DEV Community

loading...
AWS Community Builders

Cross account role access to S3 in another AWS account

Arun Kumar
AWS Community Builder
・1 min read

Scenario

Need to access S3 in a different AWS account from EC2 in your account.

Steps

  • For the EC2 role on the first AWS account, add the following in-line policy. (For the KMS key, make sure it is the one created for the same one as the target s3 bucket)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:List*",
                "s3:Put*",
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": [
                "arn:aws:kms:ap-southeast-1:123456789:key/123ddwq-123d-123fd34-553f"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant",
                "kms:RetireGrant",
                "kms:ListRetirableGrants"
            ],
            "Resource": [
                "arn:aws:kms:ap-southeast-1:987654321:key/3136e26c-3144-12fd-432r4-34rf4244f"
            ],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            },
            "Effect": "Allow"
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode
  • On the Second AWS Account, IAM → Encryption Keys → Customer managed key, add the EC2 Account to allow access to S3.

  • Update the S3 bucket policy. Example below.

{
            "Sid": "Stmt1357935647218",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1234556789:root"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket-name"
},
{
            "Sid": "Stmt1357935648634",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:root"
            },
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "arn:aws:s3:::bucket-name/*"
}
Enter fullscreen mode Exit fullscreen mode
  • Test and verify the access !

Discussion (0)