Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

Resource Based Policy

0

Hi Team,

I transferred a snapshot of database from AWS account A to Account B which is encrypted by kms. Now the encrypted snapshot is in account B's s3 bucket and I wanted to create Glue tables using Crawler in account B.

The KMS key is in AWS account A. I gave KMS decrypt permission on account A KMS key to the glue crawler IAM role in account B but did not give any resource based policy in account A . Now the crawler is able to create Glue tables in account B.

How is this possible when I did not give any resource based policy in account A?

Tópicos
Segurança, identidade e conformidadeAnálise
Tags
AWS Key Management ServiceAWS GluePolíticas do IAM
Idioma
English
Dipesh Chaudhary
feita há 6 meses144 visualizações
1 Resposta
0

"*Now the encrypted snapshot is in account B", inside the same account if a role has s3 read permission and the bucket doesn't have a explicitly policy, by default you have access.

profile pictureAWS
ESPECIALISTA
Gonzalo Herreros
respondido há 6 meses

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante