使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

Resource Based Policy

0

Hi Team,

I transferred a snapshot of database from AWS account A to Account B which is encrypted by kms. Now the encrypted snapshot is in account B's s3 bucket and I wanted to create Glue tables using Crawler in account B.

The KMS key is in AWS account A. I gave KMS decrypt permission on account A KMS key to the glue crawler IAM role in account B but did not give any resource based policy in account A . Now the crawler is able to create Glue tables in account B.

How is this possible when I did not give any resource based policy in account A?

主題
安全性、身分識別與合規分析
標籤
AWS Key Management ServiceAWS GlueIAM 政策
語言
English
Dipesh Chaudhary
已提問 6 個月前檢視次數 144 次
1 個回答
0

"*Now the encrypted snapshot is in account B", inside the same account if a role has s3 read permission and the bucket doesn't have a explicitly policy, by default you have access.

profile pictureAWS
專家
Gonzalo Herreros
已回答 6 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容