Classification Checklist for S3
    • 03 Aug 2024
    • 1 Minute to read

    Customer Managed Key Permissions for S3

    If the S3 buckets or objects are encrypted using a Customer Managed Key with customized permissions, then the Acante classifier needs permissions to use this Key to decrypt and classify the data.
    Note: This is not required if using the AWS Managed Key for encryption.

    Modify the policy for the KMS Key(s)

    Add the following statement to the "Statement" array of the KMS key policy for each key, substituting the correct <accountID> and the sampler role ARN.
    See the AWS documentation on KMS key policies for reference.

    Finding the <acante-sampler-lambda-Role-ARN> on your AWS console:

    • IAM → Roles → Search for “acante-sampler-lambda”
    • Click on the Role shown
    • Copy the ARN and update it in the policy block below

    {
        "Sid": "Allow the Acante Sampler lambda and Macie service-linked role to use the key",
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::<accountID>:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie",
                "<acante-sampler-lambda-Role-ARN>"
            ]
        },
        "Action": [
            "kms:Decrypt"
        ],
        "Resource": "*"
    }
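As an added example (not part of the original article), the following Python merges the statement above into an existing key policy document and checks that the added statement grants nothing beyond kms:Decrypt. The sample policy, the account id 111122223333 and the sampler role ARN are constructed placeholders; the returned document is what you would pass to put-key-policy.

```python
import copy

# Constructed sample: a default-style KMS key policy with one existing statement
# (hypothetical account id 111122223333).
EXISTING_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

SID = "Allow the Acante Sampler lambda and Macie service-linked role to use the key"


def build_statement(account_id: str, sampler_role_arn: str) -> dict:
    """Return the decrypt-only statement from the article with placeholders filled in."""
    macie_role = (f"arn:aws:iam::{account_id}:role/aws-service-role/"
                  "macie.amazonaws.com/AWSServiceRoleForAmazonMacie")
    return {
        "Sid": SID,
        "Effect": "Allow",
        "Principal": {"AWS": [macie_role, sampler_role_arn]},
        "Action": ["kms:Decrypt"],
        "Resource": "*",
    }


def add_statement(policy: dict, account_id: str, sampler_role_arn: str) -> dict:
    """Copy the key policy and merge the statement into its Statement array."""
    # Existing statements are kept; an earlier copy with the same Sid is replaced,
    # so re-running the update does not accumulate duplicates.
    updated = copy.deepcopy(policy)
    kept = [s for s in updated.get("Statement", []) if s.get("Sid") != SID]
    kept.append(build_statement(account_id, sampler_role_arn))
    updated["Statement"] = kept
    return updated


def decrypt_only(policy: dict) -> bool:
    """True if the Acante/Macie statement is present and grants only kms:Decrypt."""
    for s in policy.get("Statement", []):
        if s.get("Sid") == SID:
            actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
            return actions == ["kms:Decrypt"]
    return False
```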