fivetran-ashokborra commented on PR #1424: URL: https://github.com/apache/polaris/pull/1424#issuecomment-2848389204
> I don't think it's because of limiting the KMS keys by region. Limiting that blast radius does not actually do anything to mitigate the attack vector that @collado-mike and I reasoned above

That's correct. With encryptionContext and viaService, the keys can only be used against the S3 bucket.

> While you're correct that S3 uses FAS, it does require the original IAM session that you used to call S3 does have the required KMS permissions.

Yes, it does. I meant to say, explicit usage of KMS keys is not needed. Let me change the wording.
