How to grant cross account S3 bucket access
Published in
2 min readJan 7, 2021
General Policy
- IAM Role + assume role is always preferred over access keys (if third party is on Amazon and their app can assumerole).
- Access keys have to be rotated for best security practices, and they are harder to control/contain.
Approach
Assume you had access key on Account A.
You want access to a bucket on Account B
Assume Account B bucket=sample-logs, add the following into its Bucket Policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1357935647218",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::AccountA:root"
]
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::sample-logs"
},
{
"Sid": "Stmt1357935647218",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::AccountA:root"
]
},
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "arn:aws:s3:::sample-logs/*"
}
]
}
Then on Account A, update user IAM inline policy with the below.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::sample-logs",
"arn:aws:s3:::sample-logs/*"
],
"Effect": "Allow"
}
]
}
Setting up IAM Users, Roles and bucket policy
If you need access keys, you need an IAM User + policy.
If a third party can assume role, you just need the role with sts:AssumeRole allowed for that account. You also need to update the s3 bucket policy to allow access from that account.