S3 and Cross Account Access
S3 buckets provide a great way to share data in AWS.
While S3 buckets can be made public, at times the use case calls for access to be more restrictive. If the bucket access policy is set to public, anyone from anywhere can read or write [depending on the permissions granted] files inside the bucket.
Use Case
At times, one wants to keep the S3 bucket private but provide read access to an external account.
In such a scenario, one is tempted to update the permissions via the AWS Console.
The first step would be to navigate to the Access Control List.
The subsequent step would be to enter the canonical ID of the account requesting access to that particular resource [the S3 bucket in this case].
However, the Access Control List is restrictive. It only provides permission to list objects and write objects. At first glance this might seem exhaustive, but it isn’t.
Scenario
Consider a case where the external AWS account needs to copy a file from the S3 bucket. With just the permissions in the Access Control List, one can’t do that.
Solution
Update the S3 bucket access policy (the bucket policy) instead of relying on the ACL.
Note:
- The Resource varies based on the Action.
While the ListBucket action points to the ARN of the bucket, the GetObject action has a different Resource value [bucket ARN/*], because it applies to the objects inside the bucket rather than to the bucket itself.
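As an added example (not code from the original post), the following Python builds the cross-account read-only bucket policy described above and lints it for the mistakes the note warns about: a bucket-level action (ListBucket) given an object resource, an object-level action (GetObject) given the bare bucket ARN, and a public Principal of "*" which would undo the goal of keeping the bucket private. The bucket name and the account ID are constructed placeholders, and the functions cross_account_read_policy and lint_policy are assumptions of this example, not an AWS API.

```python
import json

# Constructed sample values for illustration; replace with your own.
BUCKET = "example-shared-bucket"
EXTERNAL_ACCOUNT_ID = "111122223333"  # placeholder ID of the account that needs read access


def cross_account_read_policy(bucket: str, account_id: str) -> dict:
    """Build a bucket policy that keeps the bucket private but lets one external
    account list the bucket and read its objects.

    Note the two different Resource values: ListBucket is a bucket-level action
    and must name the bucket ARN; GetObject is an object-level action and must
    name the objects (bucket ARN/*)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    principal = {"AWS": f"arn:aws:iam::{account_id}:root"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowExternalAccountList",
                "Effect": "Allow",
                "Principal": principal,
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,
            },
            {
                "Sid": "AllowExternalAccountRead",
                "Effect": "Allow",
                "Principal": principal,
                "Action": "s3:GetObject",
                "Resource": f"{bucket_arn}/*",
            },
        ],
    }


# Actions that apply to the bucket itself versus to the objects inside it.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_LEVEL_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means the policy passed.

    Checks: a public Principal ('*'), a bucket-level action scoped to an object
    resource, and an object-level action scoped to the bare bucket ARN."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        ):
            findings.append(f"{sid}: Principal is '*', which makes the bucket public")
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                if resource == "*":
                    continue  # a bare wildcard covers both bucket and objects
                # After 'arn:aws:s3:::' a '/' means the ARN names objects, not the bucket.
                is_object_resource = "/" in resource.split(":::", 1)[-1]
                if action in BUCKET_LEVEL_ACTIONS and is_object_resource:
                    findings.append(f"{sid}: {action} needs the bucket ARN, got {resource}")
                elif action in OBJECT_LEVEL_ACTIONS and not is_object_resource:
                    findings.append(f"{sid}: {action} needs bucket ARN/* (object ARN), got {resource}")
    return findings


if __name__ == "__main__":
    policy = cross_account_read_policy(BUCKET, EXTERNAL_ACCOUNT_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy) or "none")
```

Running the script prints the policy document ready to paste into the bucket's policy editor and reports no findings; swapping the GetObject Resource for the bare bucket ARN, or the Principal for "*", produces a finding naming the statement.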
For further details, refer to: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/
To understand when to use an ACL: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-alternatives-guidelines.html#when-to-use-acl