cross account s3 access

Question

How to provide access to S3 buckets in a different AWS account

Riku_Kobayashi · Answer

Hello.

There are several ways to allow cross-account access to S3, but I think the easiest is to use a bucket policy to allow IAM roles from other accounts.  
The following documentation provides example configurations.  
https://repost.aws/knowledge-center/cross-account-access-s3

Kyuseong_H · Answer

### Bucket Policy Example
Add the following bucket policy in Account A to allow access from Account B.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-B-ID:root"
      },
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```

### IAM Policy Example
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```

### IAM Role (AssumeRole) Example
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-B-ID:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

```

### Important note on access evaluation:

Same account: Either an IAM policy or a bucket policy alone is sufficient.
    Cross-account: Both the requester's IAM policy and the bucket policy must explicitly allow the action.

For more details, please refer to: https://repost.aws/knowledge-center/cross-account-access-s3

cross account s3 access

Bucket Policy Example

IAM Policy Example

IAM Role (AssumeRole) Example

Important note on access evaluation:

添加回答

相关内容