Access S3 bucket from other account from EC2 instance without bucket policy

0

Hi Team,

Please let us know is there a way to access S3 bucket in Account B from EC2 instance in Account A without using bucket policy.

Regards, Rajesh B

asked 7 months ago275 views
2 Answers
3
Accepted Answer

Yes, you can do that by IAM policies and resource-based ACLs or If that s3 bucket is public then also bucket policy would not be required. When I say public, depending on your use case, whether it's granted public access for read or write or both.

Please refer IAM policies and resource-based ACLs at cross account s3 bucket access.

But if either of these two options is not appropriate/feasible for use case, then answer would be no, you'll have to add bucket policy in Account B to allow the Account A EC2 Instance profile role. Also note that, ACLs are discouraged over bucket policy but if your use case has a requirement not to use bucket policy at all, then ACL is an option.

Also, note that cross account s3 access is only possible with SSE-S3 or SSE-KMS CMK, if bucket in account B is encrypted using AWS managed key SSE-KMS(aws/s3) then cross account s3 bucket access is not possible. Reason being AWS managed key(aws/s3) is unique for each account and can't be used by other account to encrypt objects.

With SSE-KMS CMK encrypted bucket, you'll have to add Account A EC2 Instance profile role in Account B KMS key policy too.

Hope you find this information helpful.

Comment here if you have additional questions, happy to help.

Abhishek

profile pictureAWS
EXPERT
answered 7 months ago
profile pictureAWS
EXPERT
iBehr
reviewed 6 months ago
  • AES-256 is actually SSE-S3. aws/s3 comes into effect when using SSE-KMS where you can select aws/s3 which cant be used across accounts as you cant change the policy on this Key as its tide to the caller account.

0

Hi

What you can do is, from your EC2 instance, assume a IAM Role cross-account, then use the credentials from this role assumption to access the S3 bucket. You can check this article on how to setup cross account role assumption.

profile picture
EXPERT
answered 7 months ago
  • Hi JimmyDqv,

    i followed the assume role way. But it is throwing access denied error. When i added below in .aws/config then it worked when i tried aws s3 ls

    [profile s3access] role_arn = arn:aws:iam::123456789012:role/my_role

    credential_source = Ec2InstanceMetadata

    Please let me know if there is any alternative way without passing details in .aws/config for programmatic access.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions