AWS AmazonS3 documentation change
Summary
Updated documentation to clarify KMS permissions requirements when using Lake Formation for access control. Added new section about Lake Formation service role permissions, removed outdated references to direct access methods, and restructured policy examples.
Security assessment
The changes primarily update encryption key management requirements for Lake Formation integration but do not address any specific vulnerability. Adds security documentation about configuring KMS permissions for Lake Formation service roles, which is a security feature implementation guidance.
Diff
diff --git a/AmazonS3/latest/userguide/s3-tables-kms-permissions.md b/AmazonS3/latest/userguide/s3-tables-kms-permissions.md index 9859aac38..e068a60d9 100644 --- a//AmazonS3/latest/userguide/s3-tables-kms-permissions.md +++ b//AmazonS3/latest/userguide/s3-tables-kms-permissions.md @@ -5 +5 @@ -Granting the S3 Tables maintenance service principal permissions to your KMS keyGranting IAM principals permissions to work with encrypted tables in integrated AWS analytics servicesGranting IAM principals permissions to work with encrypted tables directlyGranting the S3 Metadata service principal permissions to use your KMS key +Granting the S3 Tables maintenance service principal permissions to your KMS keyGranting IAM principals permissions to work with encrypted tables in integrated AWS analytics servicesGranting IAM principals permissions to work with encrypted tables when Lake Formation is enabledGranting the S3 Metadata service principal permissions to use your KMS key @@ -32 +32 @@ These additional permissions are required depending on your use case: - * **Permissions for the AWS analytics services integration** – If you work with SSE-KMS encrypted tables in AWS analytics services, your integration role needs permission to use your KMS key. + * **Permissions for AWS analytics services and direct access** – If you work with SSE-KMS encrypted tables through AWS analytics services or third-party engines accessing S3 tables directly, the IAM role you use needs permission to use your KMS key. @@ -34 +34 @@ These additional permissions are required depending on your use case: - * **Permissions for direct access** – If you work with SSE-KMS encrypted tables directly, through methods such as the Amazon S3 Tables Iceberg REST endpoint or Amazon S3 Tables Catalog for Apache Iceberg, you need to grant the IAM role your client uses access your key. + * **Permissions with Lake Formation enabled** – If you have opted in to AWS Lake Formation for access control, the Lake Formation service role needs permission to use your KMS key. @@ -51 +51 @@ For cross-account KMS keys, your IAM role needs both key access permission and e - * Granting IAM principals permissions to work with encrypted tables directly + * Granting IAM principals permissions to work with encrypted tables when Lake Formation is enabled @@ -101 +101 @@ JSON -To work with S3 tables in AWS analytics services, you integrate your table buckets with Amazon SageMaker Lakehouse. This integration allows AWS analytics services to automatically discover and access table data. For more information on the integration, see [Integrating Amazon S3 Tables with AWS analytics services](./s3-tables-integrating-aws.html). +To work with S3 tables in AWS analytics services, you integrate your table buckets with AWS Glue Data Catalog. This integration allows AWS analytics services to automatically discover and access table data. For more information on the integration, see [Integrating Amazon S3 Tables with AWS analytics services](./s3-tables-integrating-aws.html). @@ -103 +103 @@ To work with S3 tables in AWS analytics services, you integrate your table bucke -When you work with SSE-KMS encrypted tables in those services, the role you use needs to have permission to use your AWS KMS key for encryption operations. You can apply these permissions to the `S3TablesRoleForLakeFormation` role created during the integration, or to your own IAM role. +When you work with SSE-KMS encrypted tables through AWS analytics services or third-party and open-source engines accessing S3 tables directly, the IAM role you use needs permission to use your AWS KMS key for encryption operations. @@ -105,19 +105 @@ When you work with SSE-KMS encrypted tables in those services, the role you use -The following inline IAM policy example can be used to grant the `S3TablesRoleForLakeFormation` service role permission to use a specific KMS key in your account for encryption operations. To use the policy replace the `input placeholder values` with your own. - - - { - "Sid": "AllowTableRoleAccess", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::111122223333:role/service-role/S3TablesRoleForLakeFormation" - }, - "Action": [ - "kms:GenerateDataKey", - "kms:Decrypt" - ], - "Resource": "<kms-key-arn>" - } - -## Granting IAM principals permissions to work with encrypted tables directly - -When you work with encrypted tables using third party or direct access methods, you must grant the role you use access to your KMS key. The following examples shows how to grant access through an IAM policy or a KMS key policy. +You can grant KMS key access through an IAM policy attached to your role or through a KMS key policy. @@ -128,9 +110 @@ IAM policy -Attach this inline policy to your IAM role to allow KMS key access. To use this policy replace the `input placeholder values` with your own KMS key arn. - -JSON - -JSON - - -**** - +Attach this inline policy to the IAM role you use for querying to allow KMS key access. Replace the KMS key ARN with your own. @@ -158 +131 @@ KMS key policy -Attach this inline policy to a KMS key to allow the specified AWS KMS role to use the key. To use this policy replace the `input placeholder values` with your IAM role. +Alternatively, attach this statement to your KMS key policy to allow the specified IAM role to use the key. Replace the role ARN with the IAM role you use for querying. @@ -175,0 +149,19 @@ Attach this inline policy to a KMS key to allow the specified AWS KMS role to us +## Granting IAM principals permissions to work with encrypted tables when Lake Formation is enabled + +If you have opted in to AWS Lake Formation for access control on your S3 Tables integration, the Lake Formation service role needs permission to use your AWS KMS key for encryption operations. Lake Formation uses this role to vend credentials on behalf of principals accessing your tables. + +The following KMS key policy example grants the Lake Formation service role permission to use a specific KMS key in your account for encryption operations. Replace the placeholder values with your own. + + + { + "Sid": "AllowTableRoleAccess", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/service-role/S3TablesRoleForLakeFormation" + }, + "Action": [ + "kms:GenerateDataKey", + "kms:Decrypt" + ], + "Resource": "<kms-key-arn>" + }