DEV Community

Arun Kumar for AWS Community Builders


How to grant cross account S3 bucket access

General Policy

An IAM role assumed with sts:AssumeRole is always preferable to long-lived access keys, provided the third party runs on AWS and their application can assume a role.
Access keys must be rotated to meet security best practice, and if they leak they are harder to control and contain; a role session carries temporary credentials that expire on their own.

Approach

  • Assume you have an IAM user with an access key in Account A.

  • You want that user to read a bucket in Account B.

  • Assume the bucket in Account B is sample-logs. Add the following to its bucket policy. Granting arn:aws:iam::AccountA:root delegates access to Account A as a whole; which identities in Account A can actually use it is decided by their own IAM policies, so this statement is only half of the grant. Each Sid must be unique within the policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccountAListBucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::AccountA:root"
                ]
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::sample-logs"
        },
        {
            "Sid": "AllowAccountAReadObjects",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::AccountA:root"
                ]
            },
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "arn:aws:s3:::sample-logs/*"
        }
    ]
}
  • Then, in Account A, attach the following inline (identity-based) policy to the IAM user. Without it the bucket policy grant alone does nothing for the user, because a cross-account request must be allowed by both the bucket policy in Account B and the identity policy in Account A.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:List*",
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::sample-logs",
                "arn:aws:s3:::sample-logs/*"
            ],
            "Effect": "Allow"
        }
    ]
}

Setting up IAM Users, Roles and bucket policy

  • If you need access keys, you need an IAM user plus an identity policy granting the S3 actions, and the bucket policy in the bucket owner's account must allow that user's account (or, more tightly, the user's own ARN).

  • If the third party can assume a role, you just need a role in the bucket owner's account whose trust policy allows sts:AssumeRole for the third party's account, plus a permissions policy on the role granting the S3 actions. Where possible, trust the specific role or user ARN on the third-party side rather than the account root, and for a genuine third party add an sts:ExternalId condition to the trust policy to prevent the confused-deputy problem. You also need to update the S3 bucket policy to allow access for that role if the bucket policy is used to scope who may read the bucket.
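The two setups above, modelled as runnable Python. This is an added example, not code from the post or from AWS; it encodes the evaluation rules AWS documents for these cases: an explicit Deny always wins, a same-account request needs an Allow from either the identity policy or the resource policy, and a cross-account request needs an Allow from both the caller's identity policy and the resource policy in the owning account, which is why the post's bucket policy and inline user policy are both required. The account IDs, the user names, the LogReader role and its trust policy are assumptions; the bucket and identity policies are the post's own, with the Sids made unique. Conditions, NotAction/NotResource, SCPs and permission boundaries are not modelled. It goes slightly beyond the post by also checking a principal from a third account and an explicit Deny in the bucket policy.

```python
"""Toy model of the AWS policy decisions behind this post's two setups. Added example,
not the post's code nor an AWS library; IDs, user names and the LogReader role are assumed."""
import fnmatch

ACCOUNT_A = "111111111111"  # assumed: account holding the user / third-party app
ACCOUNT_B = "222222222222"  # assumed: account owning the bucket
BUCKET_ARN = "arn:aws:s3:::sample-logs"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/LogReader"  # assumed role name

# Bucket policy from the post (Sids made unique): a resource-based grant to Account A's root.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAccountAListBucket", "Effect": "Allow",
     "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT_A}:root"]},
     "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
    {"Sid": "AllowAccountAReadObjects", "Effect": "Allow",
     "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT_A}:root"]},
     "Action": ["s3:Get*", "s3:List*"], "Resource": BUCKET_ARN + "/*"}]}
# Identity-based policy from the post, attached to the user in Account A (or to the role).
READ_LOGS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:List*", "s3:Get*"],
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}
# Assumed: trust policy of LogReader (a role in Account B) allowing Account A to assume it.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
     "Action": "sts:AssumeRole"}]}
# Assumed: identity policy on the Account A app permitting the AssumeRole call.
ASSUME_LOG_READER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def principal_matches(principal, caller_arn):
    """'*' matches anyone, an exact ARN matches itself, and an account root ARN (the
    post's case) or bare account ID delegates to every IAM identity in that account."""
    if principal == "*":
        return True
    names = principal.get("AWS", []) if isinstance(principal, dict) else principal
    acct = caller_arn.split(":")[4]
    return any(p in (caller_arn, acct, f"arn:aws:iam::{acct}:root") for p in _as_list(names))

def statement_effect(stmt, action, resource, caller_arn=None):
    """'Allow', 'Deny' or None for one statement. A trust policy has no Resource element
    (it applies to the role itself), so a missing Resource matches. Conditions are ignored."""
    if caller_arn is not None and not principal_matches(stmt.get("Principal", "*"), caller_arn):
        return None
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return None
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
        return None
    return stmt["Effect"]

def is_allowed(caller_arn, action, resource, identity_policies, resource_policy, resource_account):
    """Explicit Deny wins. Same account: an Allow from either policy type suffices.
    Cross account: the caller's identity policy AND the resource policy must both Allow."""
    ident = [statement_effect(s, action, resource) for p in identity_policies for s in p["Statement"]]
    res = [statement_effect(s, action, resource, caller_arn)
           for s in resource_policy["Statement"]] if resource_policy else []
    if "Deny" in ident or "Deny" in res:
        return False
    if caller_arn.split(":")[4] == resource_account:
        return "Allow" in ident or "Allow" in res
    return "Allow" in ident and "Allow" in res

def access_key_path(user_policies, action, key="2024/app.log", account=ACCOUNT_A):
    """Post's first setup: an IAM user with access keys in `account` hits the bucket in B."""
    user = f"arn:aws:iam::{account}:user/log-reader"  # assumed user name
    resource = BUCKET_ARN if action == "s3:ListBucket" else f"{BUCKET_ARN}/{key}"
    return is_allowed(user, action, resource, user_policies, BUCKET_POLICY, ACCOUNT_B)

def assume_role_path(caller_policies, action, key="2024/app.log"):
    """Post's second setup: an Account A app assumes LogReader in Account B; the role
    session (now an Account B principal) then reads the bucket under the role's policy."""
    caller = f"arn:aws:iam::{ACCOUNT_A}:user/app"  # assumed caller
    # Step 1: cross-account AssumeRole needs the caller's identity policy AND the trust policy.
    if not is_allowed(caller, "sts:AssumeRole", ROLE_ARN, caller_policies, TRUST_POLICY, ACCOUNT_B):
        return False
    session = f"arn:aws:sts::{ACCOUNT_B}:assumed-role/LogReader/app"
    resource = BUCKET_ARN if action == "s3:ListBucket" else f"{BUCKET_ARN}/{key}"
    # Step 2: same-account request, so the role's permissions policy alone is enough; the
    # bucket policy is still evaluated, so an explicit Deny there would still win.
    return is_allowed(session, action, resource, [READ_LOGS_POLICY], BUCKET_POLICY, ACCOUNT_B)

def duplicate_sids(policy):
    """Sids must be unique within a policy; the post's original bucket policy reused one."""
    seen, dups = set(), []
    for sid in (s.get("Sid") for s in policy["Statement"]):
        if sid and sid in seen:
            dups.append(sid)
        seen.add(sid)
    return dups

if __name__ == "__main__":
    print("user with both policies, GetObject:", access_key_path([READ_LOGS_POLICY], "s3:GetObject"))
    print("user, bucket policy only, GetObject:", access_key_path([], "s3:GetObject"))
    print("app via LogReader, GetObject:", assume_role_path([ASSUME_LOG_READER], "s3:GetObject"))
```

Run it directly to see the three decisions printed; access_key_path and assume_role_path return the decision, so the same checks can drive a unit test. The asymmetry the model makes visible is the practical point: with the bucket policy granting the account root, every identity in Account A whose own policy allows s3:Get* on the bucket gets access, so the inline policy on Account A's side (or narrowing the bucket policy Principal to specific ARNs) is the real control over who reads the logs.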
