https://community.databricks.com/t5/administration-architecture/aws-security-hub-the-s3-bucket-is-shared-with-an-external-aws/m-p/107502#M2865 <P>&nbsp;</P> <P>Hi <a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/133005">@ambigus9</a>&nbsp;- Regarding the external AWS account (414351767826). This is actually a Databricks-owned AWS account, not a random external account. It's essential for Databricks' service to function properly. This account is used by Databricks to manage and orchestrate your workspace resources.</P> <P>The policy allows Databricks control plane to, Access notebook contents, Manage cluster configurations, Handle job artifacts and Manage other workspace assets. </P> <P>You can tighten the policy by adding something like this,</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2025-01-28 at 5.45.20 PM.png" style="width: 400px;"><img src="https://community.databricks.com/t5/image/serverpage/image-id/14406i398910F392F14211/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2025-01-28 at 5.45.20 PM.png" alt="Screenshot 2025-01-28 at 5.45.20 PM.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 28 Jan 2025 23:46:02 GMT Satyadeepak 2025-01-28T23:46:02Z https://community.databricks.com/t5/administration-architecture/aws-security-hub-the-s3-bucket-is-shared-with-an-external-aws/m-p/107495#M2864 <P>Currently We observe a HIGH Risk warning on the Security Hub of AWS Account were we have been deployed a Private Link Databricks. This warning is related to the permissions associated to the root S3 bucket we use, here an example:&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::414351767826:root" }, "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::my-rootbucket/*", "arn:aws:s3:::my-rootbucket" ] } ] }</LI-CODE><P>&nbsp;</P><P>At this point I would to know:</P><P>1) Is possible to remove this S3 Bucket Policy without affecting my current Databricks Deployment?</P><P>2) What is the main reason of this policy? Why to enable access to an external AWS account?</P><P>Thanks!</P><P>Thanks.</P> Tue, 28 Jan 2025 22:03:51 GMT https://community.databricks.com/t5/administration-architecture/aws-security-hub-the-s3-bucket-is-shared-with-an-external-aws/m-p/107495#M2864 ambigus9 2025-01-28T22:03:51Z https://community.databricks.com/t5/administration-architecture/aws-security-hub-the-s3-bucket-is-shared-with-an-external-aws/m-p/107502#M2865 <P>&nbsp;</P> <P>Hi <a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/133005">@ambigus9</a>&nbsp;- Regarding the external AWS account (414351767826). This is actually a Databricks-owned AWS account, not a random external account. It's essential for Databricks' service to function properly. This account is used by Databricks to manage and orchestrate your workspace resources.</P> <P>The policy allows Databricks control plane to, Access notebook contents, Manage cluster configurations, Handle job artifacts and Manage other workspace assets. </P> <P>You can tighten the policy by adding something like this,</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2025-01-28 at 5.45.20 PM.png" style="width: 400px;"><img src="https://community.databricks.com/t5/image/serverpage/image-id/14406i398910F392F14211/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2025-01-28 at 5.45.20 PM.png" alt="Screenshot 2025-01-28 at 5.45.20 PM.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 28 Jan 2025 23:46:02 GMT https://community.databricks.com/t5/administration-architecture/aws-security-hub-the-s3-bucket-is-shared-with-an-external-aws/m-p/107502#M2865 Satyadeepak 2025-01-28T23:46:02Z