...
Full AWS organization
Full AWS account where the LHM application is hosted
Exactly the IAM role of the LHM application in the AWS account hosting it
Depending on the client's security configuration of the S3 bucket, two options are available for cross-account access.
a) Bucket policy and KMS key policy: applicable when custom KMS keys are used. The custom key and the bucket must belong to the same AWS region.
Bucket policy (scoped to the full AWS organization):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3ReadObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket>/<path_prefix>/*",
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": "<org_id>" }
      }
    },
    {
      "Sid": "S3ListBucket",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<bucket>",
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": "<org_id>" },
        "StringLike": { "s3:prefix": "<path_prefix>/*" }
      }
    }
  ]
}
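The policy above is the organization-scoped variant. As an added example (not the page's own code), the Python below builds the same two statements for each of the three principal scopes listed above and checks the least-privilege properties a reviewer wants: no wildcard actions, an anonymous Principal always pinned to an org id, and ListBucket limited to the agreed prefix. The account-root and single-role Principal forms are assumptions about how the narrower scopes look; the placeholders mirror the page's.

```python
import json

# Added example (not from the page): builds the page's cross-account bucket
# policy for each principal scope it lists and checks its least-privilege
# properties. The org form mirrors the page; the account-root and single-role
# principal forms are assumptions about how the narrower scopes look.

def _principal(scope: str, value: str) -> tuple:
    """Return (Principal, extra Condition) for a scope: org, account or role."""
    if scope == "org":        # any caller, but only from inside the organization
        return "*", {"StringEquals": {"aws:PrincipalOrgID": value}}
    if scope == "account":    # account root; that account's IAM policies decide further
        return {"AWS": f"arn:aws:iam::{value}:root"}, {}
    if scope == "role":       # exactly one role ARN
        return {"AWS": value}, {}
    raise ValueError(f"unknown scope {scope!r}")


def bucket_policy(bucket: str, prefix: str, scope: str, value: str) -> dict:
    principal, cond = _principal(scope, value)
    read = {"Sid": "S3ReadObject", "Effect": "Allow", "Principal": principal,
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"}
    lst = {"Sid": "S3ListBucket", "Effect": "Allow", "Principal": principal,
           "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}",
           "Condition": {"StringLike": {"s3:prefix": f"{prefix}/*"}}}
    if cond:                  # org scope: the condition must sit on every Allow
        read["Condition"] = dict(cond)
        lst["Condition"].update(cond)
    return {"Version": "2012-10-17", "Statement": [read, lst]}


def least_privilege_ok(policy: dict, prefix: str) -> bool:
    """True if no wildcard actions, every anonymous Principal is pinned to an
    org id, and ListBucket is limited to the agreed path prefix."""
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any("*" in a for a in acts):
            return False
        cond = st.get("Condition", {})
        if st["Principal"] == "*" and "aws:PrincipalOrgID" not in cond.get("StringEquals", {}):
            return False
        if "s3:ListBucket" in acts and cond.get("StringLike", {}).get("s3:prefix") != f"{prefix}/*":
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(bucket_policy("<bucket>", "<path_prefix>", "org", "<org_id>"), indent=2))
```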
...
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket>/<path_prefix>/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<bucket>",
      "Condition": {
        "StringLike": { "s3:prefix": [ "<path_prefix>/*" ] }
      }
    },
    {
      "Sid": "DecryptKMSbucket",
      "Effect": "Allow",
      "Action": [ "kms:Decrypt" ],
      "Resource": "arn:aws:kms:<bucket_region>:<s3_bucket_AWS_account_Id>:key/<custom_kms_key_id>"
    }
  ]
}
The kms:Decrypt statement names the ARN of the custom KMS key, which must be in the same region as the bucket; <custom_kms_key_id> is the key's id, not a wildcard.
Configuring Lakehouse Monitor to read from S3:
...