awslabs / data-solutions-framework-on-aws

An open-source framework that simplifies implementation of data solutions.
https://awslabs.github.io/data-solutions-framework-on-aws/
Apache License 2.0
106 stars 14 forks

DataLakeStorage Independent bucket Policy access to L2 constructs #624

Closed PeterRayner closed 1 month ago

PeterRayner commented 1 month ago

Hi team

Looking to alter the bucket policies of buckets. Currently the default means that nobody can do any s3:* operation in the bucket.

We are looking for a way that we can apply specific policies to specific buckets for example:

```python
dsf.storage.DataLakeStorage(self, "MyDataLakeStorage", bronzeBucketPolicy = Policy, GoldBucketPolicy= Policy )
```

vgkowski commented 1 month ago

The current implementation of the DataLakeStorage construct doesn't provide any parameter to configure the individual bucket policies but you can still access bucket resources and add policies to the bucket policy. Here is an example:

```python
from aws_cdk import RemovalPolicy, aws_iam as iam
from cdklabs import aws_data_solutions_framework as dsf

# `self` is the Stack (or Construct) the data lake is created in.
data_lake = dsf.storage.DataLakeStorage(self, 'datalakestorage', removal_policy=RemovalPolicy.DESTROY)

# Each bucket is exposed as a regular Bucket resource, so extra statements
# can be appended to its bucket policy after construction.
data_lake.bronze_bucket.add_to_resource_policy(
    iam.PolicyStatement(
        actions=[
            "s3:PutObject"
        ],
        principals=[
            # placeholder role ARN
            iam.Role.from_role_arn(self, "AccessRole", 'arn:aws:iam::11111111111111:role/myrole')
        ],
        resources=[
            data_lake.bronze_bucket.bucket_arn,
            f"{data_lake.bronze_bucket.bucket_arn}/*"
        ]
    )
)
```

The construct default policy is not restrictive as long as S3 is accessed with TLS, so I suggest keeping the DataLakeStorage properties lean.
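The pattern in the comment above grants one role write access to one bucket while the construct's own TLS-only deny stays in place. As an added example (not code from this issue or from DSF), here is a small lint that reviews the resulting bucket policy document, in the JSON form CDK synthesises, for the points a reviewer checks before attaching a custom statement: no anonymous principal, no wildcard action, resources confined to the target bucket, and the `aws:SecureTransport` deny still present. The bucket and role ARNs and both policy documents are constructed sample values.

```python
import json

# Constructed sample values (not from the issue): a bronze bucket ARN and a
# placeholder role ARN standing in for the role granted in the comment above.
BUCKET_ARN = "arn:aws:s3:::example-bronze-bucket"
ROLE_ARN = "arn:aws:iam::111111111111:role/myrole"

# Shape of the bucket policy after add_to_resource_policy(): the TLS-only
# Deny the construct applies by default, plus the added Allow for one role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceTLS",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "AllowRoleWrite",
            "Effect": "Allow",
            "Principal": {"AWS": ROLE_ARN},
            "Action": ["s3:PutObject"],
            "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
        },
    ],
}

# A deliberately over-broad policy (constructed) that the lint should flag.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TooWide",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::some-other-bucket/*",
        }
    ],
}


def _as_list(value):
    """IAM policy JSON allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (including "*" inside an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def lint_bucket_policy(policy, bucket_arn):
    """Return a list of findings for a bucket policy document.

    Allow statements are checked for anonymous principals, wildcard actions and
    resources outside the target bucket; the document as a whole is checked for
    a Deny statement on aws:SecureTransport=false. This is a heuristic review
    aid, not a re-implementation of IAM's evaluation logic.
    """
    findings = []
    has_tls_deny = False
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if stmt.get("Effect") == "Deny":
            bool_cond = stmt.get("Condition", {}).get("Bool", {})
            if bool_cond.get("aws:SecureTransport") == "false" and "s3:*" in actions:
                has_tls_deny = True
            continue
        if _principal_is_anonymous(stmt.get("Principal")):
            findings.append(f"{sid}: Allow statement with anonymous principal '*'")
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard action grants every S3 operation")
        for res in resources:
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: resource {res} is outside {bucket_arn}")
    if not has_tls_deny:
        findings.append("no Deny statement enforcing aws:SecureTransport")
    return findings


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_POLICY), ("over-broad", OVERLY_BROAD_POLICY)):
        print(f"{name}: {json.dumps(lint_bucket_policy(doc, BUCKET_ARN), indent=2)}")
```

Run it against the `PolicyDocument` of the `AWS::S3::BucketPolicy` resource in the `cdk synth` output rather than hand-written JSON. The check ignores conditions on Allow statements and the `NotPrincipal`/`NotResource` forms, so a clean result is a first pass, not a proof that the policy is least-privilege.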