
Granting Cross-Account Access to AWS S3 Buckets

Engin Can Höke
#aws #s3 #iam #cross-account-access

In this guide, we’ll demonstrate how to set up cross-account access to an AWS S3 bucket using IAM policies on both sides: a bucket policy in the account that hosts the bucket and an identity policy on the IAM user in the calling account. The same approach extends to granting access to multiple S3 buckets in another account.

Scenario Overview

We have two AWS accounts: Account A, which holds the IAM user that needs access (the user maintainer account), and Account B, which hosts the S3 bucket.

Our goal is to allow an IAM user in Account A to access an S3 bucket in Account B.

Setting Up Account B (S3 Host Account)

  1. Create an S3 Bucket:

    In Account B, create the S3 bucket that you want to share access to.

  2. Add a Bucket Policy:

    Attach the following bucket policy to grant access to the IAM user in Account A. Replace 123456789012 with Account A’s ID, engin-located-in-account-a with the IAM user’s name, and hoketech-located-in-account-b with your bucket name.

    {
      "Version": "2012-10-17",
      "Id": "Policy1608986742350",
      "Statement": [
        {
          "Sid": "Stmt1608986737474",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789012:user/engin-located-in-account-a"
          },
          "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:PutObjectAcl"
          ],
          "Resource": [
            "arn:aws:s3:::hoketech-located-in-account-b",
            "arn:aws:s3:::hoketech-located-in-account-b/*"
          ]
        }
      ]
    }
    

    This policy grants the specified IAM user permission to perform GetObject, PutObject, and PutObjectAcl actions on the bucket and its contents.

Setting Up Account A (User Maintainer Account)

  1. Create an IAM User:

    In Account A, create an IAM user (if not already existing) that requires access to the S3 bucket in Account B.

  2. Create a Policy for the IAM User:

    Create the following policy in Account A. Replace hoketech-located-in-account-b with the bucket name in Account B.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1608988390883",
          "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:PutObjectAcl"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::hoketech-located-in-account-b",
            "arn:aws:s3:::hoketech-located-in-account-b/*"
          ]
        }
      ]
    }
    

    This policy allows the IAM user to perform the specified actions on the S3 bucket in Account B.

  3. Attach the Policy to the IAM User:

    After creating the policy, attach it to the IAM user created earlier.

Verification

After completing these steps, the IAM user in Account A should have the necessary permissions to access the S3 bucket in Account B. You can verify access by attempting to upload or download objects to/from the bucket using the IAM user’s credentials.
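The live check is an upload and download with the Account A user’s credentials (for example `aws s3 cp` with a profile for that user). To make the reasoning behind the two policies explicit, the following added example (constructed for this guide, not code from the original post or from AWS) models the rule that a cross-account request must be allowed by both the bucket policy in Account B, which is keyed on the Principal, and the identity policy attached to the user in Account A. It reuses the account ID, user name and bucket name from the policies above; the object key `report.csv`, the second user `someone-else` and the evaluator itself are assumptions. The evaluator deliberately ignores Deny statements, Conditions, SCPs and ACLs.

```python
"""Simplified IAM evaluation for the cross-account S3 scenario in this guide.

Constructed example: models the two policies from the guide and the AWS rule
that a cross-account request must be allowed by BOTH the resource-based bucket
policy (Account B) and the identity-based policy on the caller (Account A).
Deny statements, Condition blocks, SCPs and ACLs are not modelled.
"""
import fnmatch

ACCOUNT_A = "123456789012"                      # Account A ID from the guide
USER_ARN = f"arn:aws:iam::{ACCOUNT_A}:user/engin-located-in-account-a"
BUCKET = "hoketech-located-in-account-b"       # bucket hosted in Account B

# Bucket policy from the guide (Account B, resource-based, names the caller).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": USER_ARN},
        "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Identity policy from the guide (Account A, attached to the user; no Principal).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?') for Action and Resource strings."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, caller_arn):
    """True if the statement's Principal covers the calling ARN."""
    if principal == "*":
        return True
    if not isinstance(principal, dict) or "AWS" not in principal:
        return False
    account = caller_arn.split(":")[4]
    for p in _as_list(principal["AWS"]):
        # An exact user/role ARN, or an account-level grant (bare account ID or
        # the account root ARN), which covers every identity in that account.
        if p in ("*", caller_arn, account, f"arn:aws:iam::{account}:root"):
            return True
    return False


def policy_allows(policy, action, resource, caller_arn=None):
    """True if some Allow statement covers action and resource (and, for a
    resource-based policy, the caller via its Principal element)."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "Principal" in stmt and not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if _matches(stmt.get("Action", []), action) and _matches(stmt.get("Resource", []), resource):
            return True
    return False


def cross_account_allowed(action, resource, caller_arn, bucket_policy, identity_policy):
    """Cross-account rule: the bucket owner's policy AND the caller's own
    identity policy must both grant the action; either one alone is not enough."""
    return (policy_allows(bucket_policy, action, resource, caller_arn)
            and policy_allows(identity_policy, action, resource))


def check_scenario():
    """Evaluate the three granted actions plus s3:ListBucket, which neither
    policy grants, so listing the bucket is denied even though reads are allowed."""
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"   # constructed object key
    bkt = f"arn:aws:s3:::{BUCKET}"
    return {
        action: cross_account_allowed(action, res, USER_ARN, BUCKET_POLICY, IDENTITY_POLICY)
        for action, res in [("s3:GetObject", obj), ("s3:PutObject", obj),
                            ("s3:PutObjectAcl", obj), ("s3:ListBucket", bkt)]
    }


if __name__ == "__main__":
    for action, ok in check_scenario().items():
        print(f"{action:16} {'allowed' if ok else 'denied'}")
```

Two results are worth noting when you run it: the same bucket policy denies a different user in Account A (`someone-else`) because the Principal names one user, and removing the identity policy denies everything even though the bucket policy still allows the user. If the bucket uses the bucket-owner-enforced object ownership setting (ACLs disabled), `s3:PutObjectAcl` has no effect and can be dropped from both policies to keep the grant minimal.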

For more detailed information, refer to the official AWS documentation on Cross-Account Access.
