Tuesday
Currently we observe a HIGH risk warning in the Security Hub of the AWS account where we have deployed a Private Link Databricks workspace. This warning is related to the permissions associated with the root S3 bucket we use; here is an example:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::414351767826:root"
      },
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::my-rootbucket/*",
        "arn:aws:s3:::my-rootbucket"
      ]
    }
  ]
}
```
At this point I would like to know:
1) Is it possible to remove this S3 bucket policy without affecting my current Databricks deployment?
2) What is the main reason for this policy? Why enable access to an external AWS account?
Thanks!
Accepted Solutions
Tuesday
Hi @ambigus9 - Regarding the external AWS account (414351767826): this is actually a Databricks-owned AWS account, not a random external account. It's essential for the Databricks service to function properly. This account is used by Databricks to manage and orchestrate your workspace resources.
The policy allows the Databricks control plane to access notebook contents, manage cluster configurations, handle job artifacts and manage other workspace assets.
You can tighten the policy by adding something like this:
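As an added example (not code from the thread or from Databricks), a small Python check that does what the Security Hub finding does for the policy quoted in the question: it flags any Allow statement granting a foreign account access with no Condition, and it produces a tightened copy that binds the grant to callers carrying the Databricks account id as a principal tag. The condition key `aws:PrincipalTag/DatabricksAccountId` is assumed here, and the local account id `111111111111` is a constructed placeholder.

```python
import copy
import json

# Sample input: the root-bucket policy quoted in the question, embedded for an offline run.
ROOT_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::414351767826:root"},
    "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject",
               "s3:DeleteObject", "s3:ListBucket", "s3:GetBucketLocation"],
    "Resource": ["arn:aws:s3:::my-rootbucket/*", "arn:aws:s3:::my-rootbucket"]
  }]
}
""")


def principal_accounts(stmt: dict) -> list:
    """Return the account ids named in a statement's AWS principal ('*' for anonymous)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", [])
    arns = [aws] if isinstance(aws, str) else aws
    # arn:aws:iam::<account>:root splits so that index 4 is the account id
    return [a.split(":")[4] if a.startswith("arn:aws:iam::") else a for a in arns]


def unconditioned_cross_account(policy: dict, own_account: str) -> list:
    """Allow statements that let another account in without any Condition; this is
    the shape of grant a Security Hub-style cross-account finding reports."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        foreign = [a for a in principal_accounts(stmt) if a != own_account]
        if foreign and not stmt.get("Condition"):
            findings.append({"accounts": foreign, "actions": stmt.get("Action")})
    return findings


def with_principal_tag_condition(policy: dict, databricks_account_id: str) -> dict:
    """Copy of the policy whose cross-account Allow statements also require the caller
    to carry the DatabricksAccountId principal tag (assumed condition key)."""
    tightened = copy.deepcopy(policy)
    for stmt in tightened["Statement"]:
        if stmt.get("Effect") == "Allow" and "AWS" in stmt.get("Principal", {}):
            eq = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            eq["aws:PrincipalTag/DatabricksAccountId"] = [databricks_account_id]
    return tightened


if __name__ == "__main__":
    print(unconditioned_cross_account(ROOT_BUCKET_POLICY, "111111111111"))
    print(json.dumps(with_principal_tag_condition(ROOT_BUCKET_POLICY, "<DATABRICKS-ACCOUNT-ID>"), indent=2))
```

Run against the live policy with `aws s3api get-bucket-policy --bucket my-rootbucket` piped into `json.loads` to confirm whether your deployed version already carries a Condition.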