GargeeBhatnagar for AWS Community Builders

Explore! Cross-Account Access with IAM Roles from EC2 to S3 with a Customer Managed Key

“I have checked the AWS documents to resolve the issue of accessing an encrypted S3 bucket from an EC2 server across accounts. So I checked various solutions and found out that it is possible using IAM roles and policies, and also by adding the S3 bucket access role in KMS. Pricing of Amazon EC2 depends on instance usage, S3 bucket pricing on storage size, and a KMS custom key costs $1 per key.”

AWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions for your workforce and systems so that they hold least-privilege permissions. IAM is an AWS service offered at no additional charge. To learn more, read the IAM documentation.

In this post, you will learn how an EC2 server in one account reads from an S3 bucket in another account when the bucket is encrypted with a KMS customer managed key. The setup uses an EC2 server, an S3 bucket and a customer managed key; the cross-account S3 access role is added as a key user on that key, so the role can decrypt the objects it fetches for the EC2 server in the other account.

Prerequisites

You’ll need an Amazon EC2 server for this post. Getting started with Amazon EC2 provides instructions on how to launch an EC2 server.

You’ll need an Amazon S3 bucket for this post. Getting started with Amazon Simple Storage Service provides instructions on how to create a bucket.

You’ll need an AWS KMS customer managed key for this post. Getting started with AWS KMS provides instructions on how to create one. For this blog, I assume that I have an EC2 server, an S3 bucket and a customer managed key already created.

Architecture Overview

The architecture diagram shows the overall deployment with its data flow: Amazon EC2 in one account, Amazon S3 and AWS KMS in the other, and the IAM roles that connect them.

Solution overview

The blog post consists of the following phases:

  1. Create an IAM Policy and Role for S3 Bucket Access from the Other Account
  2. Create an IAM Role for the EC2 Service in the Other Account
  3. Create a Profile with the Role ARN and Test Fetching Data from the S3 Bucket on the EC2 Server

I have a customer managed key, an EC2 server and an S3 bucket already created, as shown in the screenshots.

Phase 1: Create an IAM Policy and Role for S3 Bucket Access from the Other Account

  1. Open the IAM console in the account that owns the bucket and the key (Account A). Create an IAM role whose trusted entity is the other AWS account (Account B). Create a policy that grants access to the S3 bucket and attach it to the role. Then open the customer managed key in AWS KMS and add this role as a key user, so that the role can decrypt objects encrypted with the key.

Phase 2: Create an IAM Role for the EC2 Service in the Other Account

  1. Open the IAM console in the account that owns the EC2 server (Account B) and create an IAM role for the EC2 service. Add an inline policy that allows sts:AssumeRole on the role ARN created in Account A in Phase 1. Then attach the role to the EC2 server as its instance profile.
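The four policy documents behind Phases 1 and 2, as an added example (this is not code from the original post): the trust policy and the S3 permission policy of the Account A role, the key policy statement that makes that role a key user, and the inline policy on the Account B EC2 role. Account IDs, role names and the bucket name are placeholders, and the `lint` function is my own pre-apply check, not an AWS feature.

```python
"""Policy documents for cross-account S3 access through a KMS customer managed key.

Added example, not the post's own code. Account IDs, role names and the bucket
name are placeholders; replace them with your own values.
"""
import json

ACCOUNT_A = "111111111111"  # owns the bucket and the KMS key (placeholder)
ACCOUNT_B = "222222222222"  # owns the EC2 instance (placeholder)
BUCKET = "my-encrypted-bucket"  # placeholder bucket name
S3_ACCESS_ROLE = f"arn:aws:iam::{ACCOUNT_A}:role/s3-cross-account-access"  # Phase 1 role
EC2_ROLE = f"arn:aws:iam::{ACCOUNT_B}:role/ec2-cross-account-reader"  # Phase 2 role


def trust_policy(trusted_principal: str) -> dict:
    """Phase 1: trust policy of the Account A role. Naming the EC2 role ARN
    rather than the Account B root keeps every other principal in Account B out."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": trusted_principal}, "Action": "sts:AssumeRole"}]}


def s3_access_policy(bucket: str) -> dict:
    """Phase 1: read-only permission policy for the Account A role.
    ListBucket applies to the bucket ARN, GetObject to the objects under it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def kms_key_user_statement(role_arn: str) -> dict:
    """Statement for the key policy of the customer managed key so the Account A
    role can decrypt objects. The console's "key user" shortcut also grants
    Encrypt, ReEncrypt* and GenerateDataKey*; reading only needs Decrypt.
    In a key policy, Resource "*" means the key the policy is attached to."""
    return {"Sid": "AllowS3AccessRoleToDecrypt", "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}


def ec2_role_inline_policy(target_role_arn: str) -> dict:
    """Phase 2: inline policy on the Account B EC2 role; it may assume the
    Account A role and nothing else."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}]}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def lint(trust: dict, s3_policy: dict, key_stmt: dict, ec2_policy: dict) -> list:
    """Least-privilege checks to run before applying the documents.
    Returns the findings; an empty list means nothing was flagged."""
    findings = []
    for stmt in trust["Statement"]:
        for p in _as_list(stmt.get("Principal", {}).get("AWS", "")):
            if p == "*" or p.endswith(":root"):
                findings.append(f"trust policy: principal {p!r} is a whole account or '*'; "
                                "name the EC2 role ARN instead")
    for stmt in s3_policy["Statement"]:
        if any(r in ("*", "arn:aws:s3:::*") for r in _as_list(stmt["Resource"])):
            findings.append("s3 policy: Resource '*' reaches every bucket in the account")
        if any(a in ("s3:*", "*") for a in _as_list(stmt["Action"])):
            findings.append("s3 policy: Action 's3:*' grants write and delete as well as read")
    if any(a in ("kms:*", "*") for a in _as_list(key_stmt["Action"])):
        findings.append("key policy: 'kms:*' lets the role rewrite the key policy itself")
    for stmt in ec2_policy["Statement"]:
        if "*" in _as_list(stmt["Resource"]):
            findings.append("ec2 role: sts:AssumeRole on Resource '*' can assume any role that trusts it")
    return findings


def main() -> None:
    docs = {
        "account-a-trust-policy": trust_policy(EC2_ROLE),
        "account-a-s3-policy": s3_access_policy(BUCKET),
        "account-a-kms-key-policy-statement": kms_key_user_statement(S3_ACCESS_ROLE),
        "account-b-ec2-role-inline-policy": ec2_role_inline_policy(S3_ACCESS_ROLE),
    }
    for name, doc in docs.items():
        print(f"# {name}\n{json.dumps(doc, indent=2)}\n")
    for finding in lint(*docs.values()):
        print("WARNING:", finding)


if __name__ == "__main__":
    main()
```

The key policy statement is the piece that is easy to miss: with the S3 policy in place but no key user grant, GetObject on an SSE-KMS object is still denied, because S3 has to call KMS Decrypt on the caller's behalf.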

Phase 3: Create a Profile with the Role ARN and Test Fetching Data from the S3 Bucket on the EC2 Server

On the EC2 server, create an AWS CLI profile that references the Account A role ARN, then use that profile to fetch data from the S3 bucket. The screenshots show the profile being created and an object being fetched successfully.
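Phase 3 in code, as an added example rather than the post's own screenshots: the `~/.aws/config` profile the EC2 server uses, and the same assume-role-then-GetObject flow in Python. The role ARN, bucket, object key and profile name are placeholders; `fetch_object` takes its clients as parameters so the logic can be exercised without AWS credentials.

```python
"""Phase 3 on the EC2 instance: CLI profile chained through the cross-account
role, and the same flow in Python with the common failure mode handled.

Added example, not the post's own code. Role ARN, bucket, object key and
profile name are placeholders.
"""
import os

ROLE_ARN = "arn:aws:iam::111111111111:role/s3-cross-account-access"  # Phase 1 role (placeholder)
BUCKET = "my-encrypted-bucket"  # placeholder
OBJECT_KEY = "reports/latest.csv"  # placeholder


def cli_profile(name: str, role_arn: str) -> str:
    """A ~/.aws/config section. credential_source = Ec2InstanceMetadata makes
    the CLI assume role_arn with the instance profile credentials from IMDS,
    so no long-lived access keys are stored on the server."""
    return (
        f"[profile {name}]\n"
        f"role_arn = {role_arn}\n"
        "credential_source = Ec2InstanceMetadata\n"
        "region = us-east-1\n"
    )


def write_cli_profile(path: str, name: str, role_arn: str) -> str:
    """Append the profile to the given config file and return the path."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(cli_profile(name, role_arn))
    return path


def fetch_object(sts, s3_factory, role_arn: str, bucket: str, key: str) -> bytes:
    """Assume the Account A role, then read the object with the temporary
    credentials. `sts` is an STS client; `s3_factory(creds)` must return an S3
    client built from the returned credentials (injected so the flow can run
    without boto3 in tests)."""
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName="ec2-cross-account-read",
                           DurationSeconds=900)  # shortest allowed session: 15 minutes
    creds = resp["Credentials"]
    s3 = s3_factory(creds)
    try:
        obj = s3.get_object(Bucket=bucket, Key=key)
    except Exception as exc:  # botocore.exceptions.ClientError on a real run
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
        if code == "AccessDenied":
            # With the S3 policy in place, the usual cause is that the role is
            # not a key user on the bucket's KMS key, so S3 cannot decrypt for it.
            raise PermissionError(
                "GetObject denied: check the S3 policy on the role and that the role "
                "is a key user on the bucket's KMS key") from exc
        raise
    return obj["Body"].read()


def main() -> None:
    import boto3  # only needed for a real run on the instance

    def s3_from(creds):
        return boto3.client("s3", aws_access_key_id=creds["AccessKeyId"],
                            aws_secret_access_key=creds["SecretAccessKey"],
                            aws_session_token=creds["SessionToken"])

    data = fetch_object(boto3.client("sts"), s3_from, ROLE_ARN, BUCKET, OBJECT_KEY)
    print(f"read {len(data)} bytes from s3://{BUCKET}/{OBJECT_KEY}")


if __name__ == "__main__":
    main()
```

With the profile written, the CLI equivalent on the server is `aws s3 cp s3://my-encrypted-bucket/reports/latest.csv . --profile crossacct`; the CLI performs the same AssumeRole call before the S3 request.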

Clean-up

Delete the EC2 instance, the KMS customer managed key (schedule it for deletion), the IAM roles and policies in both accounts, and the S3 bucket.

Pricing

I reviewed the pricing; the estimated cost of this example is:

Cost of EC2 Instance = $0.09

Cost of Key Management Service = $1.0

Cost of Data Transfer = $0.0

Cost of S3 = $0.01

Total Cost = $(0.09 + 1.0 + 0.0 + 0.01) = $1.1

Summary

In this post, I showed “how to access cross accounts with IAM roles from EC2 to S3 with a customer managed key”.

For more details on IAM, check out Getting started with IAM and open the IAM console. To learn more, read the IAM documentation.

Thanks for reading!

Connect with me: Linkedin