Not able to access S3 bucket from another AWS account in cross-account scenario.


Hi Team,

I have a requirement to access an S3 bucket that exists in one AWS account (say Account A) from Account B using Athena. I have done the following setup for this:

In Account A:

  • Added a bucket policy as below: { "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::<Account B ID>:user/cloud_user", "arn:aws:iam::<Account B ID>:root", "arn:aws:iam::<Account B ID>:role/GlueaccesstoS3" ] }, "Action": "s3:*", "Resource": [ "arn:aws:s3:::<Bucket name in Account A>", "arn:aws:s3:::<Bucket name in Account A>/*" ] } ] }

In Account B: created a role named "GlueaccesstoS3" with the following details:

  1. Added the AWS managed policy AmazonS3FullAccess
  2. Added the AWS managed policy AWSGlueServiceRole
  3. Added the AWS managed policy AWSGlueConsoleFullAccess
  4. Added the AWS managed policy AWSGlueServiceNotebookRole
  5. Added the AWS managed policy AWSGlueConsoleSageMakerNotebookFullAccess
  6. Also added a custom inline policy with the below info: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::<Bucket name in Account A>/*" } ] }

and added the below trusted entities for this role in Account B: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::<Parent of Account A Id>:root", "arn:aws:iam::<Parent of Account A Id>:role/AWS-Data-Analytics", "arn:aws:iam::<Account A Id>:role/admin-All", "arn:aws:iam::<Account A Id>:root" ], "Service": "glue.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

  • Then, in Account B, using the AWS Glue crawler, I tried to create a crawler by assigning the role "GlueaccesstoS3" and pointing it at the S3 bucket of Account A.
  • When I ran the crawler in Account B, it threw the error "Crawler Error: User does not have access to target s3://<Bucket name in Account A>/".
2 Answers

You need to make sure of the following points:

  1. The Account A S3 bucket must be encrypted with an SSE-KMS CMK or an SSE-S3 key; it should not have SSE-KMS (aws/s3) encryption enabled, as otherwise the Account B role won't be able to access the Account A bucket key (aws/s3) and bucket access will fail. The SSE-KMS (aws/s3) key is an AWS managed key and is unique to each account; it doesn't allow you to add a resource policy granting another account access. Hence the Account A bucket must be SSE-KMS CMK or SSE-S3 encrypted. I'd suggest you have the Account A S3 bucket SSE-KMS CMK encrypted and then follow the next steps.

  2. Account B:

    • Role GlueaccesstoS3 has access to the Account A S3 bucket
    • Role GlueaccesstoS3 has access to the Account A S3 bucket's KMS key (if this bucket is SSE-KMS CMK encrypted)
  3. Account A:

    • The S3 bucket policy should allow the Account B role GlueaccesstoS3 the required permissions (GET/PUT etc.) based on your exact requirement
    • The S3 bucket's KMS key policy should allow the Account B role GlueaccesstoS3 the required permissions (Encrypt, Decrypt, GenerateDataKey)

Hope you find this information helpful.

Comment here if you have additional questions, happy to help.

Abhishek

AWS EXPERT
answered 8 months ago
  • SSE-S3 works for cross-account S3 access; with this you need to update the bucket policy to allow the Account B role GetObject, PutObject etc. based on your exact requirement. You can refer to this re:Post Knowledge Center article.

  • Hi Gurpreet, were you able to get past the issue?
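The answer's points 2 and 3, together with the SSE-S3 comment above, come down to a rule that is easy to get wrong: for a cross-account call, the caller's identity policy in Account B and the bucket policy in Account A must both allow the action, and if the bucket uses SSE-KMS the same holds for the key policy. The script below is an added example, not code from this thread or from AWS: a deliberately simplified IAM evaluator that checks those documents against each other offline. All account IDs, the bucket name, the role name and the key ID are constructed placeholders, and the stand-in policy for the AWS managed aws/s3 key is an assumption that models its fixed, non-editable policy as a grant to Account A only. It ignores conditions, NotAction, permission boundaries and SCPs, so it is a reasoning aid, not a substitute for the IAM policy simulator.

```python
# Added example (not from the re:Post thread): simplified cross-account policy check.
# Real IAM also evaluates conditions, NotAction, permission boundaries and SCPs;
# this model only implements Allow/Deny statements with '*' and '?' wildcards.
import fnmatch

ACCOUNT_A = "111111111111"   # constructed: owns the bucket and the KMS key
ACCOUNT_B = "222222222222"   # constructed: runs the Glue crawler
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/GlueaccesstoS3"
BUCKET_ARN = "arn:aws:s3:::example-bucket-in-account-a"   # constructed bucket name
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_A}:key/00000000-0000-0000-0000-000000000000"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards are '*' and '?'; callers lowercase action names since those are case-insensitive
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    entries = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
    account = arn.split(":")[4]
    # an account-root principal covers every identity in that account, but only in
    # combination with that identity's own policy, which cross_account_allowed also checks
    return any(p in ("*", arn, account, f"arn:aws:iam::{account}:root") for p in entries)


def _evaluate(policy, action, resource, principal_arn=None):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    decision = "Implicit"
    for stmt in _as_list(policy["Statement"]):
        if principal_arn and not _principal_matches(stmt.get("Principal", {}), principal_arn):
            continue
        if not _matches([a.lower() for a in _as_list(stmt.get("Action", []))], action.lower()):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit Deny always wins
        decision = "Allow"
    return decision


def cross_account_allowed(identity_policy, bucket_policy, action, resource,
                          role_arn=ROLE_ARN, key_policy=None, key_arn=KEY_ARN):
    """Cross-account rule: identity policy AND resource policy must both Allow.
    With SSE-KMS the matching KMS action must also pass on both sides."""
    checks = [_evaluate(identity_policy, action, resource),
              _evaluate(bucket_policy, action, resource, role_arn)]
    if key_policy is not None:
        kms_action = "kms:Decrypt" if action.lower() == "s3:getobject" else "kms:GenerateDataKey"
        checks += [_evaluate(identity_policy, kms_action, key_arn),
                   _evaluate(key_policy, kms_action, key_arn, role_arn)]
    return all(c == "Allow" for c in checks)


# Account B: the role's identity policy (S3 on the bucket plus KMS on Account A's CMK)
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": KEY_ARN}]}

# Account A: bucket policy naming the Account B role, shaped like the one in the question
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": "s3:*",
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}

# Account A: customer-managed CMK key policy that explicitly grants the Account B role
CMK_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}]}

# Assumed stand-in for the AWS managed aws/s3 key: its policy is set by AWS and cannot be
# edited to name another account, modelled here as a grant to Account A only
AWS_MANAGED_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
     "Action": "kms:*", "Resource": "*"}]}


def scenarios():
    obj = BUCKET_ARN + "/data/part-0000.csv"   # constructed object key
    return {
        "sse_s3": cross_account_allowed(IDENTITY_POLICY, BUCKET_POLICY, "s3:GetObject", obj),
        "sse_kms_cmk": cross_account_allowed(IDENTITY_POLICY, BUCKET_POLICY, "s3:GetObject", obj,
                                             key_policy=CMK_KEY_POLICY),
        "sse_kms_aws_managed": cross_account_allowed(IDENTITY_POLICY, BUCKET_POLICY, "s3:GetObject", obj,
                                                     key_policy=AWS_MANAGED_KEY_POLICY),
        "list_bucket": cross_account_allowed(IDENTITY_POLICY, BUCKET_POLICY, "s3:ListBucket", BUCKET_ARN),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:>20}: {'allowed' if ok else 'denied'}")
```

Running it shows the SSE-S3 and CMK cases allowed and the aws/s3 case denied, which is the answer's point 1 in executable form. Against real accounts, `aws s3api get-bucket-encryption --bucket <name>` (run in Account A) tells you which of the three encryption modes the bucket actually uses, and assuming the role and listing the bucket from Account B exercises the same identity-plus-resource-policy combination the crawler relies on.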


Thanks @secondabhi_aws for your reply. As of now, my bucket in Account A is set to "Server-side encryption with Amazon S3 managed keys (SSE-S3)" with Bucket Key enabled. Please find the attached screenshot for your reference.

[Screenshot: bucket default encryption settings]

Do I need to make any changes here?

answered 8 months ago
  • Just commented above in case you want to keep SSE-S3 encryption for the bucket.
