Arun Kumar for AWS Community Builders


How to grant cross account S3 bucket access

General Policy

An IAM role plus AssumeRole is always preferred over access keys (if the third party is also on AWS and their application can call AssumeRole).
Access keys have to be rotated as a security best practice, and they are harder to control and contain.

Approach

  • Assume you have an access key on Account A.

  • You want access to a bucket in Account B.

  • Assume the Account B bucket is named sample-logs; add the following to its bucket policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1357935647218",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::AccountA:root"
                ]
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::sample-logs"
        },
        {
            "Sid": "Stmt1357935647219",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::AccountA:root"
                ]
            },
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "arn:aws:s3:::sample-logs/*"
        }
    ]
}
  • Then on Account A, update the IAM user's inline policy with the below.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:List*",
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::sample-logs",
                "arn:aws:s3:::sample-logs/*"
            ],
            "Effect": "Allow"
        }
    ]
}

Setting up IAM Users, Roles and bucket policy

  • If you need access keys, you need an IAM User + policy.

  • If a third party can assume a role, you just need a role whose trust policy allows sts:AssumeRole for that account. You also need to update the S3 bucket policy to allow access from that account.
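The policy documents for both approaches (the bucket policy plus user inline policy from the access-key walkthrough above, and the role trust policy from the bullet above) can be generated and sanity-checked before they are applied. The script below is an added example, not code from the original post: it builds each document from a bucket name and two account IDs, narrows the post's `s3:Get*`/`s3:List*` wildcards to `s3:GetObject`/`s3:ListBucket`, adds an `sts:ExternalId` condition to the trust policy (a standard AWS guard for third-party roles), and lints each policy for duplicate `Sid`s, `s3:*` allows and anonymous principals. The account IDs, role name and external ID are constructed placeholders.

```python
"""Generate and lint the cross-account S3 read-access policies.

Added example; the account IDs, role name and external ID are constructed
placeholders, not values from the original post.
"""
import json

ACCOUNT_A = "111111111111"            # constructed: account holding the IAM user / third party
ACCOUNT_B = "222222222222"            # constructed: account that owns the bucket
BUCKET = "sample-logs"
ROLE_NAME = "CrossAccountLogReader"   # hypothetical role created in Account B
EXTERNAL_ID = "example-external-id"   # constructed; agreed out of band with the third party


def bucket_arns(bucket):
    """Bucket ARN (needed for ListBucket) and object ARN (needed for GetObject)."""
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def bucket_policy_for_principal(bucket, principal_arn):
    """Bucket policy for Account B granting read-only access to one principal.

    For the access-key approach the principal is Account A's root ARN; for the
    role approach it is the role ARN. Sids are unique, unlike the post's draft.
    """
    bucket_arn, objects_arn = bucket_arns(bucket)
    principal = {"AWS": [principal_arn]}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowListBucket", "Effect": "Allow", "Principal": principal,
             "Action": "s3:ListBucket", "Resource": bucket_arn},
            {"Sid": "AllowGetObjects", "Effect": "Allow", "Principal": principal,
             "Action": ["s3:GetObject"], "Resource": objects_arn},
        ],
    }


def user_inline_policy(bucket):
    """Identity policy for the IAM user in Account A (both sides must allow)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "ReadSampleLogs", "Effect": "Allow",
                       "Action": ["s3:ListBucket", "s3:GetObject"],
                       "Resource": bucket_arns(bucket)}],
    }


def role_trust_policy(third_party_account, external_id):
    """Trust policy for the role in Account B; ExternalId blocks confused-deputy misuse."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "AllowThirdPartyAssumeRole", "Effect": "Allow",
                       "Principal": {"AWS": f"arn:aws:iam::{third_party_account}:root"},
                       "Action": "sts:AssumeRole",
                       "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}],
    }


def lint_policy(policy):
    """Return a list of problems: duplicate Sids, s3:* / * allows, anonymous principals."""
    problems, seen = [], set()
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid")
        if sid is not None:
            if sid in seen:
                problems.append(f"duplicate Sid {sid!r}")
            seen.add(sid)
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(a in ("*", "s3:*") for a in actions):
            problems.append(f"{sid}: overly broad action")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append(f"{sid}: anonymous principal")
    return problems


# The bucket policy as drafted in the post: both statements reuse the same Sid,
# which the S3 console rejects (Sids must be unique within a policy).
ORIGINAL_POST_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1357935647218", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::AccountA:root"]},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::sample-logs"},
        {"Sid": "Stmt1357935647218", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::AccountA:root"]},
         "Action": ["s3:Get*", "s3:List*"], "Resource": "arn:aws:s3:::sample-logs/*"},
    ],
}


if __name__ == "__main__":
    role_arn = f"arn:aws:iam::{ACCOUNT_B}:role/{ROLE_NAME}"
    for name, doc in [
        ("bucket policy (access-key approach)", bucket_policy_for_principal(BUCKET, f"arn:aws:iam::{ACCOUNT_A}:root")),
        ("user inline policy (Account A)", user_inline_policy(BUCKET)),
        ("role trust policy (Account B)", role_trust_policy(ACCOUNT_A, EXTERNAL_ID)),
        ("bucket policy (role approach)", bucket_policy_for_principal(BUCKET, role_arn)),
        ("post's draft bucket policy", ORIGINAL_POST_BUCKET_POLICY),
    ]:
        print(f"# {name}: problems={lint_policy(doc) or 'none'}")
        print(json.dumps(doc, indent=2))
```

Running the script prints the four documents ready to paste into the console or pass to `aws s3api put-bucket-policy`, `aws iam put-user-policy` and `aws iam create-role`, and flags the duplicate Sid in the post's draft so the same check can be wired into a policy review step.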
