S3 bucket permissions to run CloudFormation from different accounts and create Lambda Functions.


Not sure what I am missing, but I keep getting permission denied errors when I launch CloudFormation using an https URL. Here are the details. I have an S3 bucket "mys3bucket" in ACCOUNT A. In this bucket, I have a CloudFormation template stored at s3://mys3bucket/project1/mycft.yml. The bucket is in us-east-1. It uses S3 server-side encryption using an S3 key [not KMS]. For this bucket, I have disabled ACLs; the bucket and all objects are private, but I have added a bucket policy which is as below:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_B_NUMBER:root"
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mys3bucket",
        "arn:aws:s3:::mys3bucket/project1/*"
      ]
    }
  ]
}
```

Now, I log in to Account B --> CloudFormation --> Create new stack --> Template is ready --> Amazon S3 URL, and then I enter the object path to my template in this format: https://mys3bucket.s3.amazonaws.com/project1/mycft.yml

When I click next, I get the following message on the same page as a banner in red

S3 error: Access Denied For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html

Also, just for your information, I am able to list the bucket and objects from Account B if I use Cloud9 and run:

```shell
aws s3 ls s3://mys3bucket/project1/mycft.yml
aws s3 cp s3://mys3bucket/project1/mycft.yml .
```

What am I missing? [I think this should work even when the bucket is set as private but the bucket policy allows cross-account access.] Does this use case require my bucket to be hosted as a static website?

2 Answers

I found the problem. I had SSE encryption at bucket level but all objects had default S3 KMS key which doesn't allow objects to be shared outside that account.

answered 2 years ago

Hi Alexa,

Glad you found your problem. One useful tip for setting up cross-account access via a resource policy (such as the bucket policy you've used):

Given Bucket/Resource in Account R and IAM Entity in Account A.

  • Check the Resource Policy in Account R to ensure it allows access to the IAM Entity.
  • If the Resource is encrypted, check the KMS Key as well. KMS Keys have Resource Policies and Grants that can be used to give cross-account access.
  • Check the IAM Entity for the right permissions to access the Resource in Account R. I like to add the resource explicitly in the resource block here.

Note: Not all resources support resource policies for cross-account access and some resources have more complex access mechanisms (such as S3 ACLs). KMS Cross-Account Access: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html

answered 2 years ago
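The three checks in the answer above, as an added offline evaluator (example code, not from this thread or AWS): it takes a bucket policy, the bucket's default-encryption block and, where a customer managed key is in use, that key's policy, and reports why an external account would be refused GetObject, including the aws/s3 managed-key case the asker hit. The account IDs, key ARN and sample policies are constructed placeholders; the reading account's own identity policies are not evaluated.

```python
AWS_MANAGED_S3_KEY = "alias/aws/s3"  # key SSE-KMS falls back to when no key ID is set

def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def _policy_allows(policy, account_id, action):
    """True if an Allow statement names the account (root ARN, bare ID or *) and covers action."""
    names = {"*", account_id, f"arn:aws:iam::{account_id}:root"}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        if not any(p in names for p in _as_list(aws)):
            continue
        for a in _as_list(st.get("Action", [])):
            if a in ("*", action) or (a.endswith("*") and action.startswith(a[:-1])):
                return True
    return False

def check_cross_account_read(bucket_policy, sse_default, key_policy, account_id):
    """Return reasons account_id would be denied s3:GetObject ([] if none are found).
    sse_default: ApplyServerSideEncryptionByDefault block from GetBucketEncryption.
    key_policy: the customer managed key's policy, or None. The reading account's
    own identity policies are not modelled here."""
    findings = []
    if not _policy_allows(bucket_policy, account_id, "s3:GetObject"):
        findings.append(f"bucket policy grants no s3:GetObject to account {account_id}")
    if sse_default.get("SSEAlgorithm") == "aws:kms":
        key_id = sse_default.get("KMSMasterKeyID", "")
        if not key_id or key_id.endswith(AWS_MANAGED_S3_KEY):
            findings.append("objects use the AWS managed key aws/s3, whose key policy "
                            "cannot be edited to admit another account")
        elif key_policy is None or not _policy_allows(key_policy, account_id, "kms:Decrypt"):
            findings.append(f"KMS key policy grants no kms:Decrypt to account {account_id}")
    return findings

# Constructed inputs modelled on the question; ACCOUNT_B and the key ARN are placeholders.
ACCOUNT_B = "222222222222"
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
    "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:GetObjectTagging", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::mys3bucket", "arn:aws:s3:::mys3bucket/project1/*"]}]}
SSE_DEFAULT_KMS = {"SSEAlgorithm": "aws:kms"}  # no KMSMasterKeyID: aws/s3 is used
SSE_CUSTOMER_KEY = {"SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-KEY-ID"}
KEY_POLICY_OK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
    "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}
```

Calling `check_cross_account_read(BUCKET_POLICY, SSE_DEFAULT_KMS, None, ACCOUNT_B)` reproduces the asker's situation, while `SSE_CUSTOMER_KEY` with `KEY_POLICY_OK` returns no findings. An AWS managed key referenced by its bare key ID rather than the alias is not recognised by this heuristic.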
