2 Answers
0
I found the problem. I had SSE encryption at the bucket level, but all objects had the default S3 KMS key, which doesn't allow objects to be shared outside that account.
answered 2 years ago
0
Hi Alexa,
Glad you found your problem. One useful tip for setting up cross-account access via a resource policy (such as the bucket policy you've used):
Given Bucket/Resource in Account R and IAM Entity in Account A.
- Check the Resource Policy in Account R to ensure it allows access to the IAM Entity.
- If the Resource is encrypted, check the KMS Key as well. KMS Keys have Resource Policies and Grants that can be used to give cross-account access.
- Check the IAM Entity for the right permissions to access the Resource in Account R. I like to add the resource explicitly in the resource block here.
Note: Not all resources support resource policies for cross-account access and some resources have more complex access mechanisms (such as S3 ACLs).
KMS Cross-Account Access: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
answered 2 years ago
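
The three checks from the answer above, run over constructed policies, as an added example that is not part of the original answers and is not AWS code. The account IDs, ARNs, role name and policy contents are assumptions; the evaluator is deliberately simplified (Allow statements only, no Deny, conditions, KMS grants or S3 ACLs).

```python
import fnmatch

ACCOUNT_R, ACCOUNT_A = "222222222222", "111111111111"   # constructed account IDs
ROLE = f"arn:aws:iam::{ACCOUNT_A}:role/reader"           # hypothetical IAM entity in Account A
OBJ = "arn:aws:s3:::example-bucket/report.csv"           # hypothetical object in Account R
KEY = f"arn:aws:kms:us-east-1:{ACCOUNT_R}:key/EXAMPLE-KEY-ID"  # placeholder key ARN

def _list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource, principal=None):
    """True if an Allow statement matches. Simplified: no Deny, Condition, grants or SCPs."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if principal is not None:  # resource policy: the caller must be named
            p = st.get("Principal", {})
            named = ["*"] if p == "*" else _list(p.get("AWS", []))
            root = ":".join(principal.split(":")[:5]) + ":root"
            if not any(n in ("*", principal, root) for n in named):
                continue
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _list(st["Action"])) \
                and any(fnmatch.fnmatchcase(resource, r) for r in _list(st["Resource"])):
            return True
    return False

def cross_account_check(bucket_policy, key_policy, identity_policy):
    """Run the three checks from the answer; every value must be True for access."""
    return {
        "bucket_policy": allows(bucket_policy, "s3:GetObject", OBJ, ROLE),
        "kms_key_policy": allows(key_policy, "kms:Decrypt", KEY, ROLE),
        "iam_s3": allows(identity_policy, "s3:GetObject", OBJ),
        "iam_kms": allows(identity_policy, "kms:Decrypt", KEY),
    }

def stmt(action, resource, principal=None):
    s = {"Effect": "Allow", "Action": action, "Resource": resource}
    if principal:
        s["Principal"] = {"AWS": principal}
    return s

BUCKET_POLICY = {"Statement": [stmt("s3:GetObject", "arn:aws:s3:::example-bucket/*", ROLE)]}
IDENTITY_POLICY = {"Statement": [stmt("s3:GetObject", OBJ), stmt("kms:Decrypt", KEY)]}
# Constructed stand-in for a key usable only inside Account R (the failure in the first answer)
KEY_R_ONLY = {"Statement": [stmt("kms:*", "*", f"arn:aws:iam::{ACCOUNT_R}:root")]}
# Constructed key policy that also names the Account A role
KEY_SHARED = {"Statement": KEY_R_ONLY["Statement"] + [stmt("kms:Decrypt", "*", ROLE)]}

if __name__ == "__main__":
    for name, key_policy in (("R-only key", KEY_R_ONLY), ("shared key", KEY_SHARED)):
        print(name, cross_account_check(BUCKET_POLICY, key_policy, IDENTITY_POLICY))
```

With the R-only key, the bucket policy and IAM checks pass while the key policy check fails, which is the situation the first answer describes.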