Complete a 3 Question Survey and Earn a re:Post Badge

Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!

How do I grant cross-account access to objects that are in Amazon S3 buckets?

9 minute read

I want to grant another AWS account access to an object that's in an Amazon Simple Storage Service (Amazon S3) bucket.

Short description

In Amazon S3, you can grant users in another account cross-account access to objects that you own in your account.

Based on the type of access that you want to provide, use one of the following methods to grant cross-account access to objects:

AWS Identity and Access Management (IAM) policies and resource-based bucket policies for programmatic-only access to S3 bucket objects.
IAM policies and resource-based access control lists (ACLs) for programmatic-only access to S3 bucket objects.
Note: When the Bucket owner enforced setting is turned on, all bucket and object ACLs are deactivated. So, you can't use ACLs to grant cross-account access. By default, all newly created buckets have the Bucket owner enforced setting turned on. To manage cross-account access, it's also a best practice to use IAM policies and bucket policies instead of ACLs. For more information, see Controlling ownership of objects and deactivating ACLs for your bucket.
Cross-account IAM roles for programmatic and console access to S3 bucket objects.

If the requester is an IAM principal, then the account that owns the principal must use an IAM policy to grant the S3 bucket permissions. Based on your use case, the bucket owner must also use a bucket policy or ACL to grant permissions. After you grant access, programmatic access of cross-account buckets is the same as access to the account buckets.

For cross-account access with Amazon S3 access points or AWS Key Management Service (AWS KMS), additional configuration is required. For more information, see Why are cross-account users getting Access Denied errors when they try to access S3 objects encrypted by a custom AWS KMS key?

For large data sets that you must access as cross-account objects, it's a best practice to use S3 access points. For more information, see Simplify and scale access management to shared datasets with cross-account Amazon S3 access points.

Resolution

IAM policies and resource-based bucket policies

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

To manage cross-account access control and audit the S3 object's permissions, use resource-based bucket policies. Apply a bucket policy at the bucket level to define the following values:

Principal element: Who can access the objects inside the bucket
Resource element: The objects that they can access
Action element: How they can access the objects inside the bucket

When you apply a bucket policy at the bucket level, you can define access to different objects inside the bucket. You can also review the bucket policy to see who can access objects in an S3 bucket.

To use bucket policies to manage S3 bucket access, complete the following steps:

Note: In the following steps, Account A is your account, and Account B is the account that you want to grant object access to.

Create an S3 bucket in Account A.
Create an IAM user or role in Account B.

Give the IAM user or role in Account B GetObject and PutObject permissions. Also, grant the IAM user or role permission to call PutObjectAcl that grants object permission to the bucket owner:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::AccountABucketName/*"
        }
    ]
}

Note: In the preceding policy, replace the example values your user values.
You can also limit access to a specific bucket folder that's in Account A. To limit access, define the folder name in the Resource element, such as "arn:aws:s3:::AccountABucketName/FolderName/*". For more information, see How can I grant a user access to a specific folder in my Amazon S3 bucket? You can also run the create-policy AWS CLI command to create an IAM identity-based policy.

Configure the bucket policy for Account A to grant GetObject and PutObject permissions to the IAM user or role that you created in Account B:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountB:user/AccountBUserName"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::AccountABucketName/*"
            ]
        }
    ]
}

You can also run the put-bucket-policy AWS CLI command to create an S3 bucket policy.

To limit access to a specific bucket folder, define the folder name in the Resource element, such as "arn:aws:s3:::AccountABucketName/FolderName/*". When you use the s3:PutObject permission with a condition key, the bucket owner has full control over the objects that other accounts upload. The PutObject API call enforces the ACL with specific headers.

IAM policies and resource-based ACLs

You can also use object ACLs to manage permissions for specific scenarios.

Amazon S3 ACLs allow users to define only READ, WRITE, READ_ACP, WRITE_ACP, and FULL_CONTROL permission sets. You can use only an account or one of the predefined Amazon S3 groups as a grantee for the Amazon S3 ACL. When you specify an email address or canonical user ID for an account, the ACL applies to all identities in the grantee account. For example, you can't use an ACL to restrict access to individual IAM users or roles. You also can't apply ACLs to different objects that share the same prefixes.

Note: The bucket owner might not have full control over the objects that the ACL grantee uploaded. This is because the ACL doesn't support the condition for the S3 operation that the ACL authorizes.

To use bucket and object ACLs to manage S3 bucket access, complete the following steps:

Create an IAM user or role in Account B.
Grant the user or role permissions to perform the required Amazon S3 operations. Users who call PutObject and GetObject must have the permissions that are listed in the Resource-based policies and IAM policies section.

Configure the bucket ACL to include at least WRITE permission for Account B. This makes sure that Account B IAM users or roles can upload objects to a bucket that Account A owns:

...<AccessControlPolicy>
  <Owner>
    <ID> AccountACanonicalUserID </ID>
    <DisplayName> AccountADisplayName </DisplayName>
  </Owner>
  <AccessControlList>
...
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID> AccountBCanonicalUserID </ID>
        <DisplayName> AccountBDisplayName </DisplayName>
      </Grantee>
      <Permission> WRITE </Permission>
    </Grant>
    ...
  </AccessControlList>
</AccessControlPolicy>

Note: To find your CanonicalUserID, see Finding an AWS account canonical user ID.

Configure object ACLs to include at least READ permission for Account B. This allows IAM roles or users in Account B to download objects from a bucket that Account A owns:

...<AccessControlPolicy>
  <Owner>
    <ID> AccountACanonicalUserID </ID>
    <DisplayName> AccountADisplayName </DisplayName>
  </Owner>
  <AccessControlList>
...
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID> AccountBCanonicalUserID </ID>
        <DisplayName> AccountBDisplayName </DisplayName>
      </Grantee>
      <Permission> READ </Permission>
    </Grant>
    ...
  </AccessControlList>
</AccessControlPolicy>

ACL permissions vary based on the S3 resource, bucket, or object that an ACL is applied to. For more information, see Access control list (ACL) overview. When you create your bucket or upload an object to an existing bucket, configure bucket and object ACLs.

Cross-account IAM roles

Not all AWS services support resource-based policies. Use cross-account IAM roles to centralize permission management when you provide cross-account access to multiple services. This method allows cross-account access to objects that another account or AWS service owns or uploaded. If you don't use cross-account IAM roles, then you must modify the object ACL. For more information, see How Amazon S3 authorizes a request for an object operation.

To use cross-account IAM roles to manage S3 bucket access, complete the following steps:

Create an IAM role in Account A.

Grant the role permissions to perform the required S3 operations. In the role's trust policy, grant a user or role from Account B permissions to assume the role in Account A:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountB:user/AccountBUserName"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Note: IAM roles must have a trust policy that defines the principals who can assume the role and when the roles can assume them. IAM roles can have multiple permissions policies that define the permissions that a principal who assumes the role can perform and the resources they use. You can also run the create-role AWS CLI command to create a role with the trust policy.

The following access policy allows a user who assumed the role to use the Amazon S3 console to programmatically download and upload objects. For more information, see How can I grant a user access to a specific folder in my Amazon S3 bucket?

Note: If only programmatic access is required, then you can remove the first two statements in the policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::AccountABucketName"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::AccountABucketName/*"
        }
    ]
}

You can also run the create-policy AWS CLI command to create an IAM identity-based policy.

Grant an IAM role or user in Account B permission to assume the IAM role that you created in Account A. You must add the following example policy as a permissions policy to the IAM user or role:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::AccountA:role/AccountARole"
    }
}

You can also run the create-policy AWS CLI command to create an IAM identity-based policy.

From a role in Account B, assume the role in Account A so that IAM identities in Account B can perform the required S3 operations.
Note: When you assume an IAM role in Account A, Amazon S3 determines the operation based on the access policy. The IAM role works as an API call that a local IAM identity in Account A invoked. A bucket policy or an ACL for cross-account access isn't required. For more information, see Policy actions for Amazon S3.