fivetran-ashokborra commented on PR #1424: URL: https://github.com/apache/polaris/pull/1424#issuecomment-2835297056
> > But I'm still struggling with a proper threat model here.
>
> You're not creative enough to be a bad guy 🤣
>
> The threat here is that the vended credentials are used outside of the scope of accessing the data in this table. There's nothing preventing a malicious user from using these credentials to call KMS to decrypt any key defined for any file elsewhere in S3. Or non-S3 resources entirely.
>
> At minimum, the IAM policy should define an encryption context, but preferably the specific KMS key _and_ the encryption context.

Note that we aren't talking about one single key ARN, but possibly more than one: you can configure S3 to use a new key ARN for future objects, and each S3 object's metadata also contains the key ARN it was encrypted with. Maybe we should instead focus on restricting access by encryption context; otherwise we would need to list all the objects we are accessing and issue metadata requests for all objects just to collect the list of needed keys. Every time there's a KMS key change, do we want Polaris to have updated information about it?
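The two scoping options discussed in this thread, a statement pinned to explicit KMS key ARNs versus one that relies on the encryption context alone, side by side as an added example. This is illustrative code written for this page, not Polaris code or an AWS library API. It assumes the vended credentials are an STS session whose effective permissions can be narrowed by a session policy, and that S3 SSE-KMS populates the encryption context key `aws:s3:arn` with the object ARN; the bucket name, prefix, region, key ARNs and request contexts are constructed sample values. `kms_call_allowed` is a deliberately small evaluator for the two condition operators the policy uses (no Deny statements, no policy variables), enough to show which requests the condition admits. One caveat the evaluator surfaces: when S3 Bucket Keys are enabled, S3 sends the bucket ARN rather than the object ARN as `aws:s3:arn`, so a prefix-scoped `StringLike` pattern would then reject legitimate reads of the table and the condition would have to be written at bucket granularity instead.

```python
import fnmatch

# Constructed sample values (not taken from the Polaris PR).
SAMPLE_BUCKET = "example-lakehouse"
SAMPLE_PREFIX = "warehouse/db1/table1"
SAMPLE_REGION = "us-east-1"
SAMPLE_KEY_ARNS = [
    "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111",
    "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222",
]


def build_kms_session_policy(bucket, prefix, region, key_arns=None):
    """Session-policy document for vended credentials: KMS may be used only on
    behalf of S3 (kms:ViaService) and only for objects under the table prefix
    (kms:EncryptionContext:aws:s3:arn). With key_arns the statement is also
    pinned to those keys; with Resource "*" the encryption-context condition
    alone does the scoping, so no key ARN enumeration is needed."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "KmsOnlyForThisTablesObjects",
                "Effect": "Allow",
                "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
                "Resource": list(key_arns) if key_arns else "*",
                "Condition": {
                    "StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"},
                    "StringLike": {
                        "kms:EncryptionContext:aws:s3:arn": f"arn:aws:s3:::{bucket}/{prefix}/*"
                    },
                },
            }
        ],
    }


def _condition_holds(operator, pattern, value):
    # Only the two operators the policy above uses. IAM StringLike wildcards are
    # '*' and '?'; fnmatch also treats '[...]' specially, which ARNs never contain.
    if value is None:  # missing context key fails the condition, as in IAM
        return False
    if operator == "StringEquals":
        return value == pattern
    if operator == "StringLike":
        return fnmatch.fnmatchcase(value, pattern)
    raise ValueError(f"unsupported condition operator: {operator}")


def kms_call_allowed(policy, action, key_arn, request_context):
    """Toy evaluator: does some Allow statement admit this KMS request?
    request_context maps condition keys (e.g. 'kms:ViaService') to the values
    the request would carry. Explicit Deny statements are out of scope here."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(key_arn, r) for r in resources):
            continue
        conditions = stmt.get("Condition", {})
        if all(
            _condition_holds(op, pattern, request_context.get(key))
            for op, pairs in conditions.items()
            for key, pattern in pairs.items()
        ):
            return True
    return False


def demo():
    """Evaluate a handful of constructed KMS requests against both policy shapes."""
    via_s3 = f"s3.{SAMPLE_REGION}.amazonaws.com"
    ctx_key = "kms:EncryptionContext:aws:s3:arn"
    by_context = build_kms_session_policy(SAMPLE_BUCKET, SAMPLE_PREFIX, SAMPLE_REGION)
    pinned = build_kms_session_policy(SAMPLE_BUCKET, SAMPLE_PREFIX, SAMPLE_REGION, SAMPLE_KEY_ARNS)

    in_scope = {"kms:ViaService": via_s3,
                ctx_key: f"arn:aws:s3:::{SAMPLE_BUCKET}/{SAMPLE_PREFIX}/data/part-0.parquet"}
    other_table = {"kms:ViaService": via_s3,
                   ctx_key: f"arn:aws:s3:::{SAMPLE_BUCKET}/warehouse/db1/other/data/part-0.parquet"}
    direct_kms_call = {ctx_key: in_scope[ctx_key]}  # no kms:ViaService: not via S3
    bucket_key_context = {"kms:ViaService": via_s3, ctx_key: f"arn:aws:s3:::{SAMPLE_BUCKET}"}
    unlisted_key = "arn:aws:kms:us-east-1:111122223333:key/33333333-3333-3333-3333-333333333333"

    return {
        "in_scope": kms_call_allowed(by_context, "kms:Decrypt", SAMPLE_KEY_ARNS[0], in_scope),
        # A key S3 rotated to later still works when scoping is by context only.
        "in_scope_new_key": kms_call_allowed(by_context, "kms:Decrypt", unlisted_key, in_scope),
        "other_table": kms_call_allowed(by_context, "kms:Decrypt", SAMPLE_KEY_ARNS[0], other_table),
        "direct_kms_call": kms_call_allowed(by_context, "kms:Decrypt", SAMPLE_KEY_ARNS[0], direct_kms_call),
        "pinned_listed_key": kms_call_allowed(pinned, "kms:Decrypt", SAMPLE_KEY_ARNS[1], in_scope),
        "pinned_unlisted_key": kms_call_allowed(pinned, "kms:Decrypt", unlisted_key, in_scope),
        "bucket_key_context": kms_call_allowed(by_context, "kms:Decrypt", SAMPLE_KEY_ARNS[0], bucket_key_context),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'allow' if allowed else 'deny'}")
```

The `in_scope_new_key` versus `pinned_unlisted_key` pair is the trade-off raised in the comment: pinning to key ARNs denies a key S3 starts using later until the policy is regenerated, while scoping by encryption context keeps working but depends entirely on the context S3 supplies, so it should still be combined with `kms:ViaService` and reviewed against the bucket's Bucket Key setting.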
