Sharing resources between management account and child account in AWS organizations


I am working on creating an AWS organization for my team. Currently, we have many S3 buckets and some resources on Sagemaker (e.g., notebook instances). I created the organizational units and new accounts for each team member. When I tried to share S3 buckets within the team accounts, I followed this tutorial that explains how to use aws:PrincipalOrgPaths and S3 bucket policies. After adding a policy that allows ListBucket, I can view the bucket content using the link of the bucket. However, I can't see the bucket itself in the child account list of buckets. Is this something expected? If not, how can I view all of the available shareable buckets from the management account?

A second question is, if the bucket policies are the way to share buckets, would I need to create one policy for each bucket? Or is there a more elegant solution for adding more buckets? I tried to add a service control service with explicit allow for s3:ListAllMyBuckets and s3:* and then attached it to the organizational unit. However, I still can't see any of the buckets in the management account. Do you have any suggestions?

1 Answer

Hello Omar, when you share an S3 bucket from one account to another using bucket policies and aws:PrincipalOrgPaths, the bucket will not appear in the child account's S3 console as if it were owned by the child account. The bucket will continue to appear in the S3 console of the account where it is created. The ListBucket permission in the bucket policy allows the child account to access the contents of the bucket but does not make it visible in the S3 console of the child account. So, not being able to see the shared S3 buckets in the child accounts' list of buckets is expected.

If you want to have a centralized view of all shareable buckets from the management account, you would need to create a centralized management system or use AWS services like AWS Organizations to create multiple accounts and AWS Resource Access Manager (RAM) to manage shared resources across them.

For your other question, if the buckets you are trying to share can have the same permissions, you can create a single bucket policy that allows the necessary permissions for the buckets you want to share. Then, use variables like "aws:Requester" or "aws:PrincipalOrgPaths" in your bucket policy to specify which accounts or organizational paths have access to the bucket.

Hope this could help! :D

Sources: https://docs.aws.amazon.com/it_it/controltower/latest/userguide/what-is-control-tower.html

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started.html

https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs

answered 6 months ago by Steve_M (EXPERT), reviewed 6 months ago
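The sharing pattern the question and answer describe, as an added example (not code from the thread or from AWS): a generator for a bucket policy that grants `s3:ListBucket` and `s3:GetObject` only to principals under one organization path via `aws:PrincipalOrgPaths`, plus a check that no wildcard-principal statement is left without an organization condition. The org path and bucket name are constructed placeholders.

```python
"""Build and sanity-check an S3 bucket policy scoped to an AWS Organizations
OU path. Added example; the org path and bucket name below are placeholders."""
import json

# Constructed placeholders, not real identifiers: "<org-id>/<root-id>/<ou-id>/*".
ORG_PATH = "o-EXAMPLE111/r-EXAMPLE2/ou-EXAMPLE3/*"
BUCKET = "example-shared-bucket"


def org_shared_bucket_policy(bucket, org_path):
    """Allow list + read for any principal whose org path matches org_path.
    ListBucket must target the bucket ARN and GetObject the object ARN
    (bucket/*); swapping them is a common cause of AccessDenied on a
    bucket that is otherwise 'shared' correctly."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # aws:PrincipalOrgPaths is multivalued, so a ForAnyValue set operator is used.
    cond = {"ForAnyValue:StringLike": {"aws:PrincipalOrgPaths": [org_path]}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OrgList", "Effect": "Allow", "Principal": "*",
             "Action": "s3:ListBucket", "Resource": bucket_arn,
             "Condition": cond},
            {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": f"{bucket_arn}/*",
             "Condition": cond},
        ],
    }


def unconditioned_wildcard_statements(policy):
    """Return Sids of Allow statements with Principal "*" (or {"AWS": "*"})
    and no Condition. Such a statement makes the bucket anonymous-readable,
    which is the failure mode to catch before applying an org-scoped policy."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be a bare object
        stmts = [stmts]
    bad = []
    for s in stmts:
        principal = s.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if s.get("Effect") == "Allow" and wildcard and not s.get("Condition"):
            bad.append(s.get("Sid", "<no Sid>"))
    return bad


if __name__ == "__main__":
    policy = org_shared_bucket_policy(BUCKET, ORG_PATH)
    assert unconditioned_wildcard_statements(policy) == []
    print(json.dumps(policy, indent=2))   # feed to: aws s3api put-bucket-policy
```

Because `s3:ListAllMyBuckets` only enumerates buckets owned by the calling account, a member account still has to address the shared bucket by name (for example `aws s3 ls s3://example-shared-bucket`) even after this policy is in place.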
  • Thank you for your answer. Could you give me any doc for having a centralized view of all shareable buckets using AWS RAM? I can only see S3 outposts in the list of shareable resources using RAM.

    Also, can I share an existing Sagemaker notebook instance within the management account with the members of the organization? In the list, I can only see Sagemaker pipelines and some other features not including notebook instances.
