We have a primary AWS account and a subsidiary account for a different application named 'prod'. To grant IAM users complete access to all S3 buckets in both accounts, I've established a role in the 'prod' account with these policies:
- AmazonS3FullAccess (AWS Managed Policy)
- An inline policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "*"
      }
    ]
  }
Additionally, I configured the trust relationship for this role to allow users from the primary account to access the buckets in the 'prod' account:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::<root_account_id>:root"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
          "Bool": {
            "aws:MultiFactorAuthPresent": "true"
          }
        }
      }
    ]
  }
In the primary account, I attached the following policy to the users via a Group:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "sts:AssumeRole"
        ],
        "Resource": [
          "arn:aws:iam::<prod_account_id>:role/ProdS3FullAccessRole"
        ]
      }
    ]
  }
This group also includes policies for MFA and IAM password changes.
Despite these settings, when users try to download files from a bucket in the primary account using their Access Key and Secret Access Key, they receive an "Access Denied" error. I have verified that there are no 'Deny' statements or bucket-level policies obstructing access. I'm struggling to pinpoint the error in the setup.
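The three policies from the question, walked through a small IAM policy evaluator. This is an added example and not code from the question or from AWS: the account IDs, the user name `alice` and the bucket/object ARN are placeholders, and the evaluator models only the part of IAM evaluation these policies exercise (implicit deny by default, an explicit Deny wins, `*`/`?` wildcards in Action and Resource, the account `:root` principal form in a trust policy, and the `Bool` condition operator). Resource-based policies such as bucket policies, SCPs, permission boundaries, NotAction/NotResource and other condition operators are deliberately not modelled.

```python
"""Toy IAM policy evaluator (added example; not AWS's own evaluation engine).

Covers just enough IAM logic to reason about the setup in the question:
denied unless a statement allows, explicit Deny wins, '*'/'?' wildcards,
the account ":root" principal form in trust policies, and the Bool operator.
Bucket policies, SCPs, permission boundaries, NotAction/NotResource and
other condition operators are out of scope.
"""
import fnmatch

# Placeholder account IDs and names, made up for this example.
PRIMARY_ACCOUNT = "111111111111"
PROD_ACCOUNT = "222222222222"
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/ProdS3FullAccessRole"
USER_ARN = f"arn:aws:iam::{PRIMARY_ACCOUNT}:user/alice"

# Policy attached (via the group) to the users in the primary account.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [ROLE_ARN]}],
}

# Trust policy on ProdS3FullAccessRole in the 'prod' account.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PRIMARY_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Inline permissions policy on the role (AmazonS3FullAccess grants the same here).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs are compared case-sensitively.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _principal_matches(principal, caller_arn):
    # "arn:aws:iam::<acct>:root" trusts every IAM principal in that account
    # whose own identity policy also allows sts:AssumeRole on the role.
    for trusted in _as_list(principal.get("AWS", [])):
        if trusted == caller_arn:
            return True
        if trusted.endswith(":root") and trusted.split(":")[4] == caller_arn.split(":")[4]:
            return True
    return False


def _condition_ok(condition, context):
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            # A Bool condition on a key absent from the request context is false.
            if key not in context or str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, caller_arn=None, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one policy."""
    context = context or {}
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if "Action" not in st or not _action_matches(st["Action"], action):
            continue
        if "Resource" in st and not _resource_matches(st["Resource"], resource):
            continue
        if "Principal" in st and not _principal_matches(st["Principal"], caller_arn):
            continue
        if not _condition_ok(st.get("Condition"), context):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def with_long_term_keys(object_arn):
    """A request signed with the user's own access key: only the group policy
    applies, and aws:MultiFactorAuthPresent is absent from the request context."""
    return evaluate(GROUP_POLICY, "s3:GetObject", object_arn, USER_ARN, context={})


def assume_role(mfa_present):
    """Cross-account AssumeRole must be allowed by both the caller's identity
    policy and the role's trust policy."""
    context = {"aws:MultiFactorAuthPresent": "true"} if mfa_present else {}
    caller = evaluate(GROUP_POLICY, "sts:AssumeRole", ROLE_ARN, USER_ARN, context)
    trust = evaluate(TRUST_POLICY, "sts:AssumeRole", ROLE_ARN, USER_ARN, context)
    return "Allow" if caller == trust == "Allow" else f"caller={caller}, trust={trust}"


def as_assumed_role(object_arn):
    """What the role session's own identity policy grants. A bucket owned by a
    different account than the role also needs that bucket's policy to allow
    the role, which this evaluator does not model."""
    return evaluate(ROLE_POLICY, "s3:GetObject", object_arn, ROLE_ARN)


if __name__ == "__main__":
    obj = "arn:aws:s3:::primary-app-bucket/report.csv"  # constructed object ARN
    print("long-term keys  :", with_long_term_keys(obj))
    print("assume, no MFA  :", assume_role(False))
    print("assume, with MFA:", assume_role(True))
    print("assumed role    :", as_assumed_role(obj))
```

Running it separates the three credential contexts the question mixes: a request signed with a long-term access key is evaluated against the group policy alone, which names only `sts:AssumeRole`, so any `s3:*` call under those keys is an implicit deny; the trust policy's `Bool` condition passes only when `aws:MultiFactorAuthPresent` is in the request context, which is never the case for long-term credentials; and the role session is what carries the `s3:*` grant, subject to the bucket owner's policy for any bucket outside the role's account.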