“I have checked the AWS documentation to resolve the issue of accessing an encrypted S3 bucket from an EC2 server across accounts. So I checked various solutions and found out that it is possible using IAM roles and policies, and also by adding the S3 bucket access role in KMS. Pricing of Amazon EC2 depends on instance usage, S3 bucket pricing on storage size, and a KMS custom key costs $1 per key.”
AWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions for your workforce and systems to ensure least-privilege permissions. IAM is an AWS service that is offered at no additional charge. To learn more, read the IAM documentation.
In this post, you will learn how to access a cross-account S3 bucket from EC2 using IAM roles and a custom managed key. Here I have used an EC2 server, an S3 bucket and a custom managed key; the S3 access role is added to the key as a key user, so that an EC2 server in another account can read the bucket.
You’ll need an Amazon EC2 server for this post. Getting started with Amazon EC2 provides instructions on how to launch an EC2 server.
You’ll need an Amazon Simple Storage Service bucket for this post. Getting started with Amazon Simple Storage Service provides instructions on how to create a bucket.
You’ll need an AWS Key Management Service key for this post. Getting started with AWS KMS provides instructions on how to create a custom key. For this blog, I assume that I already have an EC2 server, an S3 bucket and a custom key created.
The architecture diagram shows the overall deployment architecture and the data flow across Amazon EC2, Amazon S3, AWS KMS and the IAM roles.
The blog post consists of the following phases:
- Create IAM Policy and Role of S3 Bucket Access for Cross Account
- Create IAM Role for EC2 Service in Another Account
- Creating a Profile with the Role ARN and Testing Fetching Data from the S3 Bucket on the EC2 Server
I have a custom key, an EC2 server and an S3 bucket, as shown below →
Phase 1: Create IAM Policy and Role of S3 Bucket Access for Cross Account
- Open the IAM console and create an IAM role whose trusted entity is the other AWS account. Also create a policy granting access to the S3 bucket (and decrypt permission on the custom key) and attach it to the role.
Phase 2: Create IAM Role for EC2 Service in Another Account
- Open the IAM console and create an IAM role for the EC2 service. Add a custom inline policy that allows sts:AssumeRole on the role ARN created in the first account. Then attach the role to the EC2 server.
Phase 3: Creating a Profile with the Role ARN and Testing Fetching Data from the S3 Bucket on the EC2 Server
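The three phases above, expressed as the policy documents and profile they produce. This is an added example, not the post's own code; the account IDs, role names, bucket name and key ARN are placeholders. It goes one step beyond the console walkthrough by trusting only the specific EC2 role in the other account rather than that whole account.

```python
import json

# Added example, not the post's own code. All account IDs, names and the key
# ARN are placeholders; replace them with your own values.
BUCKET_ACCOUNT = "111111111111"      # owns the S3 bucket and the custom KMS key
EC2_ACCOUNT = "222222222222"         # owns the EC2 instance
BUCKET = "example-encrypted-bucket"
KEY_ARN = f"arn:aws:kms:us-east-1:{BUCKET_ACCOUNT}:key/00000000-0000-0000-0000-000000000000"
S3_ROLE_ARN = f"arn:aws:iam::{BUCKET_ACCOUNT}:role/S3CrossAccountAccessRole"  # Phase 1 role
EC2_ROLE_ARN = f"arn:aws:iam::{EC2_ACCOUNT}:role/EC2AssumeS3Role"             # Phase 2 role

def trust_policy():
    """Phase 1: trust only the EC2 role in the other account, not that account's root."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"AWS": EC2_ROLE_ARN}, "Action": "sts:AssumeRole"}]}

def s3_access_policy():
    """Phase 1: read the bucket; S3 calls KMS to decrypt the data key on GetObject."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}

def kms_key_policy_statement():
    """Phase 1: the key policy must also list the S3 role as a key user."""
    return {"Sid": "AllowS3RoleDecrypt", "Effect": "Allow",
            "Principal": {"AWS": S3_ROLE_ARN}, "Action": "kms:Decrypt", "Resource": "*"}

def ec2_assume_role_policy():
    """Phase 2: inline policy on the EC2 role; only the one S3 role may be assumed."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": "sts:AssumeRole", "Resource": S3_ROLE_ARN}]}

def aws_config_profile():
    """Phase 3: ~/.aws/config profile; the instance role's credentials chain into the S3 role."""
    return ("[profile s3-cross]\n" f"role_arn = {S3_ROLE_ARN}\n"
            "credential_source = Ec2InstanceMetadata\n")

def fetch_object(key, profile="s3-cross"):
    """Phase 3 test, run on the EC2 instance: boto3 assumes the role via the profile."""
    import boto3  # imported lazily so the policy builders run without boto3 installed
    s3 = boto3.Session(profile_name=profile).client("s3")
    return s3.get_object(Bucket=BUCKET, Key=key)["Body"].read()

if __name__ == "__main__":
    for name, doc in [("trust", trust_policy()), ("s3-access", s3_access_policy()),
                      ("ec2-assume", ec2_assume_role_policy())]:
        print(f"--- {name} ---\n{json.dumps(doc, indent=2)}")
```

Without the key-policy statement the role's own kms:Decrypt grant is not enough, and GetObject fails with AccessDenied from KMS even though the S3 policy is correct.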
To clean up, delete the EC2 instance, the KMS custom key, the IAM roles and policies, and the S3 bucket.
I review the pricing and estimated cost of this example.
Cost of EC2 Instance = $0.09
Cost of Key Management Service = $1.0
Cost of Data Transfer = $0.0
Cost of S3 = $0.01
Total Cost = $(0.09 + 1.0 + 0.0 + 0.01) = $1.1
In this post, I showed “how to access cross accounts with IAM roles from ec2 to s3 with a custom managed key”.
For more details on IAM, check out Get started with IAM or open the IAM console. To learn more, read the IAM documentation.
Thanks for reading!
Connect with me: Linkedin