Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Resource Based Policy

0

Hi Team,

I transferred a snapshot of database from AWS account A to Account B which is encrypted by kms. Now the encrypted snapshot is in account B's s3 bucket and I wanted to create Glue tables using Crawler in account B.

The KMS key is in AWS account A. I gave KMS decrypt permission on account A KMS key to the glue crawler IAM role in account B but did not give any resource based policy in account A . Now the crawler is able to create Glue tables in account B.

How is this possible when I did not give any resource based policy in account A?

Temas
Seguridad, identidad y cumplimientoAnálisis
Etiquetas
AWS Key Management ServiceAWS GluePolíticas de IAM
Idioma
English
Dipesh Chaudhary
preguntada hace 6 meses144 visualizaciones
1 Respuesta
0

"*Now the encrypted snapshot is in account B", inside the same account if a role has s3 read permission and the bucket doesn't have a explicitly policy, by default you have access.

profile pictureAWS
EXPERTO
Gonzalo Herreros
respondido hace 6 meses

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante