How do I provide cross-account access to objects that are in Amazon S3 buckets?

9 minute read
0

I want to grant another AWS account access to an object that's in an Amazon Simple Storage Service (Amazon S3) bucket.

Short description

In Amazon S3, you can grant users in another AWS account granular cross-account access to objects that you own in your account.

Based on the type of access that you want to provide, use one of the following solutions to grant cross-account access to objects:

  • AWS Identity and Access Management (IAM) policies and resource-based bucket policies for programmatic-only access to S3 bucket objects
  • IAM policies and resource-based access control lists (ACLs) for programmatic-only access to S3 bucket objects
    Note: When the Bucket owner enforced setting is turned on, all bucket and object ACLs are deactivated. Therefore, you can't use ACLs to grant cross-account access. By default, all newly created buckets have the Bucket owner enforced setting turned on. To manage cross-account access, it's also a best practice to use IAM policies and bucket policies instead of ACLs. For more information, see Controlling ownership of objects and deactivating ACLs for your bucket.
  • Cross-account IAM roles for programmatic and console access to S3 bucket objects

If the requester is an IAM principal, then the account that owns the principal must grant the S3 permissions through an IAM policy. Based on your use case, the bucket owner must also grant permissions through a bucket policy or ACL. After access is granted, programmatic access of cross-account buckets is the same as access to the account buckets.

For cross-account access with Amazon S3 Access Points or AWS Key Management Service (AWS KMS), see Why are cross-account users getting Access Denied errors when they try to access S3 objects encrypted by a custom AWS KMS key?

For large data sets that you must access as cross-account objects, it's a best practice to use S3 Access Points. For more information, see Simplify and scale access management to shared datasets with cross-account Amazon S3 Access Points.

Resolution

IAM policies and resource-based bucket policies

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

To manage cross-account access control and audit the S3 object's permissions, use resource-based bucket policies. Apply a bucket policy at the bucket level to define the following values:

  • Principal element: Who can access the objects inside the bucket
  • Resource element: The objects that they can access
  • Action element: How they can access the objects inside the bucket

When you apply a bucket policy at the bucket level, you can define granular access to different objects inside the bucket. You can also review the bucket policy to see who can access objects in an S3 bucket.

To use bucket policies to manage S3 bucket access, complete the following steps:
Note: In the following steps, Account A is your account, and Account B is the account that you want to grant object access to. 

  1. Create an S3 bucket in Account A.

  2. Create an IAM role or user in Account B.

  3. Give the IAM role in Account B permission to download (GetObject) and upload (PutObject) objects to and from a specific bucket. Use the IAM policy to also grant the IAM role in Account B permissions to call PutObjectAcl that grants object permissions to the bucket owner:

    {    "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:PutObjectAcl"
                ],
                "Resource": "arn:aws:s3:::AccountABucketName/*"
    
            }
        ]
    }

    Note: Update the policy to include your user variables. You can also limit access to a specific bucket folder that's in Account A. To limit access to a specific bucket folder, define the folder name in the Resource element, such as "arn:aws:s3:::AccountABucketName/FolderName/*". For more information, see How can I grant a user access to a specific folder in my Amazon S3 bucket? You can also create an IAM identity-based policy with the AWS CLI command create-policy.

  4. Configure the bucket policy for Account A to grant permissions to the IAM role or user that you created in Account B. Use this bucket policy to grant a user the permissions to GetObject and PutObject for objects in a bucket that's owned by Account A:

    {    "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::AccountB:user/AccountBUserName"
                },
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:PutObjectAcl"
                ],
                "Resource": [
                    "arn:aws:s3:::AccountABucketName/*"
                ]
            }
        ]
    }

    You can also create an Amazon S3 bucket policy with the AWS CLI command put-bucket-policy.

Note: To limit access to a specific bucket folder, define the folder name in the Resource element, such as "arn:aws:s3:::AccountABucketName/FolderName/*". When you use the s3:PutObject permission with a condition, the bucket owner has full control over the objects that other accounts upload. The PutObject API call enforces the ACL with specific headers. 

IAM policies and resource-based ACLs

You can also use object ACLs to manage permissions for specific scenarios. For more information, see When to use an ACL-based access policy (bucket and object ACLs).

Amazon S3 ACLs allow users to define only READ, WRITE, READ_ACP, WRITE_ACP, and FULL_CONTROL permissions sets. You can use only an account or one of the predefined Amazon S3 groups as a grantee for the Amazon S3 ACL. When you specify an email address or canonical user ID for an account, the ACL applies to all identities in the grantee account. For example, you can't use an ACL to restrict access to individual IAM users or roles. You also can't apply ACLs to different objects that share the same prefixes.

Note: The bucket owner might not have full control over the objects that the ACL grantee uploaded. This is because the ACL doesn't support the condition for the S3 operation that the ACL authorizes.

To use bucket and object ACLs to manage S3 bucket access, complete the following steps:

  1. Create an IAM role or user in Account B.
  2. Grant the role or user permissions to perform the required Amazon S3 operations. Users who call PutObject and GetObject must have the permissions that are listed in the Resource-based policies and IAM policies section.
  3. Configure the bucket ACL to include at least WRITE permission for Account B. This makes sure that Account B IAM roles or users can upload objects to a bucket that Account A owns:
    ...<AccessControlPolicy>
      <Owner>
        <ID> AccountACanonicalUserID </ID>
        <DisplayName> AccountADisplayName </DisplayName>
      </Owner>
      <AccessControlList>
    ...
        <Grant>
          <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
            <ID> AccountBCanonicalUserID </ID>
            <DisplayName> AccountBDisplayName </DisplayName>
          </Grantee>
          <Permission> WRITE </Permission>
        </Grant>
        ...
      </AccessControlList>
    </AccessControlPolicy>
    Note: To find your CanonicalUserID, see Finding an AWS account canonical user ID.
  4. Configure object ACLs to include at least READ permission for Account B. This allows IAM roles or users in Account B to download objects from a bucket that Account A owns:
    ...<AccessControlPolicy>
      <Owner>
        <ID> AccountACanonicalUserID </ID>
        <DisplayName> AccountADisplayName </DisplayName>
      </Owner>
      <AccessControlList>
    ...
        <Grant>
          <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
            <ID> AccountBCanonicalUserID </ID>
            <DisplayName> AccountBDisplayName </DisplayName>
          </Grantee>
          <Permission> READ </Permission>
        </Grant>
        ...
      </AccessControlList>
    </AccessControlPolicy>
    ACL permissions vary based on the S3 resource, bucket, or object that an ACL is applied to. For more information, see Access control list (ACL) overview. When you create your bucket or upload an object to an existing bucket, configure bucket and object ACLs. For more information, see Configuring ACLs.

Cross-account IAM roles

Not all AWS services support resource-based policies. Use cross-account IAM roles to centralize permission management when you provide cross-account access to multiple services. This method allows cross-account access to objects that another account or AWS service owns or uploaded. If you don't use cross-account IAM roles, then you must modify the object ACL. For more information, see How Amazon S3 authorizes a request for an object operation.

To use cross-account IAM roles to manage S3 bucket access, complete the following steps:

  1. Create an IAM role in Account A.
  2. Grant the role permissions to perform the required S3 operations. In the role's trust policy, grant a role or user from Account B permissions to assume the role in Account A:
    {  "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::AccountB:user/AccountBUserName"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    Note: IAM roles must have a trust policy that defines the principals who can assume the role and when the roles can assume them. IAM roles can have multiple permissions policies that define the permissions that a principal who assumes the role can perform and the resources they use. 
    You can also run the create-role AWS CLI command to create a role with the trust policy.
    The following access policy allows a user who assumed this role to programmatically download and upload objects through the Amazon S3 console. For more information, see How can I grant a user access to a specific folder in my Amazon S3 bucket?
    Note: If only programmatic access is required, then you can remove the first two statements in the policy:
    {    "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:ListAllMyBuckets"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::*"
                ]
            },
            {
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::AccountABucketName"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                "Resource": "arn:aws:s3:::AccountABucketName/*"
            }
        ]
    }
    Or, run create-policy AWS CLI command to create an IAM identity-based policy.
  3. Grant an IAM role or user in Account B permissions to assume the IAM role that you created in Account A. You must add the following example policy as a permissions policy of the IAM user or role:
    {  "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::AccountA:role/AccountARole"
      }
    }
    Or, run the create-policy AWS CLI command to create an IAM identity-based policy.
  4. From a role in Account B, assume the role in Account A so that IAM identities in Account B can perform the required S3 operations. For more information, see Switching to a role (Console).
    Note: When you assume an IAM role in Account A, Amazon S3 determines the operation based on the access policy. The IAM role works as an API call that a local IAM identity in Account A invoked. A bucket policy or an ACL for cross-account access isn't required. For more information, see Amazon S3 actions.

Related information

Actions, resources, and condition keys for Amazon S3

Bucket policy examples

Access policy guidelines

Setting up for cross-account native backup and restore in Amazon RDS for Microsoft SQL Server

User and role policy examples

AWS OFFICIAL
AWS OFFICIALUpdated 4 months ago