Scenario
Need to access S3 in a different AWS account from EC2 in your account.
Steps
- For the EC2 role in the first AWS account, add the following inline policy. (For the KMS key, make sure it is the key that encrypts the target S3 bucket.)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:List*",
        "s3:Put*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": [
        "arn:aws:kms:ap-southeast-1:123456789:key/123ddwq-123d-123fd34-553f"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant",
        "kms:RetireGrant",
        "kms:ListRetirableGrants"
      ],
      "Resource": [
        "arn:aws:kms:ap-southeast-1:987654321:key/3136e26c-3144-12fd-432r4-34rf4244f"
      ],
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      },
      "Effect": "Allow"
    }
  ]
}
- In the second AWS account, go to IAM → Encryption Keys → Customer managed key and add the EC2 account as an external account allowed to use the key, so that account can read and write the encrypted objects in S3.
- Update the S3 bucket policy. Example below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1357935647218",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1234556789:root"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Sid": "Stmt1357935648634",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:root"
      },
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}
- Test and verify the access!
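Before testing from the instance, it is worth checking offline that the two policy documents agree with each other: the role needs S3 permissions on both the bucket and its objects, plus kms:Decrypt (reads) and kms:GenerateDataKey (writes) on a key owned by the bucket account, and the bucket policy must name the EC2 account as a principal. The script below is an added example, not code from the post; the account IDs, bucket name and key ID are constructed placeholders, and the two policy documents mirror the shape of the ones shown above. It checks only the IAM inline policy and the bucket policy; the key policy from step 2 lives on the key itself and is not modelled here.

```python
"""Offline consistency check for a cross-account S3 + SSE-KMS setup (added example)."""
import fnmatch

EC2_ACCOUNT = "111111111111"     # constructed: account that owns the EC2 role
BUCKET_ACCOUNT = "222222222222"  # constructed: account that owns the bucket and its key
BUCKET = "bucket-name"
KEY_ARN = (f"arn:aws:kms:ap-southeast-1:{BUCKET_ACCOUNT}"
           ":key/00000000-0000-0000-0000-000000000000")  # constructed key id

# Constructed sample of the inline policy on the EC2 role (first account).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:List*", "s3:Put*", "s3:Get*"],
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
        {"Effect": "Allow",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": [KEY_ARN]},
    ],
}

# Constructed sample of the bucket policy in the second account, as a full document.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{EC2_ACCOUNT}:root"},
         "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{EC2_ACCOUNT}:root"},
         "Action": ["s3:Get*", "s3:List*"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Principal fields."""
    return value if isinstance(value, list) else [value]


def _arn_account(arn):
    """The account id is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def statement_allows(stmt, action, resource):
    """True if an Allow statement matches the action and resource (IAM '*' wildcards)."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def principal_accounts(stmt):
    """Account ids named in a statement's AWS principal ('*' if the statement is public)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    return {_arn_account(p) if p.startswith("arn:") else p
            for p in _as_list(principal.get("AWS", []))}


def check_cross_account(role_policy, bucket_policy):
    """Return a list of findings; an empty list means the two sides line up."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{BUCKET}"
    object_arn = f"arn:aws:s3:::{BUCKET}/*"
    role_stmts = role_policy["Statement"]

    # The role must hold the S3 permissions on the bucket (list) and its objects (get/put).
    for action, res in (("s3:ListBucket", bucket_arn), ("s3:GetObject", object_arn),
                        ("s3:PutObject", object_arn)):
        if not any(statement_allows(s, action, res) for s in role_stmts):
            findings.append(f"role policy does not allow {action} on {res}")

    # SSE-KMS reads need kms:Decrypt and writes need kms:GenerateDataKey, and the key
    # must be the bucket owner's key, not a key in the caller's own account.
    for action in ("kms:Decrypt", "kms:GenerateDataKey"):
        ok = any(statement_allows(s, action, r)
                 for s in role_stmts for r in _as_list(s.get("Resource", []))
                 if r.startswith("arn:aws:kms:") and _arn_account(r) == BUCKET_ACCOUNT)
        if not ok:
            findings.append(f"role policy does not allow {action} on a KMS key "
                            f"in account {BUCKET_ACCOUNT}")

    # The bucket policy must name the EC2 account as a principal for list and get.
    for action, res in (("s3:ListBucket", bucket_arn), ("s3:GetObject", object_arn)):
        if not any(statement_allows(s, action, res) and EC2_ACCOUNT in principal_accounts(s)
                   for s in bucket_policy["Statement"]):
            findings.append(f"bucket policy does not grant {action} on {res} "
                            f"to account {EC2_ACCOUNT}")
    return findings


if __name__ == "__main__":
    for line in check_cross_account(ROLE_POLICY, BUCKET_POLICY) or ["OK: policies are consistent"]:
        print(line)
```

Swap in your real policy documents (for example loaded with `json.load`) and the constants at the top; the most common failure this catches is a KMS statement that points at a key in the EC2 account rather than the bucket owner's account, which leaves reads failing with AccessDenied even though every S3 action is allowed.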