2 Answers
0
I found the problem. I had SSE encryption at the bucket level, but all objects had the default S3 KMS key, which doesn't allow objects to be shared outside that account.
answered 2 years ago
0
Hi Alexa,
Glad you found your problem. One useful tip for setting up cross-account access via a resource policy (such as the bucket policy you've used):
Given a Bucket/Resource in Account R and an IAM Entity in Account A:
- Check the Resource Policy in Account R to ensure it allows access to the IAM Entity.
- If the Resource is encrypted, check the KMS Key as well. KMS Keys have Resource Policies and Grants that can be used to give cross-account access.
- Check the IAM Entity for the right permissions to access the Resource in Account R. I like to add the resource explicitly in the resource block here.
Note: Not all resources support resource policies for cross-account access and some resources have more complex access mechanisms (such as S3 ACLs).
KMS Cross-Account Access: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
answered 2 years ago
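The three checks listed in the answer above, and the default-key problem from the first answer, can be run offline against exported policy JSON. This is an added example, not code from either poster or from AWS; the function names, account IDs, ARNs and policies are constructed, and the matcher is deliberately simplified (it ignores `Deny`, `Condition` and ACLs).

```python
import fnmatch

def _list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource, principal=None):
    """Simplified check: does any Allow statement match? Ignores Deny and Condition."""
    for st in _list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _list(st["Resource"])):
            continue
        if principal is not None:  # resource policies (bucket, key) name a Principal
            p = st.get("Principal", {})
            named = ["*"] if p == "*" else _list(p.get("AWS", []))
            root = "arn:aws:iam::%s:root" % principal.split(":")[4]
            if not any(n in ("*", principal, root) for n in named):
                continue
        return True
    return False

def check_cross_account_read(role, obj, bucket_pol, identity_pol,
                             key_arn=None, key_pol=None, aws_managed_key=False):
    """Return the layers that block role (Account A) from reading obj (Account R)."""
    gaps = []
    if not allows(bucket_pol, "s3:GetObject", obj, role):
        gaps.append("bucket policy")
    if aws_managed_key:  # the default S3 KMS key: its key policy cannot be edited
        gaps.append("AWS managed key: policy not editable, use a customer managed key")
    elif key_arn and not allows(key_pol, "kms:Decrypt", key_arn, role):
        gaps.append("KMS key policy")
    if not allows(identity_pol, "s3:GetObject", obj):
        gaps.append("identity policy: s3:GetObject")
    if key_arn and not aws_managed_key and not allows(identity_pol, "kms:Decrypt", key_arn):
        gaps.append("identity policy: kms:Decrypt")
    return gaps

# Constructed sample data: Account R = 111111111111, Account A = 222222222222.
ROLE = "arn:aws:iam::222222222222:role/example-reader"
OBJ = "arn:aws:s3:::example-bucket/report.csv"
KEY = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"
BUCKET_POL = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE},
              "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
KEY_POL = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE},
           "Action": ["kms:Decrypt"], "Resource": "*"}]}
IDENTITY_POL = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    print(check_cross_account_read(ROLE, OBJ, BUCKET_POL, IDENTITY_POL, KEY, KEY_POL))
```

With the sample policies, the only gap reported is the missing `kms:Decrypt` permission on the IAM entity in Account A.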