Granting Cross-Account Access to AWS S3 Buckets

In this post I will demonstrate setting up cross-account access to an AWS S3 bucket. Access is controlled by IAM principals: the example uses an IAM user, but an IAM role in Account A works exactly the same way. With this method you can grant a principal in one account permissions on one or several S3 buckets in another account by listing each bucket in both policies.

In our example scenario there are two AWS accounts, Account A and Account B.

Account A holds the IAM resources, e.g. the IAM user.

Account B hosts the S3 bucket.

Setting Up the Account B (S3 Host Account)

In Account B we create the S3 bucket and attach a bucket policy that allows access from Account A. In the Principal element of the policy we reference the account ID of Account A and the IAM user (or role) in Account A; in the Resource element we reference the bucket in Account B. Naming a specific user ARN grants only that user; naming the account root (arn:aws:iam::123456789012:root) instead delegates the decision to Account A's own IAM policies, which is the usual choice when several users or roles in Account A need access.
This bucket policy gives the IAM user in Account A permission for s3:GetObject and s3:PutObject, i.e. to download objects from and upload objects to the bucket in Account B. s3:PutObjectAcl is included because an object uploaded by a principal in Account A is owned by Account A, not by the bucket owner, unless the bucket's Object Ownership setting is "bucket owner enforced" (now the default for new buckets). Without that setting, Account A should upload with the bucket-owner-full-control ACL (for example aws s3 cp file s3://bucket/key --acl bucket-owner-full-control), otherwise Account B cannot read objects in its own bucket.

{
  "Version": "2012-10-17",
  "Id": "Policy1608986742350",
  "Statement": [
    {
      "Sid": "Stmt1608986737474",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/engin-located-in-account-a"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::hoketech-located-in-account-b",
        "arn:aws:s3:::hoketech-located-in-account-b/*"
      ]
    }
  ]
}

Setting Up the Account A (User Maintainer Account)

In the IAM console of Account A we create a user (or role) that will access the bucket in Account B. Cross-account access needs both sides to allow it: the bucket policy in Account B is not enough on its own, so after creating the user we attach an identity policy that grants the same Get and Put actions on the bucket in Account B. Note that this policy has no Principal element; it applies to whichever user or role it is attached to.
You can use the policy below, changing the bucket name (add further bucket ARNs to the Resource list to grant several buckets).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1608988390883",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::hoketech-located-in-account-b",
        "arn:aws:s3:::hoketech-located-in-account-b/*"
      ]
    }
  ]
}

After creating the policy, go to Policy actions, choose Attach and select the user you created earlier.

After these steps the IAM user in Account A can read and write objects in the bucket in Account B. Verify it with that user's credentials: aws sts get-caller-identity should return the Account A user ARN, and aws s3 cp ./test.txt s3://hoketech-located-in-account-b/test.txt --acl bucket-owner-full-control should succeed, while an action that neither policy grants (for example aws s3 ls s3://hoketech-located-in-account-b, which needs s3:ListBucket) is denied.
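To tie the two steps together, here is an added Python example (not code from the original post) that builds both policies from the account ID, user name and bucket name(s), and evaluates offline whether a given request would pass the cross-account rule that the bucket policy in Account B and the identity policy in Account A must both allow it. The account ID, user name and bucket name are the placeholders used above; the evaluator is deliberately simplified (Allow statements only, no Conditions, no explicit Deny, no account-root principals) and is an assumption about IAM semantics for illustration, not AWS's evaluator.

```python
"""Build the two policies for cross-account S3 access and evaluate, offline,
which requests they would allow. Added example; names are placeholders."""
import fnmatch
import json

ACCOUNT_A = "123456789012"                   # assumed: account that owns the IAM user
USER_NAME = "engin-located-in-account-a"     # assumed: IAM user name in Account A
BUCKETS = ["hoketech-located-in-account-b"]  # assumed: bucket(s) in Account B
ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"]


def user_arn(account_id, user_name):
    return f"arn:aws:iam::{account_id}:user/{user_name}"


def resources_for(buckets):
    """Bucket ARN plus object ARN for every bucket. Object-level actions only
    match the '/*' form; the bare bucket ARN matters for s3:ListBucket etc."""
    return [arn for b in buckets
            for arn in (f"arn:aws:s3:::{b}", f"arn:aws:s3:::{b}/*")]


def bucket_policy(account_a, user_name, buckets, actions):
    """Resource-based policy for the bucket(s) in Account B: the Principal
    is the Account A user, the Resource is Account B's bucket."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowAccountAUser",
        "Effect": "Allow",
        "Principal": {"AWS": user_arn(account_a, user_name)},
        "Action": list(actions),
        "Resource": resources_for(buckets),
    }]}


def identity_policy(buckets, actions):
    """Identity-based policy attached to the user in Account A. No Principal
    element: it applies to whatever user or role it is attached to."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowAccountBBucket",
        "Effect": "Allow",
        "Action": list(actions),
        "Resource": resources_for(buckets),
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arn):
    # Simplification: only exact user/role ARNs and '*' are modelled; delegating
    # to a whole account via "arn:aws:iam::<id>:root" is not.
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in aws or principal_arn in aws


def _statement_allows(stmt, action, resource, principal_arn=None):
    if stmt.get("Effect") != "Allow":
        return False
    if principal_arn is not None and not _principal_matches(stmt, principal_arn):
        return False
    return _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)


def cross_account_allowed(bucket_pol, identity_pol, principal_arn, action, resource):
    """Simplified cross-account evaluation (Allow only; Conditions and explicit
    Deny ignored). The bucket policy in Account B must name the principal and
    allow the action, AND the principal's own account must grant the same
    action through an identity policy. Neither policy is enough on its own."""
    bucket_ok = any(_statement_allows(s, action, resource, principal_arn)
                    for s in bucket_pol["Statement"])
    identity_ok = any(_statement_allows(s, action, resource)
                      for s in identity_pol["Statement"])
    return bucket_ok and identity_ok


if __name__ == "__main__":
    bp = bucket_policy(ACCOUNT_A, USER_NAME, BUCKETS, ACTIONS)
    ip = identity_policy(BUCKETS, ACTIONS)
    print(json.dumps(bp, indent=2))  # paste into the Account B bucket policy editor
    me = user_arn(ACCOUNT_A, USER_NAME)
    obj = f"arn:aws:s3:::{BUCKETS[0]}/reports/q1.csv"
    print(cross_account_allowed(bp, ip, me, "s3:PutObject", obj))     # True
    print(cross_account_allowed(bp, ip, me, "s3:DeleteObject", obj))  # False: never granted
    empty = {"Version": "2012-10-17", "Statement": []}
    print(cross_account_allowed(bp, empty, me, "s3:GetObject", obj))  # False: Account A side missing
```

Running the script prints the bucket policy ready to paste into Account B, then shows that an upload is allowed, that an action granted by neither policy is refused, and that removing the Account A identity policy alone is enough to block access even though the bucket policy still names the user. To grant several buckets, pass more names in BUCKETS and both policies get the extra ARNs.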
