matano
Document Bring Your Own Bucket Permission requirements
The documentation for "Bring Your Own Bucket" ingestion does not include any instructions for setting permissions required for buckets and KMS resources.
One use-case is an organisation where the AWS CloudTrail bucket is hosted in one account, but Matano is deployed somewhere else.
I'd create a PR with changes to the docs once I find out what permissions are required.
For KMS, we implemented tag-based permissions, so as long as you add a `matano:trusted = true` tag to the KMS key, that will allow `kms:Decrypt` and `kms:GenerateDataKey` permissions. For cross-account keys, you'll need to allow these permissions from whatever AWS account Matano is running in.
For S3, it needs `s3:GetObject*`, `s3:GetBucket*`, and `s3:List*`. If the bucket is in the same account, this will work automatically, as the permissions are set via the transformer function's IAM role, which is managed by the CDK. For cross-account, I believe the bucket policy needs to allow these permissions from whatever account Matano is in.
For S3 access logs, I don't think cross-account access will currently work due to how object-ownership is set for them. They require an IAM role to be assumed for cross-account access because of this, which is not currently exposed as a configurable option.
That should be a sufficient start.
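The cross-account setup described in the reply above needs a grant on the source-account side for both resources: a bucket policy on the CloudTrail bucket and a key policy on the CMK that encrypts it, each trusting the account Matano runs in. The following is an added example, not Matano's code or documentation: it renders those two policies from the action lists quoted in the thread and includes a small wildcard-aware check that the transformer role would actually be allowed the calls it needs. The account IDs, bucket name and role name are constructed placeholders; the policy shapes are standard AWS resource-policy JSON.

```python
"""Render and sanity-check the source-account policies for a cross-account
"Bring Your Own Bucket" CloudTrail source.

Added example, not Matano's code. Account IDs, bucket name and role name are
constructed placeholders. Run directly to print the two policies as JSON.
"""
import fnmatch
import json

# Actions the transformer role needs on the source bucket (from the thread).
S3_ACTIONS = ["s3:GetObject*", "s3:GetBucket*", "s3:List*"]
# Actions the transformer role needs on the source KMS key (from the thread).
KMS_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey"]


def bucket_policy(bucket: str, matano_account: str) -> dict:
    """Bucket policy for the account that owns the CloudTrail bucket.

    Object-level actions (s3:GetObject*) evaluate against arn:aws:s3:::bucket/*,
    while bucket-level actions (s3:GetBucket*, s3:List*) evaluate against the
    bucket ARN itself. Listing only one of the two is a common reason a
    cross-account read fails on ListBucket or on GetObject but not both.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowMatanoAccountRead",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{matano_account}:root"},
            "Action": S3_ACTIONS,
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def key_policy(key_account: str, matano_account: str) -> dict:
    """Key policy for the CMK encrypting the bucket.

    Keeps the owning account as key administrator (dropping that statement
    makes the key unmanageable) and grants the Matano account only the two
    actions the transformer needs. The matano:trusted=true tag is checked by
    the transformer role's IAM policy in the Matano account; it does not
    replace this cross-account grant.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{key_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowMatanoAccountUse",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{matano_account}:root"},
                "Action": KMS_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy: dict, caller_arn: str, action: str, resource: str) -> bool:
    """Minimal resource-policy check: is there an Allow statement covering
    this caller, action and resource?

    A principal of arn:aws:iam::ACCOUNT:root trusts any caller in ACCOUNT,
    so the caller is matched on its account ID (field 4 of the ARN). Action
    and resource use IAM's '*' wildcard, modelled here with fnmatch. Deny
    statements and Conditions are not handled; these two policies use none.
    """
    caller_account = caller_arn.split(":")[4]
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        trusted = {p.split(":")[4] for p in _as_list(st["Principal"]["AWS"])}
        if caller_account not in trusted:
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])) and any(
            fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])
        ):
            return True
    return False


if __name__ == "__main__":
    # Constructed placeholder IDs: 111... runs Matano, 222... owns the bucket.
    print(json.dumps(bucket_policy("org-cloudtrail-logs", "111111111111"), indent=2))
    print(json.dumps(key_policy("222222222222", "111111111111"), indent=2))
```

The check is deliberately narrow: it confirms the grants are shaped correctly before they are applied, not that the live account will evaluate them the same way (SCPs, Deny statements and the transformer role's own IAM policy still apply). The transformer's role name used below is a placeholder for whatever role the CDK creates in the Matano account.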