Resource Based Policy


Hi Team,

I transferred a snapshot of a database, which is encrypted by KMS, from AWS account A to account B. Now the encrypted snapshot is in account B's S3 bucket and I wanted to create Glue tables using a crawler in account B.

The KMS key is in AWS account A. I gave KMS decrypt permission on the account A KMS key to the Glue crawler IAM role in account B but did not give any resource-based policy in account A. Now the crawler is able to create Glue tables in account B.

How is this possible when I did not give any resource-based policy in account A?

1 Answer

"Now the encrypted snapshot is in account B": inside the same account, if a role has S3 read permission and the bucket doesn't have an explicit policy, by default you have access.

AWS
EXPERT
answered 6 months ago
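An added example, not part of the original thread: cross-account use of a KMS key needs an allow in the key policy of the key's account as well as in the caller's IAM policy, so one check for the situation in the question is to list which statements of account A's key policy already cover the crawler role. The policy document, account IDs and role name below are constructed placeholders, and `statements_granting` is a hypothetical helper.

```python
import fnmatch
import json

# Constructed sample key policy (account IDs, Sids and region are placeholders).
SAMPLE_KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "EnableIAMPolicies", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowAccountB", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    {"Sid": "ViaS3Only", "Effect": "Allow",
     "Principal": {"AWS": "*"},
     "Action": "kms:Decrypt", "Resource": "*",
     "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}}
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, role_arn):
    """True if a key-policy Principal element covers role_arn or its account."""
    if principal == "*":
        return True
    account = role_arn.split(":")[4]
    for p in _as_list(principal.get("AWS", [])):
        if p in ("*", role_arn, account, f"arn:aws:iam::{account}:root"):
            return True
    return False

def statements_granting(policy, action, role_arn):
    """Return (Sid, has_condition) for each Allow statement covering action for role_arn."""
    # Deny, NotPrincipal and NotAction statements are not evaluated here.
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        if not _principal_matches(stmt["Principal"], role_arn):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(action.lower(), pat) for pat in patterns):
            hits.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return hits
```

An empty result for the crawler role means the key policy itself does not grant the role; a hit flagged with a condition still has to be read by hand to see when it applies.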
