S3 bucket permissions to run CloudFormation from different accounts and create Lambda Functions.

0

Not sure what I am missing, but I keep getting permission denied errors when I launch CloudFormation using an https URL. Here are the details. I have an S3 bucket "mys3bucket" in ACCOUNT A. In this bucket, I have a CloudFormation template stored at s3://mys3bucket/project1/mycft.yml. The bucket is in us-east-1. It uses S3 server-side encryption with an S3 key [not KMS]. For this bucket, I have disabled ACLs; the bucket and all objects are private, but I have added a bucket policy which is as below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_B_NUMBER:root"
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mys3bucket",
        "arn:aws:s3:::mys3bucket/project1/*"
      ]
    }
  ]
}

Now, I log in to Account B --> CloudFormation --> Create new stack --> Template is ready --> Amazon S3 URL, and then I enter the object path to my template in this format: https://mys3bucket.s3.amazonaws.com/project1/mycft.yml

When I click Next, I get the following message on the same page as a banner in red:

S3 error: Access Denied For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html

Also, just for your information, I am able to list the bucket and objects from Account B if I use Cloud9 and run:

    aws s3 ls s3://mys3bucket/project1/mycft.yml
    aws s3 cp s3://mys3bucket/project1/mycft.yml .

What am I missing? [I think this should work even when the bucket is set to private but the bucket policy allows cross-account access.] Does this use case require my bucket to be hosted as a static website?

2 Answers
0

I found the problem. I had SSE encryption at bucket level but all objects had default S3 KMS key which doesn't allow objects to be shared outside that account.

Alexa
answered 2 years ago
0

Hi Alexa,

Glad you found your problem. One useful tip for setting up cross-account access via a resource policy (such as the bucket policy you've used):

Given Bucket/Resource in Account R and IAM Entity in Account A.

  • Check the Resource Policy in Account R to ensure it allows access to the IAM Entity.
  • If the Resource is encrypted, check the KMS Key as well. KMS Keys have Resource Policies and Grants that can be used to give cross-account access.
  • Check the IAM Entity for the right permissions to access the Resource in Account R. I like to add the resource explicitly in the resource block here.

Note: Not all resources support resource policies for cross-account access and some resources have more complex access mechanisms (such as S3 ACLs). KMS Cross-Account Access: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html

jsonc
answered 2 years ago
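The three checks in the answer above (resource policy, KMS key policy, IAM entity permissions) can be expressed as one CloudFormation template deployed in the bucket-owning account. The template below is an added example written for this page; it is not code from the question, the answers, or AWS. It assumes the account ids are placeholders (`ConsumerAccountId` defaults to a made-up value) and that the bucket name `mys3bucket` and prefix `project1/` from the question are reused. The important difference from the question's setup is that objects are encrypted with a customer-managed KMS key whose key policy explicitly allows Account B, instead of the AWS-managed `aws/s3` key, which cannot be granted to another account.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example (not from the question): bucket in Account A shared read-only
  with Account B via a bucket policy plus a customer-managed KMS key policy.

Parameters:
  SharedBucketName:
    Type: String
    Default: mys3bucket
  ConsumerAccountId:
    Type: String
    Description: Account B. Placeholder value; replace with the real 12-digit id.
    Default: '111122223333'

Resources:
  # Check 2 from the answer: the KMS key itself must allow the other account.
  # The AWS-managed aws/s3 key has no editable key policy, so a customer-managed
  # key is required for cross-account reads of encrypted objects.
  SharedKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Customer-managed key for objects shared with Account B
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowKeyAdministrationByOwningAccount
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'
          - Sid: AllowAccountBToDecryptSharedObjects
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${ConsumerAccountId}:root
            Action:
              - kms:Decrypt
              - kms:DescribeKey
            Resource: '*'

  # Same posture as the question: ACLs disabled, nothing public, SSE by default.
  SharedBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref SharedBucketName
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !GetAtt SharedKey.Arn
            BucketKeyEnabled: true

  # Check 1 from the answer: the resource policy grants Account B read access,
  # scoped to the bucket itself and the project1/ prefix only.
  SharedBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref SharedBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowAccountBReadProject1
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${ConsumerAccountId}:root
            Action:
              - s3:GetBucketLocation
              - s3:GetObject
              - s3:GetObjectTagging
              - s3:ListBucket
            Resource:
              - !Sub arn:aws:s3:::${SharedBucketName}
              - !Sub arn:aws:s3:::${SharedBucketName}/project1/*

Outputs:
  # Account B needs these ARNs to write its own explicit IAM policy (check 3).
  SharedKeyArn:
    Value: !GetAtt SharedKey.Arn
  SharedObjectsArn:
    Value: !Sub arn:aws:s3:::${SharedBucketName}/project1/*
```

Granting the `:root` principal of Account B in both policies delegates the decision to IAM in Account B; it does not by itself give any user there access. Check 3 is therefore still required: the IAM entity in Account B that launches the stack needs an identity policy allowing `s3:GetObject` on the `SharedObjectsArn` output and `kms:Decrypt` on the `SharedKeyArn` output, with those ARNs listed explicitly in its `Resource` block as the answer suggests. Objects uploaded before the key change keep their original encryption, so existing templates must be re-uploaded or copied in place to pick up the new key.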
