DEV Community

Arun Kumar for AWS Community Builders


How to grant cross account S3 bucket access

General Policy

An IAM role plus sts:AssumeRole is preferred over long-lived access keys whenever the third party runs on AWS and its application can assume a role.
Access keys are long-lived credentials: they have to be rotated, and once leaked they are harder to control and contain than role session credentials, which expire on their own.

Approach

  • Assume you have an IAM user with an access key in Account A.

  • You want that user to read a bucket in Account B.

  • Assume the Account B bucket is named sample-logs. Add the following to its bucket policy, replacing AccountA with Account A's 12-digit account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListBucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::AccountA:root"
                ]
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::sample-logs"
        },
        {
            "Sid": "AllowReadObjects",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::AccountA:root"
                ]
            },
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "arn:aws:s3:::sample-logs/*"
        }
    ]
}
  • Then, in Account A, attach the following inline policy to the IAM user. For a cross-account request both sides must allow it: the bucket policy in Account B lets Account A in, and this identity policy decides which principals inside Account A can actually use that grant. Because the bucket policy names the whole of Account A (the account root) as the principal, any principal in Account A that carries a matching identity policy can reach the bucket; to limit the grant to one caller, put that user's or role's ARN in the bucket policy's Principal instead of the account root.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:List*",
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::sample-logs",
                "arn:aws:s3:::sample-logs/*"
            ],
            "Effect": "Allow"
        }
    ]
}

Setting up IAM Users, Roles and bucket policy

  • If the third party needs access keys, you need an IAM user plus a permission policy for the bucket, and a process for rotating those keys.

  • If the third party can assume a role, you only need a role whose trust policy allows sts:AssumeRole from the third party's account, with the bucket permissions attached to the role. When the role and the bucket are in different accounts, the bucket policy must also allow that account (or, better, the role's ARN); when the role lives in the same account as the bucket, the role's permission policy alone is enough unless the bucket policy carries an explicit deny.
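The two procedures above (bucket policy plus identity policy for an access-key user, and a trust policy for an assumable role) are easy to get half right, so here is an added example that is not part of the original post and not AWS code: a deliberately reduced model of the IAM evaluation logic for this cross-account S3 case. It builds the same two policies as the page, adds a trust-policy builder for the role path, and checks a handful of requests against them. The account IDs, bucket name and user names are constructed placeholders, and SCPs, permission boundaries and session policies are ignored.

```python
"""Reduced model of cross-account S3 policy evaluation (example code, not AWS's).
Rules modelled:
  * an explicit Deny in either policy wins;
  * a cross-account caller needs an Allow in the bucket policy (Account B)
    AND an Allow in its own identity policy (Account A);
  * a Principal of arn:aws:iam::<acct>:root matches any principal in <acct>.
"""
import fnmatch

ACCOUNT_A = "111111111111"   # assumed: account of the caller (holds the access key)
ACCOUNT_B = "222222222222"   # assumed: account that owns the bucket
BUCKET = "sample-logs"


def bucket_policy(bucket, principal_arn):
    """Bucket policy on Account B's bucket granting list/read to principal_arn."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowListBucket", "Effect": "Allow",
         "Principal": {"AWS": principal_arn},
         "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "AllowReadObjects", "Effect": "Allow",
         "Principal": {"AWS": principal_arn},
         "Action": ["s3:Get*", "s3:List*"],
         "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def identity_policy(bucket):
    """Inline policy on the IAM user (or role) in Account A."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:List*", "s3:Get*"],
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}


def trust_policy(third_party_account, external_id):
    """Trust policy for a role in Account B that a third party's account may assume.
    The sts:ExternalId condition is AWS's standard confused-deputy guard for vendors."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{third_party_account}:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def account_of(arn):
    return arn.split(":")[4]


def principal_matches(stmt, caller_arn):
    p = stmt.get("Principal")
    if p is None or p == "*":        # identity policies carry no Principal element
        return True
    for allowed in _as_list(p.get("AWS", [])):
        if allowed == caller_arn:
            return True
        if allowed.endswith(":root") and account_of(allowed) == account_of(caller_arn):
            return True
    return False


def policy_decision(policy, caller_arn, action, resource):
    """Return 'Deny', 'Allow', or None when no statement matches."""
    decision = None
    for stmt in policy["Statement"]:
        if (principal_matches(stmt, caller_arn)
                and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(caller_arn, action, resource, bucket_pol, identity_pol, bucket_owner=ACCOUNT_B):
    b = policy_decision(bucket_pol, caller_arn, action, resource)
    i = policy_decision(identity_pol, caller_arn, action, resource)
    if "Deny" in (b, i):
        return False
    if account_of(caller_arn) == bucket_owner:
        return "Allow" in (b, i)            # same account: either side suffices
    return b == "Allow" and i == "Allow"    # cross-account: both sides required


def demo():
    reader = f"arn:aws:iam::{ACCOUNT_A}:user/log-reader"
    other = f"arn:aws:iam::{ACCOUNT_A}:user/someone-else"
    obj = f"arn:aws:s3:::{BUCKET}/2024/app.log"
    bp_root = bucket_policy(BUCKET, f"arn:aws:iam::{ACCOUNT_A}:root")  # account-wide grant
    bp_user = bucket_policy(BUCKET, reader)                             # scoped to one user
    ip, no_ip = identity_policy(BUCKET), {"Version": "2012-10-17", "Statement": []}
    return {
        "get_object": is_allowed(reader, "s3:GetObject", obj, bp_root, ip),
        "list_bucket": is_allowed(reader, "s3:ListBucket", f"arn:aws:s3:::{BUCKET}", bp_root, ip),
        "put_object": is_allowed(reader, "s3:PutObject", obj, bp_root, ip),
        "missing_identity_policy": is_allowed(reader, "s3:GetObject", obj, bp_root, no_ip),
        "other_user_via_root": is_allowed(other, "s3:GetObject", obj, bp_root, ip),
        "other_user_scoped_bucket_policy": is_allowed(other, "s3:GetObject", obj, bp_user, ip),
        "third_account": is_allowed("arn:aws:iam::333333333333:user/x", "s3:GetObject", obj, bp_root, ip),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:34} {'ALLOWED' if ok else 'DENIED'}")
```

Running it shows the two checks that matter in practice: a caller with only one side of the grant (an identity policy but no bucket-policy match, or the reverse) is denied, and with the account root as principal every user in Account A that has the identity policy gets in, whereas naming the user's ARN in the bucket policy limits the grant to that one caller.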
