2 Answers
Hello.
There are several ways to allow cross-account access to S3, but I think the easiest is to use a bucket policy to allow IAM roles from other accounts.
The following documentation provides example configurations.
https://repost.aws/knowledge-center/cross-account-access-s3
Bucket Policy Example
Add the following bucket policy in Account A to allow access from Account B.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::ACCOUNT-B-ID:root" },
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```
IAM Policy Example
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```
IAM Role (AssumeRole) Example
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::ACCOUNT-B-ID:root" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Important note on access evaluation:
Same account: Either an IAM policy or a bucket policy alone is sufficient.
Cross-account: Both the requester's IAM policy and the bucket policy must explicitly allow the action.
For more details, please refer to: https://repost.aws/knowledge-center/cross-account-access-s3
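The evaluation rule in the note above, as an added example that is not part of the original answer or of any AWS tooling: a small offline Python simulator that takes the answer's bucket policy and identity policy, a requesting principal and a request, and decides the outcome using the stated rules (an explicit Deny wins, a same-account request needs either policy, a cross-account request needs both). The account IDs, the role name `CrossAccountReader`, the bucket name and the object keys are constructed placeholders, and only the `Effect`, `Principal`, `Action` and `Resource` elements are simulated (no `Condition`, `NotAction`, `NotResource` or `NotPrincipal`).

```python
"""Offline simulator of the S3 cross-account evaluation rule stated above.
Added example with constructed account IDs, role name and bucket name."""
import fnmatch

ACCOUNT_A = "111122223333"   # bucket owner (constructed placeholder)
ACCOUNT_B = "444455556666"   # requester's account (constructed placeholder)
ROLE_B = f"arn:aws:iam::{ACCOUNT_B}:role/CrossAccountReader"  # hypothetical role

# The answer's bucket policy (in Account A) with ACCOUNT-B-ID filled in.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::my-bucket/*",
    }],
}

# The answer's identity policy, attached to the role in Account B.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::my-bucket/*",
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def account_of(arn):
    """Account ID field of an IAM/STS ARN (arn:partition:service:region:account:...)."""
    return arn.split(":")[4]


def _matches(patterns, value, ignore_case=False):
    """IAM-style wildcard match (* and ?); action names are case-insensitive."""
    if ignore_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_match(statement, principal_arn):
    """'direct' if the statement names the principal itself (or has no Principal,
    i.e. it is an identity policy, or is public "*"); 'account' if it names only the
    principal's account root, which delegates to that account's IAM policies;
    None if the statement does not apply to this principal at all."""
    raw = statement.get("Principal")
    if raw is None or raw == "*":
        return "direct"
    aws = _as_list(raw.get("AWS", []))
    acct = account_of(principal_arn)
    if _matches(aws, principal_arn):
        return "direct"
    if any(p in (acct, f"arn:aws:iam::{acct}:root") for p in aws):
        return "account"
    return None


def _applicable(policy, principal_arn, action, resource):
    """(Effect, match kind) for every statement of `policy` that covers the request."""
    out = []
    for st in _as_list(policy.get("Statement", [])):
        for unsupported in ("NotAction", "NotResource", "NotPrincipal", "Condition"):
            if unsupported in st:
                raise NotImplementedError(f"{unsupported} is not simulated")
        how = _principal_match(st, principal_arn)
        if how is None:
            continue
        if not _matches(_as_list(st["Action"]), action, ignore_case=True):
            continue
        if not _matches(_as_list(st.get("Resource", "*")), resource):
            continue
        out.append((st["Effect"], how))
    return out


def is_allowed(principal_arn, action, resource, bucket_owner,
               identity_policy=None, bucket_policy=None):
    """Explicit Deny anywhere -> denied. Same account -> the identity policy or a
    bucket policy that names the principal directly suffices (a grant to the account
    root only delegates). Cross-account -> both policies must allow."""
    ident = _applicable(identity_policy or {}, principal_arn, action, resource)
    bucket = _applicable(bucket_policy or {}, principal_arn, action, resource)
    if any(effect == "Deny" for effect, _ in ident + bucket):
        return False
    ident_allows = any(effect == "Allow" for effect, _ in ident)
    bucket_allows = any(effect == "Allow" for effect, _ in bucket)
    bucket_direct = any(effect == "Allow" and how == "direct" for effect, how in bucket)
    if account_of(principal_arn) == bucket_owner:
        return ident_allows or bucket_direct
    return ident_allows and bucket_allows


if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket/report.csv"   # constructed object ARN
    for label, ip, bp in [("both policies", IDENTITY_POLICY, BUCKET_POLICY),
                          ("bucket policy only", None, BUCKET_POLICY),
                          ("identity policy only", IDENTITY_POLICY, None)]:
        print(f"{label:>20}: GetObject by {ROLE_B} ->",
              is_allowed(ROLE_B, "s3:GetObject", obj, ACCOUNT_A, ip, bp))
```

Running the block shows the cross-account role is allowed only when both policies are present. Two things the simulator also makes visible: because the bucket policy's `Principal` is the account root of Account B, every identity in Account B whose own IAM policy allows the action gets in, so name the specific role ARN instead of `:root` if only that role should have access; and `s3:ListBucket` is evaluated against the bucket ARN (`arn:aws:s3:::my-bucket`), not `my-bucket/*`, so listing needs its own statement in both policies.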