2 Answers
0
I found the problem. I had SSE encryption at bucket level, but all objects had the default S3 KMS key, which doesn't allow objects to be shared outside that account.
Answered 2 years ago
0
Hi Alexa,
Glad you found your problem. One useful tip for setting up cross-account access via a resource policy (such as the bucket policy you've used):
Given Bucket/Resource in Account R and IAM Entity in Account A.
- Check the Resource Policy in Account R to ensure it allows access to the IAM Entity.
- If the Resource is encrypted, check the KMS Key as well. KMS Keys have Resource Policies and Grants that can be used to give cross-account access.
- Check the IAM Entity for the right permissions to access the Resource in Account R. I like to add the resource explicitly in the resource block here.
Note: Not all resources support resource policies for cross-account access and some resources have more complex access mechanisms (such as S3 ACLs).
KMS Cross-Account Access: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
Answered 2 years ago
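The three checks from the answer above, run over policy documents as an added example (not part of the original posts and not AWS code). The account IDs, role, bucket and key names are constructed, the evaluator is a deliberate simplification of IAM policy evaluation, and `key_policy=None` models the AWS managed `aws/s3` key from the first answer, whose key policy cannot be edited.

```python
from fnmatch import fnmatchcase

# Constructed sample values: account IDs, role, bucket and key names are hypothetical.
ROLE_A = "arn:aws:iam::222222222222:role/reader"             # IAM entity in Account A
OBJ = "arn:aws:s3:::example-bucket/report.csv"               # object in Account R
KEY = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY"   # customer managed key in R

def _list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource, principal=None):
    """Simplified: any matching Allow wins; ignores Deny, Condition, NotAction, KMS grants."""
    for st in _list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _list(st["Resource"])):
            continue
        if principal is None:                  # identity policy: no Principal element
            return True
        p = st.get("Principal", {})
        named = ["*"] if p == "*" else _list(p.get("AWS", []))
        # A resource policy may name the entity itself or its whole account (":root").
        if any(n in ("*", principal, "arn:aws:iam::%s:root" % principal.split(":")[4]) for n in named):
            return True
    return False

def missing_links(bucket_policy, key_policy, identity_policy):
    """Return the checklist steps that fail. key_policy=None models the AWS managed
    aws/s3 key: no other account can be added to it, so the KMS step always fails."""
    gaps = []
    if not allows(bucket_policy, "s3:GetObject", OBJ, ROLE_A):
        gaps.append("bucket policy (Account R)")
    if key_policy is None or not allows(key_policy, "kms:Decrypt", KEY, ROLE_A):
        gaps.append("KMS key policy (Account R)")
    for action, res in (("s3:GetObject", OBJ), ("kms:Decrypt", KEY)):
        if not allows(identity_policy, action, res):
            gaps.append("identity policy (Account A): " + action)
    return gaps

def stmt(actions, resource, principal=None):
    s = {"Effect": "Allow", "Action": actions, "Resource": resource}
    s.update({"Principal": {"AWS": principal}} if principal else {})
    return {"Version": "2012-10-17", "Statement": [s]}

BUCKET_POLICY = stmt("s3:GetObject", "arn:aws:s3:::example-bucket/*", ROLE_A)
KEY_POLICY = stmt(["kms:Decrypt", "kms:DescribeKey"], "*", "arn:aws:iam::222222222222:root")
IDENTITY_POLICY = stmt(["s3:GetObject", "kms:Decrypt"], ["arn:aws:s3:::example-bucket/*", KEY])

print(missing_links(BUCKET_POLICY, None, IDENTITY_POLICY))
```

With the default key the bucket policy and identity policy both pass and only the KMS step is reported, which is the situation described in the first answer.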