Objective:
This post explains the ways of giving an identity in one AWS account access to an S3 bucket owned by another account.
There are basically two ways to achieve cross-account access to an S3 bucket:
- Use a combination of an identity-based policy and a resource-based policy, i.e. grant access via a bucket policy
- Assume an IAM role
1st Way:
Use an identity-based policy together with a resource-based policy.
Bucket Name: my-s3-bucket
User Alice IAM policy:
S3 Bucket Policy:
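The two policy documents this method needs, written out as an added example (this is not the original post's own policy text). Account IDs 111111111111 (account A, where user Alice lives) and 222222222222 (account B, which owns my-s3-bucket) are constructed placeholders, as is the hypothetical user name Alice's ARN. The evaluator at the end is a deliberately minimal model of one rule that matters for cross-account access: an explicit Deny on either side wins, and both the caller's identity policy and the bucket policy must Allow the request.

```python
"""Added example (not from the original post): the identity policy for Alice in
account A, the bucket policy in account B, and a minimal evaluator of the
cross-account 'both sides must allow' rule. All account IDs are constructed."""
import fnmatch
import json

ACCOUNT_A = "111111111111"  # constructed: Alice's account
ACCOUNT_B = "222222222222"  # constructed: bucket owner
BUCKET = "my-s3-bucket"
ALICE_ARN = f"arn:aws:iam::{ACCOUNT_A}:user/Alice"  # constructed

# Identity-based policy attached to the IAM user Alice in account A.
alice_identity_policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Resource-based (bucket) policy in account B that names Alice as the principal.
bucket_policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAliceFromAccountA",
        "Effect": "Allow",
        "Principal": {"AWS": ALICE_ARN},
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_matches(stmt, principal_arn):
    p = stmt.get("Principal")
    if p is None:      # identity-based policies carry no Principal element
        return True
    if p == "*":
        return True
    return principal_arn in _as_list(p.get("AWS", []))


def _statement_effect(stmt, principal_arn, action, resource):
    """Return 'Allow' or 'Deny' if the statement covers this request, else None."""
    if not _principal_matches(stmt, principal_arn):
        return None
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return None
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return None
    return stmt["Effect"]


def _policy_decision(policy, principal_arn, action, resource):
    effects = {_statement_effect(s, principal_arn, action, resource)
               for s in policy["Statement"]}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"


def cross_account_allowed(identity_policy, resource_policy, principal_arn, action, resource):
    """Cross-account rule: explicit Deny anywhere wins; otherwise BOTH the
    caller's identity policy and the bucket policy must Allow the request."""
    a = _policy_decision(identity_policy, principal_arn, action, resource)
    b = _policy_decision(resource_policy, principal_arn, action, resource)
    if "Deny" in (a, b):
        return False
    return a == "Allow" and b == "Allow"


def render(policy):
    """The JSON you would paste into the IAM or S3 console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render(bucket_policy))
    print(cross_account_allowed(alice_identity_policy, bucket_policy, ALICE_ARN,
                                "s3:GetObject", f"arn:aws:s3:::{BUCKET}/report.csv"))
```

The evaluator ignores conditions, NotAction, NotResource and S3 ACLs, so treat it as a teaching model of the two-policy rule rather than a substitute for the IAM policy simulator. The useful check it does make visible: a bucket policy on its own grants a foreign user nothing until that user's own account also allows the action, and a Deny in the bucket policy overrides any Allow Alice's account hands her.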
2nd Way:
- Assume an IAM role from account A: create an IAM role in account B that has access to the S3 bucket my-s3-bucket
- Account B's IAM role must also trust account A, i.e. add account A's account ID to the role's trust policy.
- Obviously, account A's user must have permission to make the AssumeRole API call.
Account B's IAM role policy:
Account B's IAM role Trust relationship policy:
Account A's user Alice IAM policy:
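The three policy documents this method needs, written out as an added example (not the original post's own policy text), together with a small function that mimics what AssumeRole checks and what the caller ends up with. Account IDs 111111111111 (account A) and 222222222222 (account B), the role name S3AccessRole and the extra bucket in account A are constructed placeholders. The point the code makes concrete is the one that distinguishes this method from a bucket policy: after assuming the role, Alice acts with the role's permissions only, not with her own account's.

```python
"""Added example (not from the original post): the role permissions policy and
trust policy in account B, Alice's identity policy in account A, and a model of
the AssumeRole handshake. All account IDs and the role name are constructed."""
import fnmatch
import json

ACCOUNT_A = "111111111111"  # constructed: where user Alice lives
ACCOUNT_B = "222222222222"  # constructed: owns my-s3-bucket and the role
BUCKET = "my-s3-bucket"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/S3AccessRole"  # constructed role name
ALICE_ARN = f"arn:aws:iam::{ACCOUNT_A}:user/Alice"         # constructed

# Account B: permissions policy attached to the role.
role_policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Account B: trust relationship policy on the role. Trusting the account root
# means any principal in A that is itself allowed sts:AssumeRole may assume it.
role_trust_policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Account A: Alice's identity policy. She needs sts:AssumeRole on the role; the
# second statement is her own-account S3 access, which does NOT travel with her.
alice_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": f"arn:aws:s3:::{ACCOUNT_A}-own-bucket/*"},  # constructed bucket
    ],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _allows(policy, action, resource=None):
    """True if some Allow statement covers the action (and resource, if given)."""
    for s in policy["Statement"]:
        if s["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(s["Action"])):
            continue
        if resource is not None and not any(
                fnmatch.fnmatchcase(resource, r) for r in _as_list(s.get("Resource", "*"))):
            continue
        return True
    return False


def _trusted_by(trust_policy, caller_arn):
    """True if the trust policy names the caller or the caller's account root."""
    caller_account = caller_arn.split(":")[4]
    for s in trust_policy["Statement"]:
        if s["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(s["Action"]):
            continue
        for p in _as_list(s["Principal"].get("AWS", [])):
            if p == caller_arn or p == f"arn:aws:iam::{caller_account}:root":
                return True
    return False


def assume_role(caller_arn, caller_policy, role_arn, trust_policy, role_permissions):
    """Both sides must agree: the caller's policy allows sts:AssumeRole on the
    role AND the role's trust policy trusts the caller. The returned session
    carries only the role's permissions."""
    if not _allows(caller_policy, "sts:AssumeRole", role_arn):
        raise PermissionError("caller is not allowed to call sts:AssumeRole on this role")
    if not _trusted_by(trust_policy, caller_arn):
        raise PermissionError("the role's trust policy does not trust the caller")
    return {"assumed_role_arn": role_arn, "effective_policy": role_permissions}


def session_allows(session, action, resource):
    return _allows(session["effective_policy"], action, resource)


if __name__ == "__main__":
    print(json.dumps(role_trust_policy, indent=2))
    session = assume_role(ALICE_ARN, alice_policy, ROLE_ARN, role_trust_policy, role_policy)
    print(session_allows(session, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/report.csv"))
```

Against real AWS the handshake is `aws sts assume-role --role-arn <role ARN> --role-session-name <name>`, and the temporary credentials it returns are what the application then uses for S3 calls. Two hardening choices worth making in the trust policy that this model only hints at: name the specific user or role ARN from account A instead of the account root, so that not every AssumeRole-capable principal in A qualifies, and add a Condition (for example on sts:ExternalId) when the trusting party is a third party.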
When to Use Which Method?
Bucket Policy: Use this when you want to grant direct, persistent access to the S3 bucket for specific AWS accounts or IAM entities.
Cross-Account IAM Assume Role: Use this when you need temporary access (mostly when you want to access the bucket programmatically), want to enforce stricter security, or need to delegate access to multiple services beyond just S3.
Both methods are valid, and the choice depends on your specific use case and security requirements.
A few points to note here:
- When you assume a role (as a user, application or service), you give up your original permissions and take on the permissions assigned to the role
- When using a resource-based policy, the principal does not have to give up its permissions
Access the S3 bucket from a member account with a resource-based policy:
Thanks for reading!!