# Overview

### Purpose

This CloudFormation template sets up **secure cross-account access** for e6data to read your S3 buckets. It automates the creation of IAM roles, policies, and S3 bucket configurations needed for serverless analytics while enforcing security best practices.

### Key Functions

1. **Creates a Secure Access Role**
   * Sets up an IAM role that e6data can assume using a unique External ID.
   * Ensures only authorized access from e6data’s account.
2. **Configures S3 Access**
   * Grants **read-only** permissions to the buckets you specify.
   * Supports wildcard (`*`) for multiple buckets if necessary.
3. **Enforces Network Security**
   * Restricts S3 bucket access to requests originating from your **VPC Endpoint**.

### Technical Flow

```
e6data Account → Assumes Cross-Account Role (with External ID)
                → Gets Read Access to S3 Buckets
                → Access Only Through Your VPC Endpoint
```

### Resources Created

| Resource Name                   | Type               | Purpose                                                                                                                                                         |
| ------------------------------- | ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **CrossAccountRole**            | IAM Role           | Allows e6data to securely access your AWS resources. Name format: `e6data-cross-account-role-{StackName}-{Region}`                                              |
| **ChangeSetCrossAccountPolicy** | IAM Managed Policy | Allows e6data to view and create CloudFormation changesets (read-only) for updates.                                                                             |
| **LambdaExecutionRole**         | IAM Role           | Execution role for the Lambda function that manages S3 bucket policies (allowing access through the S3 VPC endpoint); also grants Lambda logging and VPC endpoint describe permissions. |
| **ManageBucketPoliciesLambda**  | Lambda Function    | Automates creation/updating of S3 bucket policies and IAM policies. Handles create, update, delete operations.                                                  |

### Security Implementation

#### 1. Cross-Account Access Security

**External ID Protection**

```yaml
Condition:
  StringEquals:
    sts:ExternalId: !Ref ExternalId
```

* Mitigates the confused deputy problem: a principal in e6data's account can assume the role only by presenting the External ID.
* e6data must present the secret External ID that you set in the role's trust policy and share only with e6data.
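As an added illustration (not code from the template or from e6data), the Python below builds the trust policy that the condition above belongs to, and adds an audit check a practitioner can run against an existing role's trust policy: it reports any statement that lets a principal outside your own account call `sts:AssumeRole` without an `sts:ExternalId` condition. The account IDs and the External ID are constructed sample values.

```python
import json

# Constructed sample values for this example. In the real template these come
# from the stack parameters (e6data's account ID and the ExternalId you choose).
PARTNER_ACCOUNT_ID = "111111111111"
YOUR_ACCOUNT_ID = "222222222222"
EXTERNAL_ID = "example-external-id-0000"


def cross_account_trust_policy(partner_account_id: str, external_id: str) -> dict:
    """Trust policy for the cross-account role: principals in the partner
    account may assume it, but only when they pass the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value) -> list:
    """IAM lets most fields be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statements_missing_external_id(trust_policy: dict, own_account_id: str) -> list:
    """Audit helper: return every Allow statement that lets a principal outside
    `own_account_id` call sts:AssumeRole without an sts:ExternalId condition.
    An empty result means the role is protected against the confused deputy."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        # Service principals (e.g. lambda.amazonaws.com) are not cross-account
        # trusts; only AWS principals matter here. A bare "*" trusts everyone.
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS", []))
        else:
            aws_principals = [principal]
        foreign = [p for p in aws_principals
                   if p == "*" or own_account_id not in p]
        if not foreign:
            continue
        condition = stmt.get("Condition", {})
        has_external_id = any(
            "sts:ExternalId" in condition.get(operator, {})
            for operator in ("StringEquals", "StringEqualsIgnoreCase"))
        if not has_external_id:
            findings.append(stmt)
    return findings


if __name__ == "__main__":
    policy = cross_account_trust_policy(PARTNER_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("unprotected statements:",
          len(statements_missing_external_id(policy, YOUR_ACCOUNT_ID)))
```

The audit function is the useful half: fed the output of `aws iam get-role`, it flags trust statements that would let a third party assume the role on someone else's behalf, which is exactly the gap the template's `sts:ExternalId` condition closes.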

#### 2. Network-Level Security

**VPC Endpoint Restriction**

```json
"Condition": {
  "StringEquals": {
    "aws:SourceVpce": "{VPCEndpointId}"
  }
}
```

* Ensures S3 access only through your private VPC network.
* No access over the public internet.

#### 3. Least Privilege Access

**Read-Only S3 Permissions**

```json
"Action": [
  "s3:GetObject",
  "s3:GetObjectTagging",
  "s3:GetObjectVersion",
  "s3:GetBucketLocation",
  "s3:ListBucket"
]
```

* Grants read-only access only.
* Access limited to specified buckets (or wildcard if needed).
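The following Python is an added example covering both the network restriction (section 2) and the read-only permission set (section 3); it is not code from the template. It expands a bucket list into the bucket and object ARNs a read-only statement needs (keeping the template's `*` wildcard behaviour), attaches the `aws:SourceVpce` condition to the role's own read-only statement as a second layer alongside the bucket policies the template's Lambda writes, and includes an audit function that reports any action, resource or condition that departs from that model. Bucket names, the VPC endpoint ID and the `Sid` are constructed values.

```python
# Constructed sample values; the template takes the bucket list and the VPC
# endpoint ID as stack parameters.
SAMPLE_BUCKETS = ["analytics-raw", "analytics-curated"]
SAMPLE_VPCE_ID = "vpce-0123456789abcdef0"

# The read-only action set from the template.
READ_ONLY_S3_ACTIONS = [
    "s3:GetObject",
    "s3:GetObjectTagging",
    "s3:GetObjectVersion",
    "s3:GetBucketLocation",
    "s3:ListBucket",
]

# Action prefixes the audit accepts as non-mutating.
READ_ACTION_PREFIXES = ("s3:Get", "s3:List", "s3:Describe")


def _as_list(value) -> list:
    """IAM lets most fields be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def bucket_resources(bucket_names: list) -> list:
    """Expand bucket names into the ARNs a read-only statement needs: the
    bucket itself (ListBucket, GetBucketLocation) and its objects (GetObject*).
    A bare '*' keeps the template's wildcard behaviour: one all-buckets ARN."""
    if "*" in bucket_names:
        return ["arn:aws:s3:::*"]
    resources = []
    for name in bucket_names:
        resources.append(f"arn:aws:s3:::{name}")
        resources.append(f"arn:aws:s3:::{name}/*")
    return resources


def read_only_statement(bucket_names: list, vpce_id: str) -> dict:
    """Identity-policy statement for the cross-account role: read-only actions,
    scoped to the named buckets, honoured only for requests through `vpce_id`."""
    return {
        "Sid": "E6DataReadOnlyViaVpce",  # constructed Sid
        "Effect": "Allow",
        "Action": list(READ_ONLY_S3_ACTIONS),
        "Resource": bucket_resources(bucket_names),
        "Condition": {"StringEquals": {"aws:SourceVpce": vpce_id}},
    }


def audit_statement(stmt: dict, expected_vpce_id: str) -> list:
    """Check an Allow statement against the template's model. Returns a list of
    findings; an empty list means read-only, S3-scoped and endpoint-bound."""
    findings = []
    for action in _as_list(stmt.get("Action", [])):
        if not action.startswith(READ_ACTION_PREFIXES):
            findings.append(f"non-read action: {action}")
    for resource in _as_list(stmt.get("Resource", [])):
        if not resource.startswith("arn:aws:s3:::"):
            findings.append(f"resource outside S3: {resource}")
    string_equals = stmt.get("Condition", {}).get("StringEquals", {})
    if string_equals.get("aws:SourceVpce") != expected_vpce_id:
        findings.append("missing or wrong aws:SourceVpce condition")
    return findings


if __name__ == "__main__":
    import json
    stmt = read_only_statement(SAMPLE_BUCKETS, SAMPLE_VPCE_ID)
    print(json.dumps(stmt, indent=2))
    print("findings:", audit_statement(stmt, SAMPLE_VPCE_ID))
```

Running `audit_statement` over the statements of a deployed role (for example the output of `aws iam get-role-policy`) gives a quick drift check after a stack update: a write action, a resource outside S3, or a condition pointing at a different endpoint each shows up as a finding.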

#### 4. CloudFormation Changeset Security

```yaml
Action:
  - "cloudformation:CreateChangeSet"
  - "cloudformation:DescribeChangeSet"
  - "cloudformation:DescribeStacks"
Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*"
```

* e6data can propose stack updates but cannot apply changes without approval.

#### Layered Security Model

```
┌───────────────────────────────────────────┐
│ Layer 1: External ID Validation           │
│ ✓ Must provide secret External ID         │
└───────────────────────────────────────────┘
                      ↓
┌───────────────────────────────────────────┐
│ Layer 2: IAM Permissions                  │
│ ✓ Read-only access to specified buckets   │
└───────────────────────────────────────────┘
                      ↓
┌───────────────────────────────────────────┐
│ Layer 3: Network Restriction              │
│ ✓ Access only through VPC Endpoint        │
└───────────────────────────────────────────┘
```

#### Lifecycle Operations

| Operation          | Description                                                                  |
| ------------------ | ---------------------------------------------------------------------------- |
| **Stack Creation** | Creates IAM role, policies, Lambda function, S3 bucket policies.             |
| **Stack Update**   | Updates policies with new buckets, preserves existing access.                |
| **Stack Deletion** | Removes policies, Lambda function, and IAM role. Does not delete S3 buckets. |
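As an added example of how the create, update and delete rows above map onto the bucket policy work the `ManageBucketPoliciesLambda` does, the Python below implements a CloudFormation custom-resource handler that merges one e6data statement (carrying the `aws:SourceVpce` condition from the Network-Level Security section) into a bucket's existing policy, keyed on its `Sid`, so other statements you already have on the bucket survive updates, and removes only that statement on deletion. This is not e6data's function; it assumes, as an interface of this example's own choosing, that the template passes `BucketName` and the already-rendered statement (a JSON string) in `ResourceProperties`. The role ARN, bucket, endpoint ID and `Sid` are constructed values.

```python
import json
from typing import Optional

# Constructed sample statement: what the template would render for one bucket.
SAMPLE_STATEMENT = {
    "Sid": "E6DataReadAccessViaVpce",  # constructed Sid; the merge keys on it
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:role/e6data-cross-account-role-demo-us-east-1"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::analytics-raw", "arn:aws:s3:::analytics-raw/*"],
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
}


def _statements(policy: dict) -> list:
    """IAM accepts 'Statement' as one object or a list; normalise to a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def upsert_statement(policy: Optional[dict], statement: dict) -> dict:
    """New policy with `statement` added, replacing an earlier statement with
    the same Sid and leaving every other statement untouched (this is what
    preserves existing access on Stack Update). None = bucket has no policy."""
    base = {"Version": "2012-10-17"} if policy is None else dict(policy)
    kept = [s for s in _statements(base) if s.get("Sid") != statement["Sid"]]
    base["Statement"] = kept + [statement]
    return base


def remove_statement(policy: Optional[dict], sid: str) -> Optional[dict]:
    """Policy without statement `sid`, or None when nothing would remain: S3
    rejects an empty Statement list, so the caller deletes the policy instead."""
    if policy is None:
        return None
    kept = [s for s in _statements(policy) if s.get("Sid") != sid]
    if not kept:
        return None
    base = dict(policy)
    base["Statement"] = kept
    return base


def plan(request_type: str, current: Optional[dict], statement: dict) -> tuple:
    """Map a CloudFormation RequestType to one S3 call: ('put', policy),
    ('delete', None) or ('noop', None). Pure, so it is testable offline."""
    if request_type in ("Create", "Update"):
        return ("put", upsert_statement(current, statement))
    if request_type == "Delete":
        remaining = remove_statement(current, statement["Sid"])
        if remaining is None:
            return ("delete", None) if current is not None else ("noop", None)
        return ("put", remaining) if remaining != current else ("noop", None)
    raise ValueError(f"unknown RequestType {request_type!r}")


def send_response(event: dict, status: str, physical_id: str, reason: str = "") -> None:
    """Signal completion to CloudFormation; the stack waits on this PUT."""
    import urllib.request
    body = json.dumps({
        "Status": status,
        "Reason": reason or "see the function's CloudWatch log stream",
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
    }).encode()
    request = urllib.request.Request(
        event["ResponseURL"], data=body, method="PUT", headers={"Content-Type": ""})
    urllib.request.urlopen(request).close()


def handler(event: dict, context) -> None:
    """Lambda entry point (assumed interface: ResourceProperties.BucketName and
    ResourceProperties.Statement, the latter a JSON string)."""
    import boto3
    from botocore.exceptions import ClientError
    props = event["ResourceProperties"]
    bucket = props["BucketName"]
    statement = json.loads(props["Statement"])
    physical_id = f"{bucket}/{statement['Sid']}"
    try:
        s3 = boto3.client("s3")
        try:
            current = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
        except ClientError as err:
            # No policy yet, or the bucket is already gone during Delete: both
            # mean "nothing to remove"; any other error must fail the request.
            if err.response["Error"]["Code"] not in ("NoSuchBucketPolicy", "NoSuchBucket"):
                raise
            current = None
        action, new_policy = plan(event["RequestType"], current, statement)
        if action == "put":
            s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(new_policy))
        elif action == "delete":
            s3.delete_bucket_policy(Bucket=bucket)
        send_response(event, "SUCCESS", physical_id)
    except Exception as exc:  # FAILED keeps the stack from hanging until timeout
        send_response(event, "FAILED", physical_id, reason=str(exc))
```

Two edge cases matter operationally and are handled above: a bucket whose only statement is e6data's cannot be written back with an empty `Statement` list, so deletion removes the whole bucket policy; and a bucket that was already deleted must not block stack deletion, so `NoSuchBucket` on a Delete request is treated as "nothing to do" while any other error is reported as `FAILED`.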

#### Compliance & Audit

* **Data Residency**: Data remains in your AWS account.
* **Encryption**: Existing S3 encryption remains intact.
* **Audit Trail**: All access is logged via CloudTrail (role assumption is a management event; object-level reads appear only if S3 data events are enabled for the bucket).
* **Data Sovereignty**: VPC endpoint ensures access stays within your network.
