From 62f3ccff8b200a947f1565eaa1df11b085edac27 Mon Sep 17 00:00:00 2001 From: Vladislav Tropnikov Date: Thu, 8 May 2025 16:16:15 +0200 Subject: [PATCH 1/2] feature/ODM-12525 add Cross-account S3 access --- docs/home/clouds/aws.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/home/clouds/aws.md b/docs/home/clouds/aws.md index 1cac3556..1c20ae28 100644 --- a/docs/home/clouds/aws.md +++ b/docs/home/clouds/aws.md @@ -123,6 +123,16 @@ - Be careful when using it, you should limit the list of zones with which it can work. And if the zone is used for something else, then make sure that it will not delete records from there. +## Cross-account S3 access + +The approach is based on the [official documentation](https://repost.aws/knowledge-center/cross-account-access-s3) section `IAM policies and resource-based bucket policies`. + +If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally grant access to the KMS key too: + +- in the `IAM policy` that is attached to the IAM role/user + +- in the `Key policy` of the KMS key that is used to encrypt data in the S3 bucket + ## Configuration examples
AbortIncompleteMultipartUpload rule From ec34439da0a45a06c5223da0c14a10d2ca9e8cb4 Mon Sep 17 00:00:00 2001 From: Vladislav Tropnikov Date: Thu, 8 May 2025 16:44:21 +0200 Subject: [PATCH 2/2] Update docs/home/clouds/aws.md Co-authored-by: Mikhail Smazhevsky --- docs/home/clouds/aws.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/home/clouds/aws.md b/docs/home/clouds/aws.md index 1c20ae28..30de84be 100644 --- a/docs/home/clouds/aws.md +++ b/docs/home/clouds/aws.md @@ -127,7 +127,7 @@ The approach is based on the [official documentation](https://repost.aws/knowledge-center/cross-account-access-s3) section `IAM policies and resource-based bucket policies`. -If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally grant access to the KMS key too: +If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally grant access to the KMS key in the items below: - in the `IAM policy` that is attached to the IAM role/user
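Review bot: In PATCH 1/2, the added "Cross-account S3 access" section says to grant access to the KMS key in the `IAM policy` and the `Key policy`, but it never says which KMS actions to grant or on which resource. A reader can satisfy this text with a wildcard grant. Please name the actions the workload needs (for example `kms:Decrypt` for reads and `kms:GenerateDataKey` for writes) and state that the IAM policy statement should be scoped to the ARN of the specific key that encrypts the bucket. Since the rest of the section defers to the linked article, one sentence saying which account holds the bucket policy and which holds the IAM policy would also keep the section usable if the link moves.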
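Review bot: In PATCH 2/2, the reworded line "grant access to the KMS key in the items below:" still leaves it open whether one of the two listed places is enough or both are needed. Each bullet also begins with "in the", so the sentence reads "in the items below: in the ...". For a key owned by another account, the key policy and the caller's IAM policy both have to allow the access, so I would suggest something like "then access to the KMS key must also be granted in both of the following:" and dropping the leading "in the" from each bullet.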