# Overview

### Purpose

This CloudFormation template sets up **secure cross-account access** for e6data to read your S3 buckets. It automates the creation of IAM roles, policies, and S3 bucket configurations needed for serverless analytics while enforcing security best practices.

### Key Functions

1. **Creates a Secure Access Role**
   * Sets up an IAM role that e6data can assume using a unique External ID.
   * Ensures only authorized access from e6data’s account.
2. **Configures S3 Access**
   * Grants **read-only** permissions to the buckets you specify.
   * Supports wildcard (`*`) for multiple buckets if necessary.
3. **Enforces Network Security**
   * Restricts S3 bucket access to requests originating from your **VPC Endpoint**.

### Technical Flow

```
e6data Account → Assumes Cross-Account Role (with External ID)
                → Gets Read Access to S3 Buckets
                → Access Only Through Your VPC Endpoint
```

### Resources Created

| Resource Name                   | Type               | Purpose                                                                                                                                                         |
| ------------------------------- | ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **CrossAccountRole**            | IAM Role           | Allows e6data to securely access your AWS resources. Name format: `e6data-cross-account-role-{StackName}-{Region}`                                              |
| **ChangeSetCrossAccountPolicy** | IAM Managed Policy | Allows e6data to view and create CloudFormation changesets (read-only) for updates.                                                                             |
| **LambdaExecutionRole**         | IAM Role           | Execution role for the Lambda function that manages S3 bucket policies (allowing traffic via the S3 VPC endpoint); also grants Lambda logging and VPC endpoint describe permissions. |
| **ManageBucketPoliciesLambda**  | Lambda Function    | Automates creation/updating of S3 bucket policies and IAM policies. Handles create, update, delete operations.                                                  |

### Security Implementation

#### 1. Cross-Account Access Security

**External ID Protection**

```yaml
Condition:
  StringEquals:
    sts:ExternalId: !Ref ExternalId
```

* Prevents unauthorized access (the confused deputy problem).
* e6data must present the secret External ID that you supplied as a template parameter; assume-role requests without it are rejected.

#### 2. Network-Level Security

**VPC Endpoint Restriction**

```json
"Condition": {
  "StringEquals": {
    "aws:SourceVpce": "{VPCEndpointId}"
  }
}
```

* Ensures S3 access only through your private VPC network.
* No access over the public internet.

#### 3. Least Privilege Access

**Read-Only S3 Permissions**

```json
"Action": [
  "s3:GetObject",
  "s3:GetObjectTagging",
  "s3:GetObjectVersion",
  "s3:GetBucketLocation",
  "s3:ListBucket"
]
```

* Grants read-only access only.
* Access limited to specified buckets (or wildcard if needed).

#### 4. CloudFormation Changeset Security

```yaml
Actions:
  - "cloudformation:CreateChangeSet"
  - "cloudformation:DescribeChangeSet"
  - "cloudformation:DescribeStacks"
Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*"
```

* e6data can propose stack updates but cannot apply changes without approval.

#### Layered Security Model

```
┌──────────────────────────────────────────┐
│ Layer 1: External ID Validation          │
│ ✓ Must provide secret External ID        │
└──────────────────────────────────────────┘
                     ↓
┌──────────────────────────────────────────┐
│ Layer 2: IAM Permissions                 │
│ ✓ Read-only access to specified buckets  │
└──────────────────────────────────────────┘
                     ↓
┌──────────────────────────────────────────┐
│ Layer 3: Network Restriction             │
│ ✓ Access only through VPC Endpoint       │
└──────────────────────────────────────────┘
```
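As an added example (not part of e6data's template or tooling), the following Python audits policy documents against the three layers above: it checks that the role's trust policy requires an External ID (section 1), that every Allow in the bucket policy is gated on `aws:SourceVpce` (section 2), and that the granted S3 actions are on the read-only list (section 3). The account ID, VPC endpoint ID, role ARN and bucket name are constructed placeholders.

```python
# Constructed sample policies with placeholder IDs; not values from the template.
E6DATA_PRINCIPAL = "arn:aws:iam::111111111111:root"  # placeholder e6data account
EXPECTED_VPCE = "vpce-0123456789abcdef0"            # placeholder VPC endpoint ID
ROLE_ARN = "arn:aws:iam::222222222222:role/e6data-cross-account-role-placeholder"

# Trust policy of the cross-account role, with the External ID condition present.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": E6DATA_PRINCIPAL}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}

# The weak setting: same trust, but the External ID condition has been dropped.
WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": E6DATA_PRINCIPAL}, "Action": "sts:AssumeRole"}]}

# Bucket policy as the page describes it: read-only actions, gated on aws:SourceVpce.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"StringEquals": {"aws:SourceVpce": EXPECTED_VPCE}}}]}

READ_ONLY_ACTIONS = {"s3:GetObject", "s3:GetObjectTagging", "s3:GetObjectVersion",
                     "s3:GetBucketLocation", "s3:ListBucket"}


def _as_list(value):
    """IAM accepts a scalar or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _allows(policy):
    return [st for st in policy["Statement"] if st.get("Effect") == "Allow"]

def _cond(st, key):
    return st.get("Condition", {}).get("StringEquals", {}).get(key)

def trust_requires_external_id(policy):
    """Layer 1: every Allow of sts:AssumeRole must carry a non-empty sts:ExternalId."""
    return all(_cond(st, "sts:ExternalId")
               for st in _allows(policy) if "sts:AssumeRole" in _as_list(st.get("Action", [])))

def actions_are_read_only(policy):
    """Layer 2: every granted action is on the page's read-only list (no wildcards)."""
    return all(a in READ_ONLY_ACTIONS
               for st in _allows(policy) for a in _as_list(st.get("Action", [])))

def bucket_allows_only_via_vpce(policy, vpce_id):
    """Layer 3: every Allow in the bucket policy is gated on aws:SourceVpce == vpce_id."""
    return all(_cond(st, "aws:SourceVpce") == vpce_id for st in _allows(policy))
```

Running the three checks against a policy fetched with `get-role` / `get-bucket-policy` gives a quick per-layer verdict after each stack update.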

#### Lifecycle Operations

| Operation          | Description                                                                  |
| ------------------ | ---------------------------------------------------------------------------- |
| **Stack Creation** | Creates IAM role, policies, Lambda function, S3 bucket policies.             |
| **Stack Update**   | Updates policies with new buckets, preserves existing access.                |
| **Stack Deletion** | Removes policies, Lambda function, and IAM role. Does not delete S3 buckets. |

#### Compliance & Audit

* **Data Residency**: Data remains in your AWS account.
* **Encryption**: Existing S3 encryption remains intact.
* **Audit Trail**: All access logged via CloudTrail.
* **Data Sovereignty**: VPC endpoint ensures access stays within your network.
