By using AWS re:Post, you agree to the AWS re:Post Terms of Use

How to optimize Amazon S3 bucket policies for secure cross-account access?

0

I have an Amazon S3 bucket in Account A that needs to be accessed by specific IAM roles in Account B. I’m looking for best practices to: 1. Configure bucket policies to restrict access to only the required roles in Account B. 2. Ensure compliance with the principle of least privilege. 3. Monitor and audit access to this bucket. Any guidance or example policies would be appreciated.

asked 10 days ago25 views
1 Answer
0
Accepted Answer

Hello.

  1. Configure bucket policies to restrict access to only the required roles in Account B.

As introduced in the document below, if you allow the ARN of account B's IAM role in the bucket policy, you will be able to access the S3 bucket cross-account.
https://repost.aws/knowledge-center/cross-account-access-s3

  1. Ensure compliance with the principle of least privilege.

The minimum privileges will vary depending on what your application and users do with S3.
Therefore, in order to investigate what kind of operations are being performed on S3, please use IAM Access Analyzer with the target IAM role to search for actions performed on S3.
https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html

  1. Monitor and audit access to this bucket. Any guidance or example policies would be appreciated.

If you want to check the access history to the S3 bucket, please obtain the access log.
If you want to check detailed actions, please obtain a CloudTrail trail.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html

profile picture
EXPERT
answered 9 days ago
profile picture
EXPERT
reviewed 3 days ago
profile picture
EXPERT
reviewed 9 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions