Comment: KMS key policy for S3

...

  1. Full AWS organization

  2. Full AWS Account where LHM App is hosted

  3. Exactly the IAM Role of the LHM Application in the AWS Account hosting it

    Depending on the client's security configuration of the S3 bucket, two options are available for cross-account access.

    a) Bucket policy and KMS key policy: applicable when custom KMS keys are used
    Bucket policy:

Code Block
# Full AWS organization
# Bucket policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ReadObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket>/<path_prefix>/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "<org_id>"
                }
            }
        },
        {
            "Sid": "S3ListBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucket>",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "<org_id>"
                },
                "StringLike": {
                    "s3:prefix": "<path_prefix>/*"
                }
            }
        }
    ]
}

...

Code Block
# Exactly the IAM Role of the LHM Application in the AWS Account hosting it
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ReadObject",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<LHM_App_Host_AWS_Account_Id>:role/<LHM_App_IAM_Role>"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket>/<path_prefix>/*"
        },
        {
            "Sid": "S3ListBucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<LHM_App_Host_AWS_Account_Id>:role/<LHM_App_IAM_Role>"            
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucket>",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "<path_prefix>/*"
                }
            }
        }
    ]
}

LHM Application IAM Role permission KMS key policy:

Code Block
# Exactly the IAM Role of the LHM Application in the AWS Account hosting it
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
           ... the default statement for local trusting ...
        },
        {
            "Sid": "Allow use of the key to LHM App IAM Role ",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<LHM_App_Host_AWS_Account_Id>:role/<LHM_App_IAM_Role>"            
            },
            "Action": "kms:Decrypt",
            "Resource": "*"
        }
    ]
}

LHM Application IAM Role permission policy:

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket>/<path_prefix>/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucket>",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "<path_prefix>/*"
                    ]
                }
            }
        },
        {
            "Sid": "DecryptKMSbucket",
            "Action": [
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:<bucket_region>:<s3_bucket_AWS_account_Id>:key/*"
        }
    ]
}
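As an added example (not code from the original page or from the LHM project), the following Python script applies two checks a reviewer would run against the policies above. First, a lint pass over bucket-policy variants: a statement with Principal "*" must carry a principal-scoping condition such as aws:PrincipalOrgID, s3:ListBucket must be limited with s3:prefix, and s3:GetObject should not cover every object in the bucket. Second, a simplified evaluation of cross-account KMS access that shows why the key policy in the bucket owner's account and the LHM role's own permission policy must both allow kms:Decrypt. All ids (org id, account ids, role name, bucket, prefix, key id) are constructed placeholders standing in for the <...> values on the page; Deny statements and condition evaluation are deliberately not modelled.

```python
"""Added example, not code from the original page: static checks on the cross-account
bucket / KMS / IAM policies above, and a simplified model of why the KMS key policy
AND the LHM role's own permission policy must both allow kms:Decrypt.
All ids below are constructed placeholders."""
import fnmatch

ORG_ID = "o-exampleorg1"                        # constructed
HOST_ACCOUNT = "111111111111"                   # constructed: account hosting the LHM app
KEY_ACCOUNT = "222222222222"                    # constructed: account owning bucket + key
ROLE_ARN = f"arn:aws:iam::{HOST_ACCOUNT}:role/lhm-app-role"
BUCKET, PREFIX = "client-data-bucket", "exports"
KEY_ARN = f"arn:aws:kms:eu-west-1:{KEY_ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
SCOPING_KEYS = {"aws:principalorgid", "aws:principalaccount", "aws:principalarn"}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def lint_bucket_policy(policy: dict) -> list:
    """Flag Allow statements that are broader than the options the page describes."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        cond_keys = {k.lower() for block in st.get("Condition", {}).values() for k in block}
        actions = _as_list(st.get("Action", []))
        if st.get("Principal") == "*" and not cond_keys & SCOPING_KEYS:
            findings.append(f"{sid}: Principal '*' with no principal-scoping condition")
        if "s3:ListBucket" in actions and "s3:prefix" not in cond_keys:
            findings.append(f"{sid}: s3:ListBucket not limited with s3:prefix")
        if "s3:GetObject" in actions:
            for res in _as_list(st.get("Resource", [])):
                bucket, _, key_pattern = res.partition(":::")[2].partition("/")
                if key_pattern == "*":
                    findings.append(f"{sid}: s3:GetObject on every object in {bucket}")
    return findings


def _principal_matches(principal, caller_arn: str) -> bool:
    """Resource-policy Principal match: '*', the exact caller ARN, or the caller's
    account root (the root form delegates the decision to IAM in that account)."""
    if principal == "*":
        return True
    caller_account = caller_arn.split(":")[4]
    entries = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return any(p in ("*", caller_arn, f"arn:aws:iam::{caller_account}:root") for p in entries)


def _statement_allows(st: dict, action: str, resource: str) -> bool:
    """Allow statement whose Action and Resource patterns cover the request
    (Deny statements and condition keys are deliberately not modelled)."""
    return (st.get("Effect") == "Allow"
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action", [])))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", []))))


def cross_account_decrypt_allowed(key_policy: dict, identity_policy: dict,
                                  caller_arn: str, key_arn: str) -> bool:
    """Cross-account KMS use needs BOTH: the key policy (in the key owner's account)
    naming the caller, and the caller's identity policy granting the action on the key."""
    key_ok = any(_statement_allows(st, "kms:Decrypt", key_arn)
                 and _principal_matches(st.get("Principal", {}), caller_arn)
                 for st in key_policy["Statement"])
    iam_ok = any(_statement_allows(st, "kms:Decrypt", key_arn)
                 for st in identity_policy["Statement"])
    return key_ok and iam_ok


# Constructed instances of the page's policies with the placeholders filled in.
BUCKET_POLICY_ORG = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3ReadObject", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/{PREFIX}/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
    {"Sid": "S3ListBucket", "Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
     "Resource": f"arn:aws:s3:::{BUCKET}",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID},
                   "StringLike": {"s3:prefix": f"{PREFIX}/*"}}}]}
# A weaker variant (constructed): no org condition, whole-bucket read, unscoped listing.
WEAK_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadAll", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"]}]}
KEY_POLICY = {"Version": "2012-10-17", "Id": "key-consolepolicy-3", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",   # stands in for the page's default local-trust statement
     "Principal": {"AWS": f"arn:aws:iam::{KEY_ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key to LHM App IAM Role", "Effect": "Allow",
     "Principal": {"AWS": ROLE_ARN}, "Action": "kms:Decrypt", "Resource": "*"}]}
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/{PREFIX}/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}",
     "Condition": {"StringLike": {"s3:prefix": [f"{PREFIX}/*"]}}},
    {"Sid": "DecryptKMSbucket", "Effect": "Allow", "Action": ["kms:Decrypt"],
     "Resource": f"arn:aws:kms:eu-west-1:{KEY_ACCOUNT}:key/*"}]}
IAM_POLICY_NO_KMS = {"Version": "2012-10-17", "Statement": IAM_POLICY["Statement"][:2]}

if __name__ == "__main__":
    for finding in lint_bucket_policy(WEAK_BUCKET_POLICY):
        print("finding:", finding)
    print("org-scoped bucket policy findings:", lint_bucket_policy(BUCKET_POLICY_ORG))
    print("decrypt, both policies present:",
          cross_account_decrypt_allowed(KEY_POLICY, IAM_POLICY, ROLE_ARN, KEY_ARN))
    print("decrypt, role policy lacks the KMS statement:",
          cross_account_decrypt_allowed(KEY_POLICY, IAM_POLICY_NO_KMS, ROLE_ARN, KEY_ARN))
```

The second check is the practical point of the two policies above: the role's permission policy grants kms:Decrypt on `key/*` in the bucket account, but that grant only takes effect on keys whose key policy also names the role, so the effective access is the intersection of the two. Narrowing the identity-policy resource to the specific key ARN is the tighter option where the key is known in advance.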

Configuring Lakehouse Monitor to read from S3:

...