Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

how can I allow another account to write into resource policy of my account's S3

0

Hello,

I am trying to make Account A to modify resource policy of s3 bucket of account B

Topics
StorageSecurity, Identity, & Compliance
Tags
AWS Identity and Access ManagementAmazon Simple Storage Service
Language
English
asked 9 months ago105 views
1 Answer
0

Hello.

To do this, I think you need to create an IAM role in account B that account A can use to establish a trust relationship.
I think the following document settings will be helpful.
https://repost.aws/knowledge-center/cross-account-access-iam
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html

In account B, create an IAM role with the following trust policy:
Also, attach an IAM policy to the IAM role you created to operate the bucket policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountAID:user/user-name"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

For the IAM user in Account A, set an IAM policy that allows them to AssumeRole the IAM role created in Account B as shown below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::AccountBID:role/role-name"
      ]
    }
  ]
}
EXPERT
answered 9 months ago
EXPERT
reviewed 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content