adnanhemani commented on PR #1424:
URL: https://github.com/apache/polaris/pull/1424#issuecomment-2847856018

> I believe Approach 4 is more aligned with Polaris’s use case, even though it involves broader access by allowing permissions to all KMS keys within a region.

While I agree that Approach 4 is the right way to go - I don't think it's because of limiting the KMS keys by region. Limiting that blast radius does not actually do anything to mitigate the attack vector that @collado-mike and I reasoned above. I'd say that it's more because of requiring the EncryptionContext that this IAM session cannot be misused against other AWS resources. Using the `KMS:ViaService` will also be helpful in the meantime to ensure that we are only supporting SSE via S3 - I'd recommend adding that to Approach 4 for a tighter security guarantee.

> S3 uses [Forward Access Sessions (FAS)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) to handle encryption and decryption. As a result, explicit KMS permissions are often not required for the calling application.

Clarification: While you're correct that S3 uses FAS, it does require that the original IAM session you used to call S3 has the required KMS permissions.

Thoughts @collado-mike @dennishuo ?

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@polaris.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
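The comment above argues that the real control in Approach 4 is the EncryptionContext condition, with `kms:ViaService` added so the vended session can only reach KMS through S3. The example below is added here and is not code from the Polaris PR or project: it builds one such IAM statement (any key in the region, but only via S3 and only for objects under one bucket) and runs a deliberately simplified condition evaluator over it to show which requests it admits. The region, bucket and key ARN are constructed placeholders, and the evaluator is a toy that ignores explicit denies, key policies and IAM's other operators; it exists only to make the effect of the two conditions concrete.

```python
"""Added example (not from the Polaris PR): an Approach-4 style KMS statement
scoped with kms:ViaService and kms:EncryptionContext:aws:s3:arn, plus a toy
evaluator that shows what the two conditions admit and reject."""
from fnmatch import fnmatchcase


def build_kms_statement(region: str, bucket: str) -> dict:
    """One IAM Allow statement for a credential-vending session.

    Resource stays broad (every KMS key in the region, as in Approach 4);
    the Condition block is what keeps the session from being usable
    against anything other than SSE-KMS on this bucket.
    """
    return {
        "Effect": "Allow",
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:GenerateDataKey*",
            "kms:ReEncrypt*",
        ],
        "Resource": f"arn:aws:kms:{region}:*:key/*",
        "Condition": {
            # Only KMS calls that S3 makes on the caller's behalf (FAS);
            # a direct KMS API call never carries this key.
            "StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"},
            # S3 sets the encryption context aws:s3:arn to the object (or
            # bucket) ARN, so the session cannot use the key for other data.
            "StringLike": {
                "kms:EncryptionContext:aws:s3:arn": f"arn:aws:s3:::{bucket}/*"
            },
        },
    }


def _conditions_hold(condition: dict, request_keys: dict) -> bool:
    """Toy check of StringEquals / StringLike; a missing key never matches."""
    for operator, checks in condition.items():
        for key, expected in checks.items():
            actual = request_keys.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringLike" and not fnmatchcase(actual, expected):
                return False
    return True


def is_allowed(statement: dict, action: str, resource: str, request_keys: dict) -> bool:
    """Does this single Allow statement match the request? (toy semantics)"""
    if statement["Effect"] != "Allow":
        return False
    if not any(fnmatchcase(action, p) for p in statement["Action"]):
        return False
    if not fnmatchcase(resource, statement["Resource"]):
        return False
    return _conditions_hold(statement.get("Condition", {}), request_keys)


# Constructed placeholders for a demonstration run.
REGION = "us-west-2"
BUCKET = "example-bucket"
KEY_ARN = f"arn:aws:kms:{REGION}:123456789012:key/11111111-2222-3333-4444-555555555555"
VIA_S3 = {"kms:ViaService": f"s3.{REGION}.amazonaws.com"}


def demo() -> dict:
    """Evaluate a few request shapes against the scoped statement."""
    stmt = build_kms_statement(REGION, BUCKET)
    own_object = {"kms:EncryptionContext:aws:s3:arn": f"arn:aws:s3:::{BUCKET}/ns/t/data.parquet"}
    other_bucket = {"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::other-bucket/secret.bin"}
    return {
        # S3 decrypting an object in the vended bucket: allowed.
        "s3_own_bucket": is_allowed(stmt, "kms:Decrypt", KEY_ARN, {**VIA_S3, **own_object}),
        # Same key, but the caller invokes KMS directly (no ViaService): denied.
        "direct_kms_call": is_allowed(stmt, "kms:Decrypt", KEY_ARN, own_object),
        # Via S3, but the encryption context names another bucket: denied.
        "s3_other_bucket": is_allowed(stmt, "kms:Decrypt", KEY_ARN, {**VIA_S3, **other_bucket}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} -> {'ALLOW' if ok else 'DENY'}")
```

The first scenario is the only one that passes: the region-wide `Resource` by itself would have admitted all three, which is the comment's point that the region scoping is not where the protection comes from.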
> I believe Approach 4 is more aligned with Polaris’s use case, even though it involves broader access by allowing permissions to all KMS keys within a region. While I agree that Approach 4 is the right way to go - I don't think it's because of limiting the KMS keys by region. Limiting that blast radius does not actually do anything to mitigate the attack vector that @collado-mike and I reasoned above. I'd say that it's more because of requiring the EncryptionContext that this IAM session cannot be misused against other AWS resources. Using the `KMS:ViaService` will also be helpful in the meantime to ensure that we are only supporting SSE via S3 - I'd recommend adding that to Approach 4 for a tighter security guarantee. > S3 uses [Forward Access Sessions (FAS)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) to handle encryption and decryption. As a result, explicit KMS permissions are often not required for the calling application. Clarification: While you're correct that S3 uses FAS, it does require the original IAM session that you used to call S3 does have the required KMS permissions. Thoughts @collado-mike @dennishuo ? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@polaris.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org