2 Answers
0
I found the problem. I had SSE encryption at the bucket level, but all objects used the default S3 KMS key, which doesn't allow objects to be shared outside that account.
answered 2 years ago
0
Hi Alexa,
Glad you found your problem. One useful tip for setting up cross-account access via a resource policy (such as the bucket policy you've used):
Given Bucket/Resource in Account R and IAM Entity in Account A.
- Check the Resource Policy in Account R to ensure it allows access to the IAM Entity.
- If the Resource is encrypted, check the KMS Key as well. KMS Keys have Resource Policies and Grants that can be used to give cross-account access.
- Check the IAM Entity for the right permissions to access the Resource in Account R. I like to add the resource explicitly in the resource block here.
Note: Not all resources support resource policies for cross-account access, and some resources have more complex access mechanisms (such as S3 ACLs).
KMS Cross-Account Access: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
answered 2 years ago
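A simplified evaluator for the three checks listed in the answer above, as an added example that is not part of the original answers. Account IDs, the bucket, the role and the key id are constructed placeholders, and the matcher only handles Effect, Principal, Action and Resource (no Conditions), so it illustrates the checklist rather than replacing the IAM policy simulator. The default-shaped key policy, which names only the owning account, reproduces the failing KMS leg from the first answer.

```python
import fnmatch

# Constructed placeholders: account IDs, bucket, key id and role are hypothetical.
ACCOUNT_R, ACCOUNT_A = "111111111111", "222222222222"   # R owns the bucket/key, A holds the IAM entity
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/reader"
OBJECT_ARN = "arn:aws:s3:::shared-bucket/report.csv"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_R}:key/PLACEHOLDER-KEY-ID"

def _match(pattern, value):
    """Wildcard match of one value against a string or list of IAM patterns."""
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _principal_match(principal, arn):
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return _match(aws, arn)

def policy_allows(policy, principal_arn, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for st in policy["Statement"]:
        if "Principal" in st and not _principal_match(st["Principal"], principal_arn):
            continue  # resource policy statement aimed at someone else
        if not _match(st["Action"], action) or not _match(st["Resource"], resource):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def cross_account_read(bucket_policy, key_policy, identity_policy):
    """The three legs from the checklist; all must be True for a decrypting GetObject."""
    return {
        "bucket_policy": policy_allows(bucket_policy, ROLE_ARN, "s3:GetObject", OBJECT_ARN),
        "key_policy": policy_allows(key_policy, ROLE_ARN, "kms:Decrypt", KEY_ARN),
        "identity_s3": policy_allows(identity_policy, ROLE_ARN, "s3:GetObject", OBJECT_ARN),
        "identity_kms": policy_allows(identity_policy, ROLE_ARN, "kms:Decrypt", KEY_ARN),
    }

BUCKET = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
                         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-bucket/*"}]}
# Key policy shaped like a default one: only the owning account is trusted, so account A's
# role never matches and the KMS leg fails even though the bucket policy allows the read.
KEY_DEFAULT = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_R}:root"},
                              "Action": "kms:*", "Resource": "*"}]}
# Same key with an added cross-account statement for the role in account A.
KEY_SHARED = {"Statement": KEY_DEFAULT["Statement"] + [{"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
              "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}
# Identity policy in account A naming both the object and the key explicitly.
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "kms:Decrypt"],
                           "Resource": [OBJECT_ARN, KEY_ARN]}]}
```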