Overview

Purpose

This CloudFormation template sets up secure cross-account access for e6data to read your S3 buckets. It automates the creation of IAM roles, policies, and S3 bucket configurations needed for serverless analytics while enforcing security best practices.

Key Functions

  1. Creates a Secure Access Role

    • Sets up an IAM role that e6data can assume using a unique External ID.

    • Restricts the trust relationship to e6data's AWS account; principals in any other account cannot assume the role.

  2. Configures S3 Access

    • Grants read-only permissions to the buckets you specify.

    • Supports a wildcard (*) to cover multiple buckets; note that a bare wildcard grants read access to every bucket in the account, so list buckets explicitly where you can.

  3. Enforces Network Security

    • Restricts S3 bucket access to requests originating from your VPC Endpoint.

Technical Flow

e6data Account → Assumes Cross-Account Role (with External ID)
                → Gets Read Access to S3 Buckets
                → Access Only Through Your VPC Endpoint

Resources Created

CrossAccountRole (IAM Role)
  Allows e6data to securely access your AWS resources. Name format: e6data-cross-account-role-{StackName}-{Region}

ChangeSetCrossAccountPolicy (IAM Managed Policy)
  Allows e6data to create and describe CloudFormation change sets for this stack. A change set only proposes an update; executing it is not granted, so nothing changes until you apply it.

LambdaExecutionRole (IAM Role)
  Execution role for the Lambda function that manages S3 bucket policies. Includes full S3 access, Lambda logging, and EC2/VPC permissions. It is used only by the Lambda inside your account and is not assumable by e6data, but because it carries full S3 access it is worth reviewing against your own least-privilege standards.

ManageBucketPoliciesLambda (Lambda Function)
  Automates creation and updating of S3 bucket policies and IAM policies. Handles the stack's create, update, and delete operations.

Security Implementation

1. Cross-Account Access Security

External ID Protection

Condition:
  StringEquals:
    sts:ExternalId: !Ref ExternalId
  • Mitigates the confused deputy problem: another e6data customer cannot trick e6data into assuming your role, because e6data presents your External ID only when acting on your behalf.

  • The External ID is a value agreed between you and e6data, not a secret known only to you; use a value unique to this integration and treat it as sensitive.

2. Network-Level Security

VPC Endpoint Restriction

"Condition": {
  "StringEquals": {
    "aws:SourceVpce": "{VPCEndpointId}"
  }
}
  • Ensures the role's S3 requests are accepted only when they arrive through the named endpoint in your VPC.

  • Requests from the public internet, or from any other endpoint, do not match the condition and are refused. An aws:SourceVpce condition binds only on the statement that carries it, so confirm it is attached to every statement granting the role access, or written as an explicit Deny; it restricts the network path of a request, not which principal may make it.

3. Least Privilege Access

Read-Only S3 Permissions

"Action": [
  "s3:GetObject",
  "s3:GetObjectTagging",
  "s3:GetObjectVersion",
  "s3:GetBucketLocation",
  "s3:ListBucket"
]
  • Grants read-only actions only; none of the listed actions can write or delete objects or change bucket configuration. s3:GetObjectVersion also exposes prior object versions in versioned buckets.

  • Access is limited to the buckets you specify (or to a wildcard, which covers every bucket in the account). Bucket-level actions (s3:ListBucket, s3:GetBucketLocation) apply to the bucket ARN and object-level actions to its objects (bucket/*), so both resource forms are needed.
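The three layers in sections 1 to 3, exercised offline in Python as an added example (this is not code from the e6data template or from e6data). The policy documents are reconstructed from the fragments on this page; the e6data account ID, External ID, bucket name, role ARN and VPC endpoint ID are placeholders, and the bucket policy is written here as an explicit Deny with StringNotEquals rather than the StringEquals form the fragment shows, so that the network restriction binds regardless of what the identity policy allows. The small evaluator is a teaching model of IAM's deny-overrides-allow rule, not a replacement for the IAM policy simulator:

```python
"""Offline walkthrough of layers 1 to 3 described above.

Added example, not code from the e6data template: the policies are reconstructed
from the fragments on this page and every ID, ARN and bucket name is a placeholder.
The evaluator covers only the IAM logic needed here (explicit Deny wins, else an
Allow must match, else implicit deny) and is no substitute for the IAM simulator.
"""
import fnmatch

E6DATA_ACCOUNT = "111111111111"     # placeholder for e6data's AWS account
EXTERNAL_ID = "e6d-7f3a9c2b"        # placeholder External ID agreed with e6data
BUCKET = "analytics-data"           # placeholder bucket name
VPCE_ID = "vpce-0123456789abcdef0"  # placeholder S3 endpoint in your VPC
ROLE_ARN = "arn:aws:iam::222222222222:role/e6data-cross-account-role-demo-us-east-1"

# Layer 1: trust policy. Only principals in e6data's account may assume the role,
# and only when they present the agreed External ID.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{E6DATA_ACCOUNT}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
}]}

# Layer 2: the role's permissions. Bucket-level actions go on the bucket ARN and
# object-level actions on bucket/*; granting only one of the two is a common bug.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:GetObjectTagging", "s3:GetObjectVersion"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*"},
]}

# Layer 3: bucket policy, written as an explicit Deny scoped to the cross-account
# role so it binds regardless of identity policies and leaves other principals alone.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID},
                  "ArnEquals": {"aws:PrincipalArn": ROLE_ARN}},
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account(arn):
    return arn.split(":")[4]

def _condition_ok(condition, ctx):
    """Equality operators fail on a missing key; negated ones pass, as in IAM."""
    for operator, pairs in (condition or {}).items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if operator in ("StringEquals", "ArnEquals") and have != want:
                return False
            if operator == "StringNotEquals" and have == want:
                return False
    return True

def _applies(stmt, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if "Resource" in stmt and not any(
            fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    principal = stmt.get("Principal")
    if principal and principal != "*":  # ":root" admits any principal of that account
        allowed = {_account(p) for p in _as_list(principal["AWS"])}
        if _account(ctx["aws:PrincipalArn"]) not in allowed:
            return False
    return _condition_ok(stmt.get("Condition"), ctx)

def evaluate(policies, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request context."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision

def assume_role(caller_arn, external_id=None):
    """Layer 1: may caller_arn assume the cross-account role?"""
    ctx = {"aws:PrincipalArn": caller_arn}
    if external_id is not None:
        ctx["sts:ExternalId"] = external_id
    return evaluate([TRUST_POLICY], "sts:AssumeRole", ROLE_ARN, ctx)

def s3_request(action, key=None, vpce=None, bucket=BUCKET):
    """Layers 2 and 3: a request by the assumed role, optionally via an endpoint."""
    ctx = {"aws:PrincipalArn": ROLE_ARN}
    if vpce is not None:
        ctx["aws:SourceVpce"] = vpce
    resource = f"arn:aws:s3:::{bucket}" + (f"/{key}" if key else "")
    return evaluate([IDENTITY_POLICY, BUCKET_POLICY], action, resource, ctx)

if __name__ == "__main__":
    caller = f"arn:aws:iam::{E6DATA_ACCOUNT}:role/e6data-runtime"
    print("AssumeRole with External ID:   ", assume_role(caller, EXTERNAL_ID))
    print("AssumeRole without External ID:", assume_role(caller))
    print("GetObject via endpoint:        ", s3_request("s3:GetObject", "orders/2024.parquet", VPCE_ID))
    print("GetObject from the internet:   ", s3_request("s3:GetObject", "orders/2024.parquet"))
    print("PutObject via endpoint:        ", s3_request("s3:PutObject", "orders/2024.parquet", VPCE_ID))
```

Running the block prints the decision for each scenario: the role can be assumed only from the e6data account and only with the agreed External ID, GetObject succeeds only through the named endpoint, and PutObject is refused even through the endpoint because no statement allows it. To check the real stack, compare the output of `aws iam get-role`, `aws iam get-role-policy` and `aws s3api get-bucket-policy` against these three documents.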

4. CloudFormation Changeset Security

Actions:
  - "cloudformation:CreateChangeSet"
  - "cloudformation:DescribeChangeSet"
  - "cloudformation:DescribeStacks"
Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*"
  • e6data can create and describe a change set for this stack only (the Resource is scoped to the stack's own ARN), but cloudformation:ExecuteChangeSet is not granted, so nothing changes until you review and execute the change set yourself.

Layered Security Model

┌──────────────────────────────────────────┐
│ Layer 1: External ID validation          │
│ ✓ Must present the agreed External ID   │
└──────────────────────────────────────────┘

┌──────────────────────────────────────────┐
│ Layer 2: IAM permissions                 │
│ ✓ Read-only actions on specified buckets │
└──────────────────────────────────────────┘

┌──────────────────────────────────────────┐
│ Layer 3: Network restriction             │
│ ✓ Requests only via your VPC endpoint    │
└──────────────────────────────────────────┘

Lifecycle Operations

Stack Creation
  Creates the IAM role, policies, Lambda function, and S3 bucket policies.

Stack Update
  Updates the policies with newly specified buckets and preserves existing access.

Stack Deletion
  Removes the policies, Lambda function, and IAM role. Does not delete your S3 buckets.

Compliance & Audit

  • Data Residency: Data remains in your AWS account and is read in place.

  • Encryption: Existing S3 encryption remains intact. If a bucket uses SSE-KMS with a customer managed key, the role additionally needs kms:Decrypt on that key or reads will fail.

  • Audit Trail: AssumeRole calls against the role are logged by CloudTrail as management events. Object-level reads (GetObject, ListObjects) are S3 data events and are recorded only if data-event logging is enabled for the buckets.

  • Data Sovereignty: The VPC endpoint condition keeps the role's S3 traffic on your network rather than the public internet.
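An added detection example for the audit-trail point (not part of the e6data template): it parses CloudTrail-format records and flags AssumeRole failures against the cross-account role, S3 calls by the role session that did not arrive through the expected endpoint, and any non-read-only S3 call by that session. The records are constructed for illustration, and the role ARN, bucket and endpoint ID are placeholders:

```python
"""Audit CloudTrail records for the access pattern this page describes.

Added example, not part of the e6data template. The records below are constructed
for illustration and the role ARN, bucket and endpoint ID are placeholders.
AssumeRole is a management event and is logged by default; GetObject and
ListObjects are S3 data events and appear only if data-event logging is enabled.
"""
import json

ROLE_ARN = "arn:aws:iam::222222222222:role/e6data-cross-account-role-demo-us-east-1"
VPCE_ID = "vpce-0123456789abcdef0"
# CloudTrail records the S3 API operation name, so the read-only IAM actions show
# up as GetObject/HeadObject, GetObjectTagging, GetBucketLocation, ListObjects(V2).
READ_ONLY_EVENTS = {"GetObject", "HeadObject", "GetObjectTagging",
                    "GetBucketLocation", "ListObjects", "ListObjectsV2"}

def _session(arn):
    return {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"arn": arn}}}

# Constructed sample trail, not real CloudTrail output; field names follow the record format.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventID": "e1", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111"},
     "requestParameters": {"roleArn": ROLE_ARN}},
    {"eventID": "e2", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111"},
     "requestParameters": {"roleArn": ROLE_ARN}, "errorCode": "AccessDenied"},
    {"eventID": "e3", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": _session(ROLE_ARN), "vpcEndpointId": VPCE_ID,
     "requestParameters": {"bucketName": "analytics-data", "key": "orders/2024.parquet"}},
    {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": _session(ROLE_ARN), "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "analytics-data", "key": "orders/2024.parquet"}},
    {"eventID": "e5", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": _session(ROLE_ARN), "vpcEndpointId": VPCE_ID, "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "analytics-data", "key": "orders/new.parquet"}},
    {"eventID": "e6", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/alice"},
     "requestParameters": {"bucketName": "analytics-data", "key": "orders/2024.parquet"}},
]})

def _is_role_session(record, role_arn):
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return identity.get("type") == "AssumedRole" and issuer.get("arn") == role_arn

def audit(trail_json, role_arn=ROLE_ARN, vpce_id=VPCE_ID):
    """Return one finding per record that contradicts the expected access pattern."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        name, event_id = rec["eventName"], rec["eventID"]
        if rec["eventSource"] == "sts.amazonaws.com" and name == "AssumeRole":
            # A failed AssumeRole against our role: wrong External ID or wrong caller.
            if rec.get("requestParameters", {}).get("roleArn") == role_arn and "errorCode" in rec:
                findings.append({"eventID": event_id, "kind": "assume_role_failed",
                                 "detail": rec["errorCode"]})
        elif rec["eventSource"] == "s3.amazonaws.com" and _is_role_session(rec, role_arn):
            # The role's credentials used outside the endpoint, even if S3 refused it.
            if rec.get("vpcEndpointId") != vpce_id:
                findings.append({"eventID": event_id, "kind": "s3_outside_endpoint",
                                 "detail": rec.get("vpcEndpointId", "no endpoint")})
            # Any attempt beyond the read-only action set.
            if name not in READ_ONLY_EVENTS:
                findings.append({"eventID": event_id, "kind": "s3_non_readonly",
                                 "detail": name})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_TRAIL):
        print(finding)
```

A denied request still produces a finding on purpose: a GetObject by the role session with no vpcEndpointId means the role's credentials were used from outside your network, which is worth investigating even though the bucket policy refused it. Calls by other principals (the IAMUser record) are ignored, since this check is about the cross-account role only.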
