You can use the request context condition key aws:PrincipalOrgID to identify all principals (IAM users, IAM roles, and root users) in all the AWS accounts in your entire AWS Organizations organisation. In the example below, you'll need to replace o-xxxxxxxxxxx with the ID of your org, which you can find in the AWS Organizations console in any member account, and MY-BUCKET-NAME with the name of your S3 bucket.

There is no way to make the bucket visible in the bucket list in the S3 console in any AWS account other than the one that owns the bucket. The ListBuckets API call (https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html) is hardwired to recognise only buckets in the caller's local AWS account. The users can still browse the bucket's contents in the console, if you provide them with a URL pointing them to the root of the bucket or another location inside the bucket.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowBucketReads",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
      "Resource": "arn:aws:s3:::MY-BUCKET-NAME",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-xxxxxxxxxxx"
        }
      }
    },
    {
      "Sid": "AllowObjectReads",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::MY-BUCKET-NAME/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-xxxxxxxxxxx"
        }
      }
    }
  ]
}
Hi,

You can add a condition on the organization ID in the bucket policy.

If you want finer-grained access, you can also use tags on both roles and resources, then compare them in conditions with aws:PrincipalTag/tag-key.
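The following is an added example, not code from either answer above. It generates the org-scoped bucket policy from the first answer (with the optional aws:PrincipalTag conditions the second answer mentions) and then runs the check a practitioner should apply before attaching any policy that uses Principal "*": every Allow statement with a wildcard principal must carry a condition that ties the caller to an org, account, principal or principal tag, and that condition must not use an "...IfExists" or negated operator, because an anonymous caller carries no aws:Principal* keys and would otherwise slip through. Function names, the bucket name MY-BUCKET-NAME and the org ID o-abcdefghij are placeholders chosen for this example.

```python
import json
import re

# Format of an AWS Organizations ID: "o-" followed by 10 to 32 lowercase letters or digits.
ORG_ID_RE = re.compile(r"^o-[a-z0-9]{10,32}$")

# Condition keys that bind a wildcard Principal to a specific authenticated caller.
# Anonymous requests carry none of them, so a statement gated on one of these
# (with a positive, non-IfExists operator) cannot be satisfied unauthenticated.
SCOPING_KEYS = (
    "aws:principalorgid",
    "aws:principalorgpaths",
    "aws:principalaccount",
    "aws:principalarn",
    "aws:principaltag/",   # prefix: aws:PrincipalTag/<tag-key>
)


def build_org_bucket_policy(bucket, org_id, principal_tags=None):
    """Return the read-only, org-scoped bucket policy as a dict.

    principal_tags (optional, e.g. {"team": "data"}) adds aws:PrincipalTag/<key>
    conditions so only roles carrying those tags are allowed.
    """
    if not ORG_ID_RE.match(org_id):
        raise ValueError(f"not a valid Organizations ID: {org_id!r}")

    def condition():
        equals = {"aws:PrincipalOrgID": org_id}
        for key, value in (principal_tags or {}).items():
            equals[f"aws:PrincipalTag/{key}"] = value
        return {"StringEquals": equals}   # fresh dict per statement

    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowBucketReads",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": condition(),
            },
            {
                "Sid": "AllowObjectReads",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": condition(),
            },
        ],
    }


def _is_wildcard_principal(principal):
    """True for Principal "*" and for {"AWS": "*"} (or "*" inside an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _has_scoping_condition(condition):
    """True if some positive, non-IfExists operator references a scoping key."""
    for operator, keys in (condition or {}).items():
        op = operator.lower()
        # "...IfExists" passes when the key is absent and "...Not..." excludes
        # rather than includes, so neither restricts an anonymous caller.
        if op.endswith("ifexists") or "not" in op:
            continue
        for key in keys:
            k = key.lower()
            if any(k == s or (s.endswith("/") and k.startswith(s)) for s in SCOPING_KEYS):
                return True
    return False


def unscoped_wildcard_statements(policy):
    """Return Sids (or statement[i]) of Allow statements open to any principal."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement need not be a list
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and _is_wildcard_principal(stmt.get("Principal")):
            if not _has_scoping_condition(stmt.get("Condition")):
                findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


if __name__ == "__main__":
    policy = build_org_bucket_policy("MY-BUCKET-NAME", "o-abcdefghij")
    assert unscoped_wildcard_statements(policy) == []
    # Write this to policy.json and attach it with:
    #   aws s3api put-bucket-policy --bucket MY-BUCKET-NAME --policy file://policy.json
    print(json.dumps(policy, indent=2))
```

Run the check against any bucket policy you already have: an empty result means every wildcard-principal grant is gated on the caller's org, account, ARN or tags; a non-empty result names the statements that would also match unauthenticated requests.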