Access to S3 in root and child account through roles


Hello,

We have a root AWS account and a child account for another application called prod. I want to give IAM users Full S3 Access to all the buckets in both the root account and the prod account.

In order to achieve this, I have created a role in the prod account with the following policies:

  • AmazonS3FullAccess (AWS Managed Policy)
  • An Inline Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

In the Trust Relationship for this role, I have set the following trust relationship, so that users from the root account can access the buckets in the prod account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<root_account_id>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}

Now, in the root account, I have attached the following policy to the user through a Group:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::<prod_account_id>:role/ProdS3FullAccessRole"
            ]
        }
    ]
}

The group also has policies attached for MFA and IAM ChangePassword.

When the user uses their Access Key and Secret Access Key to download files from a bucket in the root account, they get an Access Denied error. I can confirm that there is no Deny statement blocking any access to any bucket nor any bucket level policy. I am unable to find out what is wrong with the set up.

I'd really appreciate some help. Thank you in advance.

EDIT:

As suggested in the answers below, I have also tried setting up a bucket policy in the root account to grant access to the bucket for the Prod access role that gets assumed by the user. The user still gets an Access Denied error when trying to use the access keys generated for their IAM user to perform operations on a root S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<prod_account_id>:role/ProdS3FullAccessRole"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<bucket-name>",
                "arn:aws:s3:::<bucket-name>/*"
            ]
        }
    ]
}
2 Answers

Hello.

Does this mean that I can access S3 in the prod account but not in the root account?
In that case, I thought that the problem could be solved by attaching an IAM policy for operating S3 to the IAM user of the root account.
In other words, I thought it was necessary to use the following policy to allow not only "AssumeRole" but also S3 operations within my account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "sts:AssumeRole" ],
            "Resource": [ "arn:aws:iam::<prod_account_id>:role/BrighthubS3FullAccessRole" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "s3:*" ],
            "Resource": [ "*" ]
        }
    ]
}
answered 20 days ago
  • Thank you for your response. I had tried this too. We have a Group in the root account to grant full s3 access to IAM Users in the root account. So along with adding the user to the group that grants access to the Prod S3, we also add the user to this group. But the user still got the same error.

  • With the AWS CLI, you can set the profile and Assume Role as shown below. As a result, in my environment, I can now operate the S3 buckets of Account A and Account B. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-cli.html

  • Thank you so much again! According to this link,

    The permissions of your IAM user and any roles that you assume are not cumulative. Only one set of permissions is active at a time. When you assume a role, you temporarily give up your previous user or role permissions and work with the permissions that are assigned to the role. When you exit the role, your user permissions are automatically restored.

    So, why isn't the user able to access a bucket in the root account with their access keys in the root account after the role has been attached? Apologies, I am just trying to understand this better.

  • Is access being denied due to the S3 bucket's bucket policy? Also, can I access the same S3 if I am a regular IAM user without cross-account setup? Make sure you have attached not only the "AssumeRole" but also the policy used to access S3.

  • Thank you for your response. There is no Bucket policy set up in any bucket in the prod or root account. The user is able to access the bucket in the root account if the cross account access role is removed. The moment that role is added, they can no longer access anything in the root account. I have also tried attaching the S3 policy as shown above in your answer, it still gives an Access denied error.
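The profile-based role switching that the linked CLI guide describes, shown here as an added example (not the asker's setup and not AWS documentation). It assumes profile names `root-user` and `prod-s3`, a region of `us-east-1` and an MFA device named after the user; the account IDs and role name are the placeholders from the question.

```ini
# ~/.aws/credentials  -- long-term keys of the IAM user in the root account
[root-user]
aws_access_key_id     = <root-user-access-key-id>
aws_secret_access_key = <root-user-secret-access-key>

# ~/.aws/config
[profile root-user]
region = us-east-1

# Role profile: every call made with --profile prod-s3 is first turned into
# sts:AssumeRole on the prod role (the trust policy requires MFA, so the CLI
# prompts for the token code from mfa_serial), and the call is then made
# with the ROLE's credentials, not the user's.
[profile prod-s3]
region         = us-east-1
role_arn       = arn:aws:iam::<prod_account_id>:role/ProdS3FullAccessRole
source_profile = root-user
mfa_serial     = arn:aws:iam::<root_account_id>:mfa/<user-name>
```

With this layout, `aws s3 ls s3://<root-bucket> --profile root-user` runs as the IAM user and succeeds only if the user's own identity policies in the root account allow it, while `aws s3 ls s3://<prod-bucket> --profile prod-s3` runs as the assumed role and uses only the role's permissions. Pointing `--profile prod-s3` at a root-account bucket is a cross-account request from the prod role, which additionally needs a bucket policy on that bucket.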


Remember that for cross-account access you have to set up a bucket policy to allow access from the other account. If not, it will not work; it's impossible, otherwise you would be able to access any bucket in the world.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html

Hope this helps.

Best

AWS
answered 20 days ago
  • Thank you for your response. Here the user in the root account isn't able to access a bucket in the root account after giving them access to S3 in the prod account through a role.

  • This is exactly how it has been set up. In this example, the bucket policy has been added for an admin user in a third account to be able to upload objects. The setup between Account A and C is exactly what we have done for the root and prod accounts. The user is unable to access buckets in the root account, with the role they can access the prod account. How do I allow them to access S3 in both the root account and the prod account?
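The two answers make two separate points: the first that an identity policy granting only `sts:AssumeRole` grants no S3 actions in the user's own account, the second that a request made with the assumed prod role against a root-account bucket is cross-account and needs a bucket policy as well. The following added example (not AWS code and not the asker's) models the documented combination rules for those two cases so both can be checked side by side. It is deliberately simplified: it handles Allow/Deny statements with Action, Resource and an optional `AWS` Principal only, and ignores conditions (such as the MFA check in the trust policy), SCPs, permission boundaries and session policies. Account IDs, the user name and the bucket names are constructed stand-ins for the placeholders in the question.

```python
"""Simplified model of how S3 combines identity and bucket policies.

Added example: an explicit Deny anywhere wins; a same-account request needs
an Allow from either the caller's identity policy or the bucket policy; a
cross-account request needs an Allow from both.
"""
from fnmatch import fnmatchcase

ROOT_ACCOUNT = "111111111111"  # constructed stand-in for <root_account_id>
PROD_ACCOUNT = "222222222222"  # constructed stand-in for <prod_account_id>
ROOT_USER = f"arn:aws:iam::{ROOT_ACCOUNT}:user/alice"  # constructed user
PROD_ROLE = f"arn:aws:iam::{PROD_ACCOUNT}:role/ProdS3FullAccessRole"

ROOT_OBJECT = "arn:aws:s3:::root-bucket/report.csv"  # constructed object
PROD_OBJECT = "arn:aws:s3:::prod-bucket/data.bin"    # constructed object

# The group policy from the question: AssumeRole only, no S3 actions.
ASSUME_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [PROD_ROLE]}]}
# The policy proposed in the first answer: AssumeRole plus s3:* in-account.
ASSUME_AND_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [PROD_ROLE]},
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]}]}
# The inline policy attached to the prod role.
ROLE_S3_FULL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# The bucket policy from the EDIT, with the object-level resource included.
ROOT_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AddPerm", "Effect": "Allow", "Principal": {"AWS": PROD_ROLE},
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::root-bucket", "arn:aws:s3:::root-bucket/*"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, principal_arn, action, resource):
    """True if the statement's Principal (if any), Action and Resource match."""
    if "Principal" in stmt:
        principals = stmt["Principal"]
        allowed = ["*"] if principals == "*" else _as_list(principals.get("AWS", []))
        if not any(p in ("*", principal_arn) for p in allowed):
            return False
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def evaluate(policy, principal_arn, action, resource):
    """Return "Allow", "Deny" (explicit) or None (no matching statement)."""
    decision = None
    statements = _as_list(policy.get("Statement", [])) if policy else []
    for stmt in statements:
        if _statement_applies(stmt, principal_arn, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            decision = "Allow"
    return decision


def s3_allowed(caller_account, caller_arn, identity_policy,
               bucket_account, bucket_policy, action, resource):
    """Combine identity and bucket policy decisions the way S3 does (simplified)."""
    ident = evaluate(identity_policy, caller_arn, action, resource)
    bucket = evaluate(bucket_policy, caller_arn, action, resource)
    if "Deny" in (ident, bucket):
        return False
    if caller_account == bucket_account:  # same account: either Allow suffices
        return "Allow" in (ident, bucket)
    return ident == "Allow" and bucket == "Allow"  # cross-account: both needed


def scenarios():
    """The cases discussed on the page, as {description: allowed} pairs."""
    get = "s3:GetObject"
    return {
        "root user, AssumeRole-only policy, root bucket":
            s3_allowed(ROOT_ACCOUNT, ROOT_USER, ASSUME_ONLY,
                       ROOT_ACCOUNT, None, get, ROOT_OBJECT),
        "root user, AssumeRole+s3:* policy, root bucket":
            s3_allowed(ROOT_ACCOUNT, ROOT_USER, ASSUME_AND_S3,
                       ROOT_ACCOUNT, None, get, ROOT_OBJECT),
        "prod role session, root bucket, no bucket policy":
            s3_allowed(PROD_ACCOUNT, PROD_ROLE, ROLE_S3_FULL,
                       ROOT_ACCOUNT, None, get, ROOT_OBJECT),
        "prod role session, root bucket, bucket policy present":
            s3_allowed(PROD_ACCOUNT, PROD_ROLE, ROLE_S3_FULL,
                       ROOT_ACCOUNT, ROOT_BUCKET_POLICY, get, ROOT_OBJECT),
        "prod role session, prod bucket":
            s3_allowed(PROD_ACCOUNT, PROD_ROLE, ROLE_S3_FULL,
                       PROD_ACCOUNT, None, get, PROD_OBJECT),
    }


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {case}")
```

The first scenario is the asker's group policy as posted: no S3 statement, so a request made with the user's own keys against a root-account bucket has nothing that allows it, whichever roles the user may assume. The third and fourth scenarios are the second answer's point: the same `s3:*` on the prod role is enough inside the prod account but not against a root-account bucket until that bucket's policy names the role. The model does not say which of these the asker is actually hitting; that depends on which credentials the CLI profile in use is really sending, which the thread leaves open.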
