S3 Vector: SAM template permission update #122

Merged: andy-k-improving merged 7 commits into main from ft-hf-sam-permission-restriction on Mar 30, 2026

Conversation

andy-k-improving (Contributor) commented Mar 30, 2026

Summary 📝

Restrict overly permissive Resource: '*' in the S3 Vector connector SAM template to least-privilege scoped ARNs.

Changes:

  • athena:GetQueryExecution — scoped from * to arn:aws:athena:<region>:<account>:workgroup/*
  • S3 Vectors list access (ListIndexes, ListVectors) — scoped from * to account/region level for schema and table discovery
  • S3 Vectors data access (GetIndex, QueryVectors, GetVectors) — scoped to a specific vector bucket and all indexes within it
  • Added S3VectorBucketName parameter (required) to specify the target vector bucket

All ARNs use CloudFormation pseudo parameters (AWS::Partition, AWS::Region, AWS::AccountId) — no hardcoded values.

Impact:

  • Lambda can only read vector data from the specified bucket
  • Listing operations remain account-wide (required for metadata discovery)
  • Cross-account and cross-region access blocked by default
  • No functional change for users querying a single vector bucket

Test plan:

  • Deploy connector with S3VectorBucketName set to target bucket
  • Verify SHOW SCHEMAS, SHOW TABLES, and SELECT queries still work
  • Verify queries against other vector buckets are denied

Permissions

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
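The scoping described in the PR body, written out as a SAM template fragment. This is an added example, not the connector's own template or the text of this PR's diff. The Athena workgroup ARN form is the one the PR states; the S3 Vectors ARN forms (`bucket/<name>` and `bucket/<name>/index/<name>`), the `s3vectors:` action prefix, the `S3VectorConnectorFunction` resource name and the `AllowedPattern` are assumptions made for illustration and should be checked against the service's current IAM documentation before reuse.

```yaml
# Added example (not the connector's template): least-privilege scoping of the
# S3 Vector connector's Lambda role, using only CloudFormation pseudo parameters
# plus one deploy-time parameter. ARN shapes for S3 Vectors and the resource
# name S3VectorConnectorFunction are assumptions, not taken from the PR.
Parameters:
  S3VectorBucketName:
    Type: String
    Description: Name of the S3 vector bucket this connector may read (required).
    # Assumption: vector bucket names follow S3-style naming rules.
    AllowedPattern: '^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$'

Resources:
  S3VectorConnectorFunction:          # hypothetical resource name
    Type: AWS::Serverless::Function
    Properties:
      # Handler, Runtime, CodeUri and the rest of the function config omitted.
      Policies:
        - Version: '2012-10-17'
          Statement:
            # Before (what the PR removes): any workgroup in any account.
            #   - Effect: Allow
            #     Action: athena:GetQueryExecution
            #     Resource: '*'
            # After: only workgroups in this partition, region and account.
            - Sid: AthenaQueryExecutionInAccount
              Effect: Allow
              Action: athena:GetQueryExecution
              Resource: !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/*'

            # Listing stays account/region-wide so SHOW SCHEMAS / SHOW TABLES can
            # still discover buckets and indexes, but is pinned to this partition,
            # region and account (no cross-account or cross-region listing).
            - Sid: S3VectorsDiscovery
              Effect: Allow
              Action:
                - s3vectors:ListIndexes
                - s3vectors:ListVectors
              Resource:
                - !Sub 'arn:${AWS::Partition}:s3vectors:${AWS::Region}:${AWS::AccountId}:bucket/*'
                - !Sub 'arn:${AWS::Partition}:s3vectors:${AWS::Region}:${AWS::AccountId}:bucket/*/index/*'

            # Data reads are limited to the single bucket named at deploy time and
            # every index inside it; SELECT against any other bucket is denied.
            - Sid: S3VectorsReadTargetBucket
              Effect: Allow
              Action:
                - s3vectors:GetIndex
                - s3vectors:QueryVectors
                - s3vectors:GetVectors
              Resource:
                - !Sub 'arn:${AWS::Partition}:s3vectors:${AWS::Region}:${AWS::AccountId}:bucket/${S3VectorBucketName}'
                - !Sub 'arn:${AWS::Partition}:s3vectors:${AWS::Region}:${AWS::AccountId}:bucket/${S3VectorBucketName}/index/*'
```

Two things worth checking after a deploy with this shape. First, the "other bucket is denied" step of the test plan can be confirmed without running a query: `aws iam simulate-principal-policy --policy-source-arn <lambda-role-arn> --action-names s3vectors:QueryVectors --resource-arns <arn of a second vector bucket's index>` should return an implicit deny, while the same call against the configured bucket returns allow. Second, because the data-read statement interpolates a template parameter into an ARN, a bucket name that does not match the `AllowedPattern` fails at stack validation rather than producing a silently over-broad or malformed resource string.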

@andy-k-improving andy-k-improving changed the title Update sam tempalte S3 Vector: Sam template permission update Mar 30, 2026
@andy-k-improving andy-k-improving changed the title S3 Vector: Sam template permission update S3 Vector: SAM template permission update Mar 30, 2026
andy-k-improving force-pushed the ft-hf-sam-permission-restriction branch from 1840665 to 0e4c50b on March 30, 2026 19:34

Review comment threads (contents collapsed on the page):
  • athena-s3vector-connector/athena-s3vector-connector.yaml (one thread marked Outdated, two current)
  • athena-s3vector-connector/README.md (two threads marked Outdated)
andy-k-improving and others added 4 commits on March 30, 2026 13:24; three of them carry Co-authored-by: Andrew Carbonetto <andrew.carbonetto@improving.com>
andy-k-improving merged commit 610c6c9 into main on Mar 30, 2026 (10 checks passed)
acarbonetto deleted the ft-hf-sam-permission-restriction branch on March 30, 2026 20:45