...
Full AWS organization
Full AWS Account where LHM App is hosted
Exactly the IAM Role of the LHM Application in the AWS Account hosting it
Depending on client security configuration on S3 bucket, two options are available for cross-account access.
a) Bucket policy and KMS key policy: applicable when custom KMS keys are used
Bucket policy:
Code Block # Full AWS organization # Bucket policy { "Version": "2012-10-17", "Statement": [ { "Sid": "S3ReadObject", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::<bucket>/<path_prefix>/*", "Condition": { "StringEquals": { "aws:PrincipalOrgID": "<org_id>" } } }, { "Sid": "S3ListBucket", "Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::<bucket>", "Condition": { "StringEquals": { "aws:PrincipalOrgID": "<org_id>" }, "StringLike": { "s3:prefix": "<path_prefix>/*" } } } ] }
...
Code Block |
---|
# Exactly the IAM Role of the LHM Application in the AWS Account hosting it { "Version": "2012-10-17", "Statement": [ { "Sid": "S3ReadObject", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<LHM_App_Host_AWS_Account_Id>:role/<LHM_App_IAM_Role>" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::<bucket>/<path_prefix>/*" }, { "Sid": "S3ListBucket", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<LHM_App_Host_AWS_Account_Id>:role/<LHM_App_IAM_Role>" }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::<bucket>", "Condition": { "StringLike": { "s3:prefix": "<path_prefix>/*" } } } ] } |
LHM Application IAM Role permission KMS key policy:
Code Block |
---|
{# Exactly the IAM "Version": "2012-10-17", "Statement": [Role of the LHM Application in the AWS Account hosting it { "Version": "2012-10-17", "Id": "key-consolepolicy-3", "Statement": [ { ... the default statement for local trusting ... }, { "Sid": "Allow use of the key to LHM App IAM Role ", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<LHM_App_Host_AWS_Account_Id>:role/<LHM_App_IAM_Role>" }, "Action": "kms:Decrypt", "Resource": "*" } ] } |
LHM Application IAM Role permission policy:
Code Block |
---|
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::<bucket>/<path_prefix>/*" }, { "Effect": "Allow", "Action": "s3:GetObjectListBucket", "Resource": "arn:aws:s3:::<bucket>/<path_prefix>/*"", "Condition": { "StringLike": { "s3:prefix": [ }, { "Effect<path_prefix>/*": "Allow", "Action": "s3:ListBucket", ] "Resource": "arn:aws:s3:::<bucket>", } "Condition": { } "StringLike": {}, { "s3:prefixSid": ["DecryptKMSbucket", "Action": [ "<path_prefix>/*" "kms:Decrypt" ], "Effect": "Allow", } }"Resource": "arn:aws:kms:<bucket_region>:<s3_bucket_AWS_account_Id>:key/*" } ] } |
Configuring Lakehouse monitor to read from s3:
...