cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

AWS Security Hub - The S3 bucket is shared with an external AWS account

Go to solution
ambigus9
New Contributor III

‎01-28-2025 02:03 PM

Currently We observe a HIGH Risk warning on the Security Hub of AWS Account were we have been deployed a Private Link Databricks. This warning is related to the permissions associated to the root S3 bucket we use, here an example: 

 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::414351767826:root"
            },
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::my-rootbucket/*",
                "arn:aws:s3:::my-rootbucket"
            ]
        }
    ]
}

 

At this point I would to know:

1) Is possible to remove this S3 Bucket Policy without affecting my current Databricks Deployment?

2) What is the main reason of this policy? Why to enable access to an external AWS account?

Thanks!

Thanks.

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Satyadeepak
Databricks Employee
Databricks Employee

‎01-28-2025 03:46 PM

 

Hi @ambigus9 - Regarding the external AWS account (414351767826). This is actually a Databricks-owned AWS account, not a random external account. It's essential for Databricks' service to function properly. This account is used by Databricks to manage and orchestrate your workspace resources.

The policy allows Databricks control plane to, Access notebook contents, Manage cluster configurations, Handle job artifacts and Manage other workspace assets. 

You can tighten the policy by adding something like this,

Screenshot 2025-01-28 at 5.45.20 PM.png

 

 

View solution in original post

0 Kudos
1 REPLY 1

Go to solution
Satyadeepak
Databricks Employee
Databricks Employee

‎01-28-2025 03:46 PM

 

Hi @ambigus9 - Regarding the external AWS account (414351767826). This is actually a Databricks-owned AWS account, not a random external account. It's essential for Databricks' service to function properly. This account is used by Databricks to manage and orchestrate your workspace resources.

The policy allows Databricks control plane to, Access notebook contents, Manage cluster configurations, Handle job artifacts and Manage other workspace assets. 

You can tighten the policy by adding something like this,

Screenshot 2025-01-28 at 5.45.20 PM.png

 

 

0 Kudos

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you won’t want to miss the chance to attend and share knowledge.

If there isn’t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements