DEV Community

AWS Community Builders profile image Asis Sethi
Asis Sethi for AWS Community Builders

Posted on

Error: AmazonS3Exception “Access Denied with Status Code: 403” in Amazon Athena when I query a bucket in another account

#aws #devops #codequality #architecture

Assumptions:

  1. Account A (S3 Bucket )
  2. Account B (Athena query)

Let's start with Account A:

  1. Locate the S3 Bucket Object Permissions Tab
  2. Either edit ACL of the S3 Bucket Object or add a Bucket policy
  3. Under ACL add External AWS Account Canonical ID
  4. Edit Bucket policy by Using Policy Generator [https://awspolicygen.s3.amazonaws.com/policygen.html] 
{
 “Version”: “2012–10–17”,
 “Id”: “Policy1604525342797”,
 “Statement”: [
 {
 “Sid”: “Cross-Account-Permissions”,
 “Effect”: “Allow”,
 “Principal”: {
 “AWS”: [
 “arn:aws:iam::xaccountbxx:root”,
 “arn:aws:iam::xaccountbxx:user/cross-account-access-user”
 ]
 },
 “Action”: “s3:*”,
 “Resource”: “arn:aws:s3:::analytics-cross-account-s3access”
 },
 {
 “Sid”: “Cross-Account-Permissions”,
 “Effect”: “Allow”,
 “Principal”: {
 “AWS”: [
 “arn:aws:iam::xaccountbxx:root”,
 “arn:aws:iam::xaccountbxx:user/cross-account-access-user”
 ]
 },
 “Action”: “s3:GetObject”,
 “Resource”: “arn:aws:s3:::analytics-cross-account-s3access/*”
 }
 ]
}
Enter fullscreen mode Exit fullscreen mode
  1. If KMS is Enabled on S3 Bucket, Add Key policy to Customer managed key 
{
 “Version”: “2012–10–17”,
 “Id”: “key-default-1”,
 “Statement”: [
 {
 “Sid”: “Enable IAM User Permissions”,
 “Effect”: “Allow”,
 “Principal”: {
 “AWS”: “arn:aws:iam::xaccountaxx:root”
 },
 “Action”: “kms:*”,
 “Resource”: “*”
 },
 {
 “Sid”: “Allow use of the key”,
 “Effect”: “Allow”,
 “Principal”: {
 “AWS”: “arn:aws:iam::xaccountbxx:user/cross-account-access-user”
 },
 “Action”: [
 “kms:Encrypt”,
 “kms:Decrypt”,
 “kms:ReEncrypt*”,
 “kms:GenerateDataKey*”,
 “kms:DescribeKey”
 ],
 “Resource”: “*”
 }
 ]
}
Enter fullscreen mode Exit fullscreen mode

Let’s start with Account B:

  1. Attach below Policy to IAM User in Account B 
{
 “Version”: “2012–10–17”,
 “Statement”: [
 {
 “Sid”: “VisualEditor0”,
 “Effect”: “Allow”,
 “Action”: [
 “s3:GetAccessPoint”,
 “s3:PutAccountPublicAccessBlock”,
 “s3:GetAccountPublicAccessBlock”,
 “s3:ListAllMyBuckets”,
 “s3:ListAccessPoints”,
 “s3:ListJobs”,
 “s3:CreateJob”
 ],
 “Resource”: “*”
 },
 {
 “Sid”: “VisualEditor1”,
 “Effect”: “Allow”,
 “Action”: “s3:*”,
 “Resource”: [
 “arn:aws:s3:::analytics-cross-account-s3access”,
 “arn:aws:s3:::analytics-cross-account-s3access/*”
 ]
 }
 ]
}
Enter fullscreen mode Exit fullscreen mode

2.If KMS is enabled attach another inline policy

{
 “Version”: “2012–10–17”,
 “Statement”: [
 {
 “Sid”: “VisualEditor0”,
 “Effect”: “Allow”,
 “Action”: [
 “kms:DescribeCustomKeyStores”,
 “kms:ListKeys”,
 “kms:DeleteCustomKeyStore”,
 “kms:GenerateRandom”,
 “kms:UpdateCustomKeyStore”,
 “kms:ListAliases”,
 “kms:DisconnectCustomKeyStore”,
 “kms:CreateKey”,
 “kms:ConnectCustomKeyStore”,
 “kms:CreateCustomKeyStore”
 ],
 “Resource”: “*”
 },
 {
 “Sid”: “VisualEditor1”,
 “Effect”: “Allow”,
 “Action”: “kms:*”,
 “Resource”: “arn:aws:kms:ca-central-1:xaccountbxx:key/4bb–452e-8885”
 }
 ]
}
Enter fullscreen mode Exit fullscreen mode

Top comments (0)

Read next

lukeecart profile image

Planet scale DB alternative

Luke Cartwright -

ehienabs profile image

Deploying Amazon Managed Service for Apache Kafka (Amazon MSK) with CloudFormation

Ehi Enabs -

parth7802 profile image

Launch an Amazon VPC and EC2 instance using Cloudformation

Parth Patel -

shingaiz profile image

Ansible for Automated Ops & Maintenance: Deployment & Checklist

Shingai Zivuku -