access and understand information from their Amazon S3 content, regardless of file location or type, while providing contextual details such as modification dates, and file metadata —all contributing to more efficient information discovery and better-informed decision making. +## What you can do @@ -17 +17 @@ Amazon S3 users can ask questions about content stored in their Amazon S3 bucket -###### Note +Amazon S3 users can ask questions about content stored in their Amazon S3 buckets. For example, users can inquire about key findings from documents, search for specific information across multiple file types, or analyze data patterns. @@ -19 +19 @@ Amazon S3 users can ask questions about content stored in their Amazon S3 bucket -This guide covers Amazon S3 data ingestion integration for knowledge base creation. For Amazon S3 action connectors that perform Amazon S3 operations (upload, download, delete files), these must be created through the admin console. For more information, see [AWS service action connectors](./builtin-services-integration.html). +The integration enables users to quickly access and understand information from their Amazon S3 content, regardless of file location or type. It also provides contextual details such as modification dates and file metadata, contributing to more efficient information discovery and better-informed decision making. @@ -32,0 +33 @@ Before you set up Amazon S3 integration, make sure you have the following: + * Your administrator must grant Amazon Quick access to the Amazon S3 buckets you want to use. For more information, see [Grant Amazon Quick access to Amazon S3 buckets](./s3-admin-setup.html#s3-grant-bucket-access). @@ -36,225 +36,0 @@ Before you set up Amazon S3 integration, make sure you have the following: -If you need to access Amazon S3 buckets in a different AWS account, verify that cross-account access has been enabled by your administrator. - -###### Note - -Cross-account Amazon S3 access is only supported within the same AWS region. - -## Enable cross-account access (administrators only) - -If you need to enable cross-account Amazon S3 access for your organization, complete the following steps. - -###### To enable cross-account Amazon S3 access - - 1. Open the Amazon Quick Admin console. - - 2. Choose **AWS resource page** , and then choose **Amazon S3 configuration**. - - 3. Select **Choose accessible buckets from other AWS accounts**. - - - - -## Prepare IAM role and policy setup - -Before setting up the integration in Amazon Quick, prepare your IAM role and policy configuration. Amazon S3 integration uses AWS authentication to access your Amazon S3 buckets. - -### Required IAM permissions - -Make sure your AWS account has the following minimum permissions for the Amazon S3 bucket: - - * `s3:GetObject` \- Read objects from the bucket. - - * `s3:ListBucket` \- List bucket contents. - - * `s3:GetBucketLocation` \- Get bucket region information. - - * `s3:GetObjectVersion` \- Get object versions. - - * `s3:ListBucketVersions` \- List bucket versions. - - - - -### Configure Amazon S3 bucket permissions for cross-account access - -If you're accessing Amazon S3 buckets in a different AWS account, you must configure IAM policies in the source AWS account. - -###### To configure Amazon S3 bucket permissions for cross-account access - - 1. Sign in to the AWS Management Console for the account that contains the Amazon S3 bucket. - - 2. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). - - 3. Choose the bucket that you want to grant access to. - - 4. Choose **Permissions** , and then choose **Bucket Policy**. - - 5. Add a bucket policy with the following elements: - - * `Version` – Set to "2012-10-17" - - * `Statement` – Array containing policy statements with: - - * `Sid` – "AllowQuickSuiteS3Access" - - * `Effect` – "Allow" - - * `Principal` – AWS ARN for the Amazon Quick service role in your account. For example, the principal should look like this:` "Principal": { "AWS": "arn:aws:iam::<quick_account_id>:role/service-role/aws-quicksight-service-role-v0" }` - - * `Action` – Array of Amazon S3 permissions: s3:GetObject, s3:ListBucket, s3:GetBucketLocation, s3:GetObjectVersion, s3:ListBucketVersions - - * `Resource` – "*" (applies to the current key), the Amazon S3 bucket path should look like the following: `"Resource": [ "arn:aws:s3:::bucket_name"]` - - 6. Choose **Save changes**. - - - - -### Configure KMS key permissions (if your bucket uses encryption) - -If your Amazon S3 bucket uses AWS KMS encryption, complete the following steps. - - 1. Open the AWS Key Management Service (AWS KMS) console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms). - - 2. Choose the KMS key that is used to encrypt your Amazon S3 bucket. - - 3. Choose **Key policy** , and then choose **Edit**. - - 4. Add a statement to the key policy with the following structural elements: - - * `Sid` – "AllowQuickSuiteKMSAccess" - - * `Effect` – "Allow" - - * `Principal` – AWS ARN for the Amazon Quick service role in your account. For example, the principal should look like this:` "Principal": { "AWS": "arn:aws:iam::<quick_account_id>:role/service-role/aws-quicksight-service-role-v0" }` - - * `Action` – Array of KMS permissions: kms:Decrypt, kms:DescribeKey - - * `Resource` – "*" (applies to the current key), the Amazon S3 bucket path should look like the following: `"Resource": [ "arn:aws:s3:::bucket_name"]` - - 5. Choose **Save changes**. - - 6. Wait 2-3 minutes for the policy changes to propagate. - - - - -During the integration setup, you will need to: - - * Verify the connection and bucket access. - - - - -## Configure VPC access for Amazon S3 Connector in Amazon Quick - -VPC permissions ensure Amazon Quick can only access your Amazon S3 bucket through secure VPC or VPC endpoint connections. - -### Required policy change - -Add this statement to your bucket access policy to allow Amazon Quick to access your bucket through VPC endpoints: - - - { - "Sid": "Allow-Quick-access" , - "Principal": "arn:aws:iam::Quick Account:role/service-role/aws-quicksight-service-role-v0", - "Action": "s3:*", - "Effect": "Allow", - "Resource": [ - "arn:aws:s3:::amzn-s3-demo-bucket", - "arn:aws:s3:::amzn-s3-demo-bucket/*" - ], - "Condition": { - "Null": { - "aws:SourceVpce": "false" - } - } - } - - * Replace `amzn-s3-demo-bucket` with your bucket name. - - * Replace `Quick Account` with your Amazon Quick account. - - - - -The `"aws:SourceVpce": "false"` condition ensures Amazon Quick can only access your bucket through VPC endpoints, maintaining your security requirements. - -### Deny policies - -If your bucket has a policy that restricts traffic to a specific VPC or VPC endpoint via Deny Policy, this policy needs to be reversed because deny policies take precedence over allow policies. - -For example: - - - { - "Version":"2012-10-17" , - "Id": "Policy1415115909152", - "Statement": [ - { - "Sid": "Access-to-specific-VPCE-only", - "Principal": "*", - "Action": "s3:*", - "Effect": "Deny", - "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket", - "arn:aws:s3:::amzn-s3-demo-bucket/*"], - "Condition": { - "StringNotEquals": { - "aws:SourceVpce": "vpce-0abcdef1234567890" - } - } - } - ]