Hello.
- Configure bucket policies to restrict access to only the required roles in Account B.
As described in the document below, if you allow the ARN of account B's IAM role in the bucket policy, that role will be able to access the S3 bucket cross-account.
https://repost.aws/knowledge-center/cross-account-access-s3
- Ensure compliance with the principle of least privilege.
The minimum privileges will vary depending on what your application and users do with S3.
Therefore, in order to investigate what kind of operations are being performed on S3, please use IAM Access Analyzer with the target IAM role to search for actions performed on S3.
https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
- Monitor and audit access to this bucket. Any guidance or example policies would be appreciated.
If you want to check the access history of the S3 bucket, please obtain the access logs.
If you want to check detailed actions, please use a CloudTrail trail.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html
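An added example bucket policy for the bucket-owning account (Account A), illustrating the cross-account allow plus a least-privilege lockdown described above; it is not taken from the answer or the linked AWS article. The account IDs `111111111111` (Account A) and `222222222222` (Account B), the role names `AppReaderRole` and `BucketAdminRole`, and the bucket name `example-shared-bucket` are placeholders to replace with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccountBRoleReadOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:role/AppReaderRole"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-shared-bucket",
        "arn:aws:s3:::example-shared-bucket/*"
      ]
    },
    {
      "Sid": "DenyAllPrincipalsExceptApprovedRoles",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-shared-bucket",
        "arn:aws:s3:::example-shared-bucket/*"
      ],
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::222222222222:role/AppReaderRole",
            "arn:aws:iam::111111111111:role/BucketAdminRole"
          ]
        }
      }
    }
  ]
}
```

The Allow statement grants only read actions to the Account B role, while the Deny statement blocks every other principal, so the administrative role of the bucket-owning account must be listed in the condition or it will lock itself out. Widen the action list only to what IAM Access Analyzer shows the Account B role actually uses.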