How can I access a bucket in another account using an S3 access point restricted to a VPC?


I have an AWS Identity and Access Management (IAM) entity and bucket in different AWS accounts. I want to grant the IAM entity cross-account access to the bucket using an Amazon Simple Storage Service (Amazon S3) access point restricted to an Amazon Virtual Private Cloud (Amazon VPC).

Resolution

To grant an IAM role or user in an AWS account (Account A) access to an Amazon S3 bucket in another AWS account (Account B) using an S3 access point restricted to an Amazon VPC, do the following:

  1. Create and attach an Amazon S3 access point to the bucket in Account B.
  2. Create an Amazon S3 VPC Gateway endpoint in Account A.
  3. Attach the access point, bucket, and IAM policies.

Create and attach an Amazon S3 access point to bucket in Account B

  1. Open the Amazon S3 console.
  2. In the navigation pane, choose Access Points.
  3. Choose Create access point.
  4. For Access point name, enter a name for the access point. For more information, see Rules for naming Amazon S3 access points.
  5. For Bucket name, enter the name of the bucket from Account B you want to attach the access point to.
  6. Choose Virtual Private Cloud (VPC) for Network Origin.
  7. For VPC ID, enter the VPC ID from the first AWS account (Account A).
  8. Under Block Public Access settings for this Access Point, choose the block public access settings you want to apply to the access point.
    Note: Amazon S3 currently doesn't support changing an access point's block public access settings after the access point has been created.
  9. Leave Access Point policy blank.
  10. Choose Create access point.

Create an Amazon S3 VPC Gateway endpoint in Account A

Create an S3 Gateway VPC endpoint in the initial AWS account (Account A) in the same Region as the bucket you're granting cross-account access to.

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Endpoints.
  3. Choose Create endpoint.
  4. For Service category, choose AWS services.
  5. For Services, add the filter Type: Gateway and select the Amazon S3 service in the same Region used to create the access point.
  6. For VPC, choose the same VPC used to create the access point.
  7. For Route tables, choose the route tables to be used by the endpoint.
  8. For Policy, choose Full access. Or, choose Custom and make sure that the policy permits the required S3 actions.

Note: Gateway endpoints don't allow access from other AWS Regions. Below is an example VPC endpoint policy that permits all S3 actions to all buckets:

{
	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Principal": "*",
		"Action": "s3:*",
		"Resource": "arn:aws:s3:*"
	}]
}

Attach the access point, bucket, and IAM policies

To allow the initial AWS account's (Account A) IAM entity cross-account access to the other AWS account's (Account B) bucket through the access point, you must grant permissions in all three places: the access point policy, the bucket policy, and the IAM policy. Below are the policies that grant the required permissions for each.

Access point policy:

{
	"Version": "2012-10-17",
	"Statement": [{
		"Sid": "DelegateControlToAccessPoint",
		"Effect": "Allow",
		"Principal": {
			"AWS": [
				"arn:aws:iam::AccountA-ID:user/user1",
				"arn:aws:iam::AccountA-ID:role/role01"
			]
		},
		"Action": [
			"s3:ListBucket",
			"s3:PutObject",
			"s3:GetObject"
		],
		"Resource": [
			"arn:aws:s3:us-east-2:AccountB-ID:accesspoint/my-access-point/object/*",
			"arn:aws:s3:us-east-2:AccountB-ID:accesspoint/my-access-point"
		]
	}]
}

Note: This policy grants the IAM user or role from the source AWS account (Account A) permission to the access point in the target AWS account (Account B).

Bucket policy:

{
	"Version": "2012-10-17",
	"Statement": [{
		"Sid": "AllowCrossAccountAccess",
		"Effect": "Allow",
		"Principal": {
			"AWS": [
				"arn:aws:iam::AccountA-ID:user/user1",
				"arn:aws:iam::AccountA-ID:role/role01"
			]
		},
		"Action": [
			"s3:GetObject",
			"s3:ListBucket",
			"s3:PutObject"
		],
		"Resource": [
			"arn:aws:s3:::my-bucket",
			"arn:aws:s3:::my-bucket/*"
		],
		"Condition": {
			"StringEquals": {
				"s3:DataAccessPointArn": "arn:aws:s3:us-east-2:AccountB-ID:accesspoint/my-access-point"
			}
		}
	}]
}

Note: This policy grants the source AWS account's (Account A) IAM user or role permission to the bucket in Account B, but only for requests that arrive through the access point (the s3:DataAccessPointArn condition).

IAM policy:

{
	"Version": "2012-10-17",
	"Statement": [{
		"Sid": "AllowCrossAccountAccessToBucketAndAP",
		"Effect": "Allow",
		"Action": [
			"s3:ListBucket",
			"s3:PutObject",
			"s3:GetObject"
		],
		"Resource": [
			"arn:aws:s3:us-east-2:AccountB-ID:accesspoint/my-access-point",
			"arn:aws:s3:us-east-2:AccountB-ID:accesspoint/my-access-point/object/*",
			"arn:aws:s3:::my-bucket",
			"arn:aws:s3:::my-bucket/*"
		]
	}]
}

Note: This IAM policy attached to the source AWS account's (Account A) IAM role or user grants permission to the target AWS account's (Account B) bucket and access point.
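As an added example (not AWS code or tooling), the following Python models the authorization chain the three policies above form: a request reaches the policies only from the access point's VPC, and then the IAM policy, the access point policy and the bucket policy (through its s3:DataAccessPointArn condition) must all allow it. The account IDs, VPC ID and role name are constructed stand-ins, and the evaluator handles only Allow statements with StringEquals conditions (no Deny, no other condition operators), so it is a consistency check for these policies, not an IAM simulator.

```python
import fnmatch
# Constructed sample identifiers standing in for the page's placeholders.
AP_ARN = "arn:aws:s3:us-east-2:222222222222:accesspoint/my-access-point"
BUCKET_ARN = "arn:aws:s3:::my-bucket"
ROLE = "arn:aws:iam::111111111111:role/role01"
AP_VPC = "vpc-0abc1234"  # VpcConfiguration of the access point: Account A's VPC
ACTIONS = ["s3:ListBucket", "s3:PutObject", "s3:GetObject"]

def grant(actions, resources, principals=None, condition=None):
    """Build a one-statement Allow policy shaped like the three on the page."""
    s = {"Effect": "Allow", "Action": actions, "Resource": resources}
    if principals:
        s["Principal"] = {"AWS": principals}
    if condition:
        s["Condition"] = {"StringEquals": condition}
    return {"Version": "2012-10-17", "Statement": [s]}

AP_POLICY = grant(ACTIONS, [AP_ARN, AP_ARN + "/object/*"], [ROLE])
BUCKET_POLICY = grant(ACTIONS, [BUCKET_ARN, BUCKET_ARN + "/*"], [ROLE],
                      {"s3:DataAccessPointArn": AP_ARN})
IAM_POLICY = grant(ACTIONS, [AP_ARN, AP_ARN + "/object/*"])  # identity policy: no Principal

def _match(pattern, value):
    """IAM-style wildcard match; pattern is a string or a list of strings."""
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def policy_allows(policy, principal, action, resource, ctx):
    """True if an Allow statement matches principal, action, resource and condition."""
    for s in policy["Statement"]:
        p = s.get("Principal", "*")
        if s["Effect"] != "Allow" or (p != "*" and not _match(p["AWS"], principal)):
            continue
        if not (_match(s["Action"], action) and _match(s["Resource"], resource)):
            continue
        cond = s.get("Condition", {}).get("StringEquals", {})
        if all(ctx.get(k) == v for k, v in cond.items()):
            return True
    return False

def request_allowed(principal, action, key, vpc_id, ap_policy=AP_POLICY,
                    bucket_policy=BUCKET_POLICY, iam_policy=IAM_POLICY):
    """One request via the access point: VPC origin first, then all three policies."""
    if vpc_id != AP_VPC:
        return False  # network origin is VPC: other sources never reach the policies
    ap_res = AP_ARN if action == "s3:ListBucket" else f"{AP_ARN}/object/{key}"
    bkt_res = BUCKET_ARN if action == "s3:ListBucket" else f"{BUCKET_ARN}/{key}"
    ctx = {"s3:DataAccessPointArn": AP_ARN}  # set by S3 for access point requests
    return (policy_allows(iam_policy, principal, action, ap_res, ctx)
            and policy_allows(ap_policy, principal, action, ap_res, ctx)
            and policy_allows(bucket_policy, principal, action, bkt_res, ctx))
```

Swapping in an access point policy whose object resource misspells the access point name shows why such a typo matters: listing still succeeds because the access point ARN matches, while every GetObject and PutObject is denied.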

AWS CLI command examples to perform S3 operations against the bucket using the access point:

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

List:

aws s3 ls arn:aws:s3:us-east-2:AccountB-ID:accesspoint/my-access-point

Upload:

aws s3 cp file.txt s3://arn:aws:s3:us-east-2:AccountB-ID:accesspoint/my-access-point

Download:

aws s3 cp s3://arn:aws:s3:us-east-2:AccountB-ID:accesspoint/my-access-point file.txt

Note: The request must originate from an Amazon Elastic Compute Cloud (Amazon EC2) instance in the VPC and in the same region as the bucket.


AWS OFFICIAL. Updated a year ago.