Administration & Architecture
AWS Security Hub - The S3 bucket is shared with an external AWS account

ambigus9
New Contributor III

Currently we observe a HIGH risk warning in the Security Hub of the AWS account where we have deployed Databricks with Private Link. This warning is related to the permissions associated with the root S3 bucket we use; here is an example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::414351767826:root"
            },
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::my-rootbucket/*",
                "arn:aws:s3:::my-rootbucket"
            ]
        }
    ]
}

At this point I would like to know:

1) Is it possible to remove this S3 bucket policy without affecting my current Databricks deployment?

2) What is the main reason for this policy? Why enable access to an external AWS account?

Thanks!

ACCEPTED SOLUTION

Satyadeepak
Databricks Employee

Hi @ambigus9 - Regarding the external AWS account (414351767826): this is actually a Databricks-owned AWS account, not a random external account. It is essential for the Databricks service to function properly. This account is used by Databricks to manage and orchestrate your workspace resources.

The policy allows the Databricks control plane to access notebook contents, manage cluster configurations, handle job artifacts, and manage other workspace assets.

You can tighten the policy by adding something like this:

[Screenshot: Screenshot 2025-01-28 at 5.45.20 PM.png (image not reproduced in this text)]

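An added example, not from the original post or from Databricks, that shows what "tightening" rather than deleting the statement looks like in practice. It audits a root-bucket policy like the one the poster shared, classifying every Allow statement that grants access outside the owning account, and then produces a copy of the policy in which the unconditioned Databricks grant is scoped with a Condition instead of being removed (removing it would break the workspace, as the answer says). The owner account 111122223333 and the Databricks account ID placeholder are constructed values; the condition key aws:PrincipalTag/DatabricksAccountId is an assumption modelled on the Databricks root-bucket policy documentation, and you should confirm it against the current Databricks docs for your account before applying it.

```python
import copy
import json

# Constructed sample values for this example (not from the thread).
OWNER_ACCOUNT = "111122223333"           # the AWS account that owns the root bucket
DATABRICKS_ACCOUNT = "414351767826"      # the Databricks-owned account named in the thread
TRUSTED_EXTERNAL = {DATABRICKS_ACCOUNT}  # external accounts you knowingly grant access to

# The poster's policy, embedded here as sample input.
ROOT_BUCKET_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::414351767826:root"},
            "Action": [
                "s3:GetObject", "s3:GetObjectVersion", "s3:PutObject",
                "s3:DeleteObject", "s3:ListBucket", "s3:GetBucketLocation"
            ],
            "Resource": ["arn:aws:s3:::my-rootbucket/*", "arn:aws:s3:::my-rootbucket"]
        }
    ]
}
""")


def principal_accounts(statement):
    """Return the account IDs (or '*') named in a statement's Principal element."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(aws, str):
        aws = [aws]
    accounts = set()
    for p in aws:
        if p == "*":
            accounts.add("*")
        elif p.startswith("arn:aws:iam::"):
            accounts.add(p.split(":")[4])   # arn:aws:iam::<account>:root
        elif len(p) == 12 and p.isdigit():
            accounts.add(p)                  # bare account ID form
    return accounts


def audit_policy(policy, owner=OWNER_ACCOUNT, trusted=TRUSTED_EXTERNAL):
    """Classify every Allow statement that grants access outside the owner account.

    status is one of: 'public' (wildcard principal), 'unknown-external' (account
    not on the trusted list), 'trusted-unconditioned' (trusted account but no
    Condition narrowing the grant), or 'trusted-conditioned'.
    """
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        external = principal_accounts(st) - {owner}
        if not external:
            continue
        if "*" in external:
            status = "public"
        elif not external <= trusted:
            status = "unknown-external"
        elif "Condition" in st:
            status = "trusted-conditioned"
        else:
            status = "trusted-unconditioned"
        findings.append({"sid": st.get("Sid", f"statement-{i}"),
                         "accounts": sorted(external), "status": status})
    return findings


def tighten_for_databricks(policy, databricks_account_id):
    """Return a copy of the policy where each unconditioned Databricks grant is
    scoped to one Databricks account ID through a principal-tag condition.

    ASSUMPTION: 'aws:PrincipalTag/DatabricksAccountId' is the condition key the
    Databricks root-bucket docs use; verify against current docs before deploying.
    """
    tightened = copy.deepcopy(policy)
    for st in tightened["Statement"]:
        if (st.get("Effect") == "Allow"
                and DATABRICKS_ACCOUNT in principal_accounts(st)
                and "Condition" not in st):
            st.setdefault("Sid", "Grant Databricks Access")
            st["Condition"] = {"StringEquals": {
                "aws:PrincipalTag/DatabricksAccountId": [databricks_account_id]}}
    return tightened


if __name__ == "__main__":
    for finding in audit_policy(ROOT_BUCKET_POLICY):
        print(finding)
    # Placeholder Databricks account ID (a UUID in real deployments).
    placeholder_id = "00000000-0000-0000-0000-000000000000"
    print(json.dumps(tighten_for_databricks(ROOT_BUCKET_POLICY, placeholder_id), indent=2))
```

To run this against a live bucket, pull the policy with aws s3api get-bucket-policy --bucket my-rootbucket --query Policy --output text, feed it to audit_policy, and apply the tightened document with aws s3api put-bucket-policy --bucket my-rootbucket --policy file://tightened.json. Note that the statement still names an external account after tightening, so the Security Hub finding may persist; the condition limits which Databricks identities can exercise the grant, which is the point of the control, and the finding can then be reviewed and suppressed as an accepted, documented cross-account grant.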
