cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Help
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

AWS Security Hub - The S3 bucket is shared with an external AWS account

Go to solution
ambigus9
Contributor

‎01-28-2025 02:03 PM

Currently We observe a HIGH Risk warning on the Security Hub of AWS Account were we have been deployed a Private Link Databricks. This warning is related to the permissions associated to the root S3 bucket we use, here an example: 

 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::414351767826:root"
            },
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::my-rootbucket/*",
                "arn:aws:s3:::my-rootbucket"
            ]
        }
    ]
}

 

At this point I would to know:

1) Is possible to remove this S3 Bucket Policy without affecting my current Databricks Deployment?

2) What is the main reason of this policy? Why to enable access to an external AWS account?

Thanks!

Thanks.

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Satyadeepak
Databricks Employee
Databricks Employee

‎01-28-2025 03:46 PM

 

Hi @ambigus9 - Regarding the external AWS account (414351767826). This is actually a Databricks-owned AWS account, not a random external account. It's essential for Databricks' service to function properly. This account is used by Databricks to manage and orchestrate your workspace resources.

The policy allows Databricks control plane to, Access notebook contents, Manage cluster configurations, Handle job artifacts and Manage other workspace assets. 

You can tighten the policy by adding something like this,

Screenshot 2025-01-28 at 5.45.20 PM.png

 

 

View solution in original post

0 Kudos
1 REPLY 1

Go to solution
Satyadeepak
Databricks Employee
Databricks Employee

‎01-28-2025 03:46 PM

 

Hi @ambigus9 - Regarding the external AWS account (414351767826). This is actually a Databricks-owned AWS account, not a random external account. It's essential for Databricks' service to function properly. This account is used by Databricks to manage and orchestrate your workspace resources.

The policy allows Databricks control plane to, Access notebook contents, Manage cluster configurations, Handle job artifacts and Manage other workspace assets. 

You can tighten the policy by adding something like this,

Screenshot 2025-01-28 at 5.45.20 PM.png

 

 

0 Kudos

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local community—sign up today to get started!

Sign Up Now
Announcements
Top