Step 3: Configure cross-account support (Optional)

This step describes how to set up cross-account audit log delivery. If your S3 bucket is in the same AWS account as the IAM role used for log delivery, skip this step.

To deliver logs to an AWS account other than the one used for your Databricks workspace, you must add the S3 bucket policy provided in this step to the bucket. The policy names the cross-account IAM role that you created in Step 2: Configure credentials for audit log delivery as its only Principal. Keep it that narrow: a single role, not the account root or a wildcard, because any principal that matches can write, read and delete your audit logs.

  1. In the AWS Console, go to the S3 service.

  2. Click the bucket name.

  3. Click the Permissions tab.

  4. Click the Bucket Policy button.

  5. Click the Edit button.

  6. Copy and modify this bucket policy. Replace <s3-bucket-name> with the S3 bucket name, <customer-iam-role-id> with the account ID and role name of the IAM role you created in Step 2, so that each Principal becomes the role's full ARN (arn:aws:iam::<account-id>:role/<role-name>), and <s3-bucket-path-prefix> with the bucket path prefix you want.

    {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Principal": {
                  "AWS": ["arn:aws:iam::<customer-iam-role-id>"]
              },
              "Action": "s3:GetBucketLocation",
              "Resource": "arn:aws:s3:::<s3-bucket-name>"
          },
          {
              "Effect": "Allow",
              "Principal": {
                  "AWS": "arn:aws:iam::<customer-iam-role-id>"
              },
              "Action": [
                  "s3:PutObject",
                  "s3:GetObject",
                  "s3:DeleteObject",
                  "s3:PutObjectAcl",
                  "s3:AbortMultipartUpload",
                  "s3:ListMultipartUploadParts"
              ],
              "Resource": [
                  "arn:aws:s3:::<s3-bucket-name>/<s3-bucket-path-prefix>/",
                  "arn:aws:s3:::<s3-bucket-name>/<s3-bucket-path-prefix>/*"
              ]
          },
          {
              "Effect": "Allow",
              "Principal": {
                  "AWS": "arn:aws:iam::<customer-iam-role-id>"
              },
              "Action": "s3:ListBucket",
              "Resource": "arn:aws:s3:::<s3-bucket-name>",
              "Condition": {
                  "StringLike": {
                      "s3:prefix": [
                          "<s3-bucket-path-prefix>",
                          "<s3-bucket-path-prefix>/*"
                      ]
                  }
              }
          }
      ]
    }
    

Customize path prefixes

You can customize how the policy uses the path prefix:

  • If you do not want to use the bucket path prefix, remove <s3-bucket-path-prefix>/ (including the final slash) from the two Resource entries of the object-level statement, and remove the Condition block from the s3:ListBucket statement. Without a prefix the role may list the whole bucket, so there is nothing left for the s3:prefix condition to constrain.

  • If you want log delivery configurations for multiple workspaces that share the S3 bucket but use different path prefixes, you can include multiple path prefixes. Two parts of the policy reference <s3-bucket-path-prefix>: the Resource list of the object-level statement and the s3:prefix list in the Condition of the s3:ListBucket statement. In each, duplicate the two lines that reference the path prefix once per prefix. For example, the Resource list for two workspaces:

    {
      "Resource":[
        "arn:aws:s3:::<mybucketname>/field-team/",
        "arn:aws:s3:::<mybucketname>/field-team/*",
        "arn:aws:s3:::<mybucketname>/finance-team/",
        "arn:aws:s3:::<mybucketname>/finance-team/*"
      ]
    }
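
The policy from step 6 and the two prefix customizations above, rendered and sanity-checked by a script. This is an added example, not part of Databricks' documentation or tooling; the bucket name, account ID, role name and team prefixes are constructed placeholders. It emits one Resource pair and one s3:prefix pair per prefix for a shared bucket, drops the s3:ListBucket Condition when no prefix is used, and flags a Principal wider than the Step 2 role or a ListBucket grant that has lost its prefix condition.

```python
"""Render and sanity-check the Step 3 cross-account bucket policy.

Added example, not Databricks tooling. All names below are constructed
placeholders; substitute your own bucket, role ARN and prefixes.
"""
import json

# Constructed inputs (hypothetical bucket, account and role).
BUCKET = "example-audit-logs"
ROLE_ARN = "arn:aws:iam::123456789012:role/databricks-log-delivery"
PREFIXES = ["field-team", "finance-team"]

# Object-level actions exactly as listed in the Step 3 policy.
OBJECT_ACTIONS = [
    "s3:PutObject",
    "s3:GetObject",
    "s3:DeleteObject",
    "s3:PutObjectAcl",
    "s3:AbortMultipartUpload",
    "s3:ListMultipartUploadParts",
]


def object_resources(bucket, prefixes):
    """Resource ARNs for the object-level statement.

    With prefixes: one "<prefix>/" and "<prefix>/*" pair per prefix.
    Without: the same two entries with "<prefix>/" removed, as Step 3 says.
    """
    if not prefixes:
        return [f"arn:aws:s3:::{bucket}/", f"arn:aws:s3:::{bucket}/*"]
    resources = []
    for prefix in prefixes:
        prefix = prefix.strip("/")
        resources.append(f"arn:aws:s3:::{bucket}/{prefix}/")
        resources.append(f"arn:aws:s3:::{bucket}/{prefix}/*")
    return resources


def list_prefix_patterns(prefixes):
    """s3:prefix patterns for the ListBucket condition: "<prefix>", "<prefix>/*"."""
    patterns = []
    for prefix in prefixes:
        prefix = prefix.strip("/")
        patterns.append(prefix)
        patterns.append(f"{prefix}/*")
    return patterns


def build_policy(bucket, role_arn, prefixes):
    """Build the three-statement Step 3 policy for zero, one or many prefixes."""
    principal = {"AWS": role_arn}
    list_stmt = {
        "Effect": "Allow",
        "Principal": principal,
        "Action": "s3:ListBucket",
        "Resource": f"arn:aws:s3:::{bucket}",
    }
    if prefixes:
        # No prefix means listing covers the whole bucket, so the condition is dropped.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": list_prefix_patterns(prefixes)}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": principal,
                "Action": "s3:GetBucketLocation",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Effect": "Allow",
                "Principal": principal,
                "Action": OBJECT_ACTIONS,
                "Resource": object_resources(bucket, prefixes),
            },
            list_stmt,
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_policy(policy, role_arn):
    """Return a list of findings; an empty list means the policy is as tight as Step 3 intends."""
    findings = []
    # Does the object-level statement scope writes to a path prefix?
    object_arns = []
    for stmt in policy["Statement"]:
        if "s3:PutObject" in _as_list(stmt["Action"]):
            object_arns += _as_list(stmt["Resource"])
    uses_prefix = any(len(arn.split(":::", 1)[1].split("/")) > 2 for arn in object_arns)

    for i, stmt in enumerate(policy["Statement"]):
        principal = stmt["Principal"]
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if p == "*" or p.endswith(":root"):
                findings.append(f"statement {i}: principal {p} is wider than the delivery role")
            elif p != role_arn:
                findings.append(f"statement {i}: unexpected principal {p}")
        if "s3:ListBucket" in _as_list(stmt["Action"]) and uses_prefix and "Condition" not in stmt:
            findings.append(f"statement {i}: s3:ListBucket is not limited to the log prefix")
    return findings


def render_policy(bucket, role_arn, prefixes):
    """Policy JSON ready for the console editor or `aws s3api put-bucket-policy`."""
    return json.dumps(build_policy(bucket, role_arn, prefixes), indent=4)


if __name__ == "__main__":
    policy = build_policy(BUCKET, ROLE_ARN, PREFIXES)
    assert check_policy(policy, ROLE_ARN) == []
    print(render_policy(BUCKET, ROLE_ARN, PREFIXES))
```

Write the output to a file and apply it with `aws s3api put-bucket-policy --bucket <s3-bucket-name> --policy file://policy.json`, or paste it into the editor from step 6. Run check_policy again after any manual edit in the console: the two mistakes it catches, widening the Principal to the account and dropping the s3:prefix condition while still using prefixes, are the ones that most often slip into a cross-account policy.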
    

Next steps

Finally, you’ll call the log delivery API to finish setting up delivery. See Step 4: Call the log delivery API.