Classification Checklist for S3
- 03 Aug 2024
Customer Managed Key Permissions for S3
If the S3 buckets or objects are encrypted with a Customer Managed Key (CMK) whose key policy has been customized, the Acante classifier needs permission to use that key so it can decrypt and classify the data.
Note: This is not required when the bucket uses the AWS Managed Key for encryption.
Modify the policy for the KMS Key(s)
Add the following statement to the "Statement" array of the KMS key policy for each such key, replacing <accountID> with your AWS account ID and <acante-sampler-lambda-Role-ARN> with the role ARN found below. See the AWS Documentation for reference.
Finding the <acante-sampler-lambda-Role-ARN> in your AWS console:
- IAM → Roles → Search for “acante-sampler-lambda”
- Click on the Role shown
- Copy the ARN and update it in the policy block below
{
    "Sid": "Allow the Acante Sampler lambda and Macie service-linked role to use the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::<accountID>:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie",
            "<acante-sampler-lambda-Role-ARN>"
        ]
    },
    "Action": [
        "kms:Decrypt"
    ],
    "Resource": "*"
}
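The step that most often goes wrong when editing a key policy is overwriting the existing statements instead of adding to them, which can leave the key unmanageable. The following Python script is an added example, not Acante's or AWS's own code: it merges the statement above into an existing key policy document, keeps every existing statement, replaces the statement in place if the same Sid is already present (so re-running it is safe), validates that the sampler role ARN belongs to the same account as <accountID>, and finally lists which principals end up with decrypt rights so the result can be reviewed. The account ID 111122223333, the sample key policy and the role ARN ending in "acante-sampler-lambda-abc" are constructed placeholders; substitute the values from your own console.

```python
import json
import re

# Constructed sample key policy for this example. A real key policy must keep
# its existing statements (especially the account-root statement), otherwise
# nobody can administer the key any more.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
})

# Sid and service-linked-role ARN exactly as given on the page.
SID = "Allow the Acante Sampler lambda and Macie service-linked role to use the key"
MACIE_SLR = ("arn:aws:iam::{account}:role/aws-service-role/"
             "macie.amazonaws.com/AWSServiceRoleForAmazonMacie")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def build_statement(account_id, sampler_role_arn):
    """Return the page's decrypt statement with both placeholders filled in."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account id must be 12 digits")
    m = ROLE_ARN_RE.match(sampler_role_arn)
    if not m:
        raise ValueError("not an IAM role ARN: %s" % sampler_role_arn)
    if m.group(1) != account_id:
        raise ValueError("sampler role ARN belongs to a different account")
    return {
        "Sid": SID,
        "Effect": "Allow",
        "Principal": {"AWS": [MACIE_SLR.format(account=account_id), sampler_role_arn]},
        "Action": ["kms:Decrypt"],
        "Resource": "*",  # in a key policy "*" means this key only
    }


def add_decrypt_statement(policy_json, account_id, sampler_role_arn):
    """Merge the statement into an existing key policy (JSON string) and
    return the updated policy as JSON. Existing statements are preserved;
    a statement with the same Sid is replaced in place, so this is idempotent."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may omit the array
        statements = [statements]
    new = build_statement(account_id, sampler_role_arn)
    merged, replaced = [], False
    for s in statements:
        if s.get("Sid") == SID:
            merged.append(new)
            replaced = True
        else:
            merged.append(s)
    if not replaced:
        merged.append(new)
    policy["Statement"] = merged
    return json.dumps(policy, indent=2)


def principals_allowed_to_decrypt(policy_json):
    """Sorted list of AWS principals granted kms:Decrypt by Allow statements.
    A simple review aid, not a full policy evaluator: it ignores Deny
    statements, Conditions and NotPrincipal."""
    policy = json.loads(policy_json)
    found = set()
    for s in policy.get("Statement", []):
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("kms:Decrypt", "kms:*", "*") for a in actions):
            continue
        principal = s.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        found.update(aws)
    return sorted(found)


if __name__ == "__main__":
    role = "arn:aws:iam::111122223333:role/acante-sampler-lambda-abc"  # constructed
    updated = add_decrypt_statement(SAMPLE_KEY_POLICY, "111122223333", role)
    print(updated)
    print("decrypt allowed for:", principals_allowed_to_decrypt(updated))
```

To apply the result to a real key, fetch the current policy with `aws kms get-key-policy --key-id <key-id> --policy-name default --output text`, run it through `add_decrypt_statement`, and write it back with `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://updated.json`. Review the output of `principals_allowed_to_decrypt` before writing: only the account root, the Macie service-linked role and the sampler role should appear, and a bare "*" principal would indicate the key is far more exposed than intended.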