Restrict S3 permissions to readonly for consumption role dataset sharing policy

[mourya-33]

… read only for consumption role

Feature or Bugfix

• Bugfix

Detail

• This PR will address the issue - 1226

Relates

Security

Please answer the questions below briefly where applicable, or write N/A. Based on
OWASP 10.

• Does this PR introduce or modify any input fields or queries - this includes
  fetching data from storage outside the application (e.g. a database, an S3 bucket)? N/A
  • Is the input sanitized? N/A
  • What precautions are you taking before deserializing the data you consume? N/A
  • Is injection prevented by parametrizing queries? N/A
  • Have you ensured no eval or similar functions are used? N/A
• Does this PR introduce any functionality or component that requires authorization? N/A
  • How have you ensured it respects the existing AuthN/AuthZ mechanisms? N/A
  • Are you logging failed auth attempts? N/A
• Are you using or adding any cryptographic features? N/A
  • Do you use a standard proven implementations? Yes
  • Are the used keys controlled by the customer? Where are they stored? N/A
• Are you introducing any new policies/roles/users? No
  • Have you used the least-privilege principle? How? Yes, restricted the s3:* permissions to s3 readonly permissions

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[SofiaSazonova]

Checked.
Permissions are given according to PR.
User can list the objects in the bucket and download them.
When item is revoked, permissions are deleted correctly

[SofiaSazonova]

Checked.

1. Are we sure other permissions are not necessary (for Glue or smth else)
2. Why Describe* and List*. Maybe we can restrict more?

[mourya-33]

Hi @SofiaSazonova, thank you for approving the PR. I added the permissions to mimic the S3ReadOnly Managed Role. Should i drill this down further?