Bucket encryption

To encrypt and decrypt the contents of your S3 bucket, the environment's node instance role must be able to use the KMS (Key Management System) key. Without this access, reads from and writes to the bucket fail.

By default, any principal in your account can use and manage keys. Typically, you instead restrict key access so that only the node instance role can use the key. To do so, add the following statement to your managed policy and attach the policy to the node instance role. The example policy statement grants only the minimal privileges needed to use the key.

{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::555555555555:role/env-id-dwx-stack-NodeInstanceRole-xyz"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:ReEncrypt*"
    ],
    "Resource": "*"
}
The snippet uses the following placeholder values:
  • 555555555555 is the example account ID.
  • env-id-dwx-stack-NodeInstanceRole-xyz is the example NodeInstanceRole for the environment.
    • env-id-dwx-stack is the example environment ID prefix.
    • xyz is a random string suffix.
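As an added example (not part of this documentation or of any AWS tooling), the following Python audits a key policy document for the statement above: it checks that the node instance role is granted only the minimal actions listed on this page and reports broader grants, wildcard principals, or a missing grant. It assumes the statement lives in the KMS key's policy document (it names a Principal, as key policy statements do); the account ID and role ARN reuse the page's placeholders, and make_key_policy builds a constructed sample policy so the audit runs offline.

```python
import json
from typing import List

ACCOUNT_ID = "555555555555"  # example account id from the page
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/env-id-dwx-stack-NodeInstanceRole-xyz"
# Minimal actions the page grants; IAM action names are case-insensitive,
# so comparisons are done lower-cased.
MINIMAL_ACTIONS = {"kms:encrypt", "kms:decrypt", "kms:generatedatakey", "kms:reencrypt*"}


def make_key_policy(role_actions: List[str]) -> str:
    """Constructed sample key policy: root admin statement plus the page's role statement."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": ROLE_ARN},
             "Action": role_actions, "Resource": "*"},
        ],
    })


def _as_list(value):
    # IAM accepts either a single string or a list for Principal.AWS and Action.
    return value if isinstance(value, list) else [value]


def audit_role_statements(policy_json: str, role_arn: str) -> List[str]:
    """Findings: wildcard principals, extra actions for role_arn, or no grant to the role."""
    findings: List[str] = []
    saw_role = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:  # any principal may use the key; the role restriction is moot
            findings.append(f"{sid}: wildcard principal")
        elif role_arn in aws:
            saw_role = True
            extra = {a.lower() for a in _as_list(stmt.get("Action", []))} - MINIMAL_ACTIONS
            if extra:
                findings.append(f"{sid}: extra actions {sorted(extra)}")
    if not saw_role:
        findings.append(f"no Allow statement grants {role_arn}; bucket reads and writes will fail")
    return findings
```

Run the audit against the real key policy by feeding it the JSON returned by `aws kms get-key-policy --policy-name default`; an empty result means the role holds exactly the page's minimal set.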