Server-Side Encryptions¶
Server-side encryption is the encryption of data at its destination by the application or service that receives it. If the source bucket or the destination bucket is secured with server-side encryption, Alation cannot extract data from that bucket without the additional permissions described below.
To perform metadata extraction, incremental extraction, and sampling of encrypted files in Alation, you need to set additional permissions depending on the authentication type used in Alation and on the server-side encryption option you are using (SSE-S3 or SSE-KMS). For more details, see the AWS documentation.
Server-side encryption with customer-provided keys (SSE-C) is not currently supported by Alation.
The default option for server-side encryption is with Amazon S3 managed keys (SSE-S3). It does not require any additional permissions to be granted in AWS.
If you are using KMS keys (SSE-KMS), then additional configuration is required.
You will need to do the following:
- Attach additional permissions to the KMS key itself
- Attach additional permissions to the IAM user (Basic authentication) or IAM role (STS authentication) you are using in Alation
- Grant additional permissions to the actual users who will perform dynamic sampling in Alation
- Attach additional permissions to the IAM role of the Lambda function. This applies only if you are using the incremental extraction feature.
Refer to sections below for details.
SSE-S3¶
The default option for server-side encryption is with Amazon S3 managed keys (SSE-S3). Hence, it does not require any permission to be set in AWS.
SSE-KMS¶
This section provides information about the permissions that need to be set if you use the KMS key for server-side encryption.
Permissions for the KMS Key¶
The policy on the KMS key must include the kms:GenerateDataKey action, which allows the S3 service to generate a data key on behalf of the source buckets. You can append this statement to the existing key policy without removing the statements already in it. See the example below. When using this example, replace {ACCOUNT_ID} with your account id and {SOURCE_BUCKET_N} with your source bucket names. The aws:SourceAccount and aws:SourceARN conditions limit the grant to S3 acting for those buckets in your account, so do not drop them.
{
    "Sid": "Allow Amazon S3 use of the customer managed key",
    "Effect": "Allow",
    "Principal": {
        "Service": "s3.amazonaws.com"
    },
    "Action": "kms:GenerateDataKey",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "{ACCOUNT_ID}"
        },
        "ArnLike": {
            "aws:SourceARN": [
                "arn:aws:s3:::{SOURCE_BUCKET_1}",
                "arn:aws:s3:::{SOURCE_BUCKET_2}"
            ]
        }
    }
}
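As an added example (not Alation's own code or tooling), the following Python renders the key-policy statement above with the placeholders filled in and appends it to an existing key policy without dropping the statements already there, which is exactly the mistake the instructions warn against. The account id, bucket names and the existing policy are constructed sample values.

```python
import json
from copy import deepcopy

S3_SID = "Allow Amazon S3 use of the customer managed key"


def s3_generate_data_key_statement(account_id, source_buckets):
    """Build the key-policy statement from this page with placeholders filled in.
    aws:SourceAccount / aws:SourceArn keep the grant limited to S3 acting for the
    named source buckets in the named account (a wider grant is not needed)."""
    return {
        "Sid": S3_SID,
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "kms:GenerateDataKey",
        "Resource": "*",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": account_id},
            "ArnLike": {"aws:SourceArn": [f"arn:aws:s3:::{b}" for b in source_buckets]},
        },
    }


def merge_into_key_policy(policy, statement):
    """Append `statement` to a key policy (JSON string or dict) while keeping every
    existing statement. A statement with the same Sid is replaced, so re-running
    with a new bucket list updates the grant instead of duplicating it."""
    policy = json.loads(policy) if isinstance(policy, str) else deepcopy(policy)
    kept = [s for s in policy.get("Statement", []) if s.get("Sid") != statement["Sid"]]
    policy["Statement"] = kept + [statement]
    return policy


# Constructed sample: a key policy holding only the default root-account statement.
EXISTING_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    stmt = s3_generate_data_key_statement("111122223333", ["source-bucket-1", "source-bucket-2"])
    print(json.dumps(merge_into_key_policy(EXISTING_KEY_POLICY, stmt), indent=2))
```

The printed document is what you would paste back as the full key policy; the original root statement stays first, so you do not lock yourself out of the key.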
Permissions for IAM User or IAM Role¶
If you are using an IAM user for basic authentication or an IAM role for STS authentication, add the following permission to that IAM user or IAM role so it can decrypt with the KMS keys used on the source buckets and destination buckets. Replace {ACCOUNT_ID} and {KEY_ID} with your account id and key id; the example uses the us-east-1 region, so adjust the ARN if your key is in another region.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": [
                "arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID}"
            ]
        }
    ]
}
Permissions for Alation Users (Dynamic Sampling)¶
For dynamic sampling, the permission to decrypt with the KMS key used on the source buckets must also be assigned to the user who performs the dynamic sampling:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": [
                "arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID}"
            ]
        }
    ]
}
Permissions for IAM Role for Lambda Function¶
If you use incremental extraction, add the following permission to the IAM role of the Lambda function. {KEY_ID_OF_KEY_B} is the id of the KMS key that encrypts the destination bucket (see the use cases below):
{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": "kms:GenerateDataKey",
    "Resource": [
        "arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID_OF_KEY_B}"
    ]
}
SSE-C¶
Server-side encryption with customer-provided keys (SSE-C) is not supported by Alation.
Use cases¶
Use case - 1¶
Criteria¶
The source bucket(s) have default SSE-KMS encryption enabled using KMS key key-A.
The destination bucket has default SSE-KMS encryption enabled using KMS key key-A.
Steps¶
1. Create KMS key key-A (see How to set up SSE KMS in S3 bucket?). Choose Symmetric as the key type and Encrypt and decrypt as the key usage.
2. Create a source bucket with SSE-KMS encryption enabled, selecting KMS key key-A.
3. Create a destination bucket with SSE-KMS encryption enabled, selecting KMS key key-A.
4. Update the key policy of key-A to allow the source bucket to use the key:
   a. Go to the KMS service and click Customer-managed keys.
   b. Search for your key key-A.
   c. Edit the key policy and append the statement below. Do not remove any of the existing statements. Replace {ACCOUNT_ID} with your account id and {SOURCE_BUCKET_N} with your source bucket names.
      {
          "Sid": "Allow Amazon S3 use of the customer managed key",
          "Effect": "Allow",
          "Principal": {
              "Service": "s3.amazonaws.com"
          },
          "Action": "kms:GenerateDataKey",
          "Resource": "*",
          "Condition": {
              "StringEquals": {
                  "aws:SourceAccount": "{ACCOUNT_ID}"
              },
              "ArnLike": {
                  "aws:SourceARN": [
                      "arn:aws:s3:::{SOURCE_BUCKET_1}",
                      "arn:aws:s3:::{SOURCE_BUCKET_2}"
                  ]
              }
          }
      }
   d. Save the policy.
5. Follow Lambda Function Setup for Incremental MDE for the manual setup of the inventory and the Lambda function, with the following modifications:
   a. While setting up the inventory configuration, choose the destination bucket created in step 3.
   b. While setting up the IAM role for the Lambda function, append the statement below alongside the PutObject permission. Replace {DESTINATION_BUCKET} with your destination bucket name, {ACCOUNT_ID} with your account id and {KEY_ID} with your key id.
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": "kms:GenerateDataKey",
                  "Resource": [
                      "arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID}"
                  ]
              },
              {
                  "Action": [
                      "s3:PutObject"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                      "arn:aws:s3:::{DESTINATION_BUCKET}/*"
                  ]
              }
          ]
      }
6. In the IAM user setup described in User Creation for S3 Connector, append the following additional permission to support SSE-KMS. Replace {ACCOUNT_ID} and {KEY_ID} with your account id and key id. If you are using STS authentication, add this permission to your STS role instead.
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": "kms:Decrypt",
                  "Resource": [
                      "arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID}"
                  ]
              }
          ]
      }
7. Perform MDE, schema extraction, and sampling. For sampling to work, assign the permission/policy created in step 6 to the user (IAM or SSO) who runs sampling.
Use case - 2¶
Criteria¶
The source bucket(s) have default SSE-KMS encryption enabled using KMS key key-A.
The destination bucket has default SSE-KMS encryption enabled using KMS key key-B.
Steps¶
1. Create KMS keys key-A and key-B (see How to set up SSE KMS in S3 bucket?). Choose Symmetric as the key type and Encrypt and decrypt as the key usage.
2. Create a source bucket with SSE-KMS encryption enabled, selecting KMS key key-A.
3. Create a destination bucket with SSE-KMS encryption enabled, selecting KMS key key-B.
4. Update the key policy of key-B to allow the source bucket to use the key:
   a. Go to the KMS service and click Customer-managed keys.
   b. Search for your key key-B.
   c. Edit the key policy and append the statement below. Do not remove any of the existing statements. Replace {ACCOUNT_ID} with your account id and {SOURCE_BUCKET_N} with your source bucket names.
      {
          "Sid": "Allow Amazon S3 use of the customer managed key",
          "Effect": "Allow",
          "Principal": {
              "Service": "s3.amazonaws.com"
          },
          "Action": "kms:GenerateDataKey",
          "Resource": "*",
          "Condition": {
              "StringEquals": {
                  "aws:SourceAccount": "{ACCOUNT_ID}"
              },
              "ArnLike": {
                  "aws:SourceARN": [
                      "arn:aws:s3:::{SOURCE_BUCKET_1}",
                      "arn:aws:s3:::{SOURCE_BUCKET_2}"
                  ]
              }
          }
      }
   d. Save the policy.
5. Follow Lambda Function Setup for Incremental MDE for the manual setup of the inventory and the Lambda function, with the following modifications:
   a. While setting up the inventory configuration, choose the destination bucket created in step 3.
   b. While setting up the IAM role for the Lambda function, append the statement below alongside the PutObject permission. Replace {DESTINATION_BUCKET} with your destination bucket name, {ACCOUNT_ID} with your account id and {KEY_ID_OF_KEY_B} with the key id of key-B.
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": "kms:GenerateDataKey",
                  "Resource": [
                      "arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID_OF_KEY_B}"
                  ]
              },
              {
                  "Action": [
                      "s3:PutObject"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                      "arn:aws:s3:::{DESTINATION_BUCKET}/*"
                  ]
              }
          ]
      }
6. In the IAM user setup described in User Creation for S3 Connector, append the following additional permission to support SSE-KMS. Replace {ACCOUNT_ID} with your account id and {KEY_ID_OF_KEY_A} and {KEY_ID_OF_KEY_B} with the key ids of key-A and key-B. If you are using STS authentication, add this permission to your STS role instead.
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": "kms:Decrypt",
                  "Resource": [
                      "arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID_OF_KEY_A}",
                      "arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID_OF_KEY_B}"
                  ]
              }
          ]
      }
7. Perform MDE, schema extraction, and sampling. For sampling to work, assign the permission/policy created in step 6 to the user (IAM or SSO) who runs sampling.
Use case - 3¶
Criteria¶
The source bucket(s) have default SSE-KMS encryption enabled using KMS key key-A.
The destination bucket has default SSE-S3 encryption.
SSE-KMS encryption with KMS key key-B is enabled in the inventory configuration of the source bucket.
Steps¶
1. Create KMS keys key-A and key-B (see How to set up SSE KMS in S3 bucket?). Choose Symmetric as the key type and Encrypt and decrypt as the key usage.
2. Create a source bucket with SSE-KMS encryption enabled, selecting KMS key key-A.
3. Create a destination bucket with SSE-KMS encryption.
4. Update the key policy of key-B to allow the source bucket to use the key:
   a. Go to the KMS service and click Customer-managed keys.
   b. Search for your key key-B.
   c. Edit the key policy and append the statement below. Do not remove any of the existing statements. Replace {ACCOUNT_ID} with your account id and {SOURCE_BUCKET_N} with your source bucket names.
      {
          "Sid": "Allow Amazon S3 use of the customer managed key",
          "Effect": "Allow",
          "Principal": {
              "Service": "s3.amazonaws.com"
          },
          "Action": "kms:GenerateDataKey",
          "Resource": "*",
          "Condition": {
              "StringEquals": {
                  "aws:SourceAccount": "{ACCOUNT_ID}"
              },
              "ArnLike": {
                  "aws:SourceARN": [
                      "arn:aws:s3:::{SOURCE_BUCKET_1}",
                      "arn:aws:s3:::{SOURCE_BUCKET_2}"
                  ]
              }
          }
      }
   d. Save the policy.
5. Follow Lambda Function Setup for Incremental MDE for the manual setup of the inventory and the Lambda function, with the following modifications:
   a. Choose the destination bucket created in step 3.
   b. Set the encryption mode to SSE-KMS and choose key key-B.
   c. Create the configuration.
6. In the IAM user setup described in User Creation for S3 Connector, append the following additional permission to support SSE-KMS. Replace {ACCOUNT_ID} with your account id and {KEY_ID_OF_KEY_A} and {KEY_ID_OF_KEY_B} with the key ids of key-A and key-B. If you are using STS authentication, add this permission to your STS role instead.
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": "kms:Decrypt",
                  "Resource": [
                      "arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID_OF_KEY_A}",
                      "arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID_OF_KEY_B}"
                  ]
              }
          ]
      }
7. Perform MDE, schema extraction, and sampling. For sampling to work, assign the permission/policy created in step 6 to the user (IAM or SSO) who runs sampling.
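Before running sampling in use cases 2 and 3, it is worth checking that the IAM user or STS role policy from step 6 actually names both key-A and key-B. The following Python audit is an added example (not part of Alation's documentation or product): it reports which required key ARNs lack an explicit kms:Decrypt grant and whether any grant uses a wildcard resource instead of naming the keys, as the page's examples do. The account id, key ids and the sample policy are constructed values.

```python
import json


def _as_list(value):
    """IAM allows Action and Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants_decrypt(statement):
    """True if an Allow statement covers kms:Decrypt (directly or via kms:* / *)."""
    if statement.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(statement.get("Action", []))}
    return bool(actions & {"kms:decrypt", "kms:*", "*"})


def audit_decrypt_policy(policy_json, required_key_arns):
    """Check an IAM user/role policy against the KMS key ARNs the principal must
    decrypt with. Returns (missing, wildcard): `missing` lists required key ARNs
    that are not granted explicitly, `wildcard` is True if some Decrypt grant uses
    Resource "*" rather than naming the key(s), which is broader than this page's
    examples and worth tightening."""
    policy = json.loads(policy_json)
    granted, wildcard = set(), False
    for stmt in policy.get("Statement", []):
        if not _grants_decrypt(stmt):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                wildcard = True
            granted.add(res)
    missing = [arn for arn in required_key_arns if arn not in granted]
    return missing, wildcard


# Constructed sample ARNs (account id and key ids are placeholders, not real keys).
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000001"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-0000-0000-0000-000000000002"

# Constructed sample: a use case 2 policy that was only updated for key-A.
PARTIAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": [KEY_A]},
]})

if __name__ == "__main__":
    missing, wildcard = audit_decrypt_policy(PARTIAL_POLICY, [KEY_A, KEY_B])
    print("missing:", missing)        # key-B is not granted, so sampling would fail
    print("wildcard resource:", wildcard)
```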