search

Overview

hashtag
Purpose

This CloudFormation template sets up secure cross-account access for e6data to read your S3 buckets. It automates the creation of IAM roles, policies, and S3 bucket configurations needed for serverless analytics while enforcing security best practices.

hashtag
Key Functions

  1. Creates a Secure Access Role

    • Sets up an IAM role that e6data can assume using a unique External ID.

    • Ensures only authorized access from e6data’s account.

  2. Configures S3 Access

    • Grants read-only permissions to the buckets you specify.

    • Supports wildcard (*) for multiple buckets if necessary.

  3. Enforces Network Security

    • Restricts S3 bucket access to requests originating from your VPC Endpoint.

hashtag
Technical Flow

e6data Account → Assumes Cross-Account Role (with External ID)
                → Gets Read Access to S3 Buckets
                → Access Only Through Your VPC Endpoint

hashtag
Resources Created

Resource Name
Type
Purpose

CrossAccountRole

IAM Role

Allows e6data to securely access your AWS resources. Name format: e6data-cross-account-role-{StackName}-{Region}

ChangeSetCrossAccountPolicy

IAM Managed Policy

Allows e6data to view and create CloudFormation changesets (read-only) for updates.

LambdaExecutionRole

IAM Role

Executes Lambda function to manage S3 bucket policies to allow traffic routing via the VPCE S3 endpoint, Lambda logging, and VPC endpoint describe permissions.

ManageBucketPoliciesLambda

Lambda Function

Automates creation/updating of S3 bucket policies and IAM policies. Handles create, update, delete operations.

hashtag
Security Implementation

hashtag
1. Cross-Account Access Security

External ID Protection

  • Prevents unauthorized access (confused deputy problem).

  • e6data must provide a secret External ID known only to you.

hashtag
2. Network-Level Security

VPC Endpoint Restriction

  • Ensures S3 access only through your private VPC network.

  • No access over the public internet.

hashtag
3. Least Privilege Access

Read-Only S3 Permissions

  • Grants read-only access only.

  • Access limited to specified buckets (or wildcard if needed).

hashtag
4. CloudFormation Changeset Security

  • e6data can propose stack updates but cannot apply changes without approval.

hashtag
Layered Security Model

hashtag
Lifecycle Operations

Operation
Description

Stack Creation

Creates IAM role, policies, Lambda function, S3 bucket policies.

Stack Update

Updates policies with new buckets, preserves existing access.

Stack Deletion

Removes policies, Lambda function, and IAM role. Does not delete S3 buckets.

hashtag
Compliance & Audit

  • Data Residency: Data remains in your AWS account.

  • Encryption: Existing S3 encryption remains intact.

  • Audit Trail: All access logged via CloudTrail.

  • Data Sovereignty: VPC endpoint ensures access stays within your network.

PreviousConfiguring Secure AccessNextDeployment Guide

Last updated