Reputation: 865
AWS s3 cross-account policy to ensure that all accounts can read
I have multiple AWS accounts. Let's say account A, B and C, with IAM users IA, IB and IC. There's an S3 bucket in B, S3B. I have this configured so that if IB puts a file in S3B, all three users can read it. I've been able to further configure it such that IA and IC can upload -- but then only they can read those files. I was able to put a restriction on it such that IA and IC must grant IB permissions to read as well -- however, granting this still doesn't allow the other of IA or IC to read it, and requires the right call from the client code.
Is there any way to allow IA and IC to upload and automatically grant permissions such that all three accounts have read access?
thanks!
Upvotes: 2
Views: 1011
Answers (2)
Reputation: 2249
You can achieve this through Bucket Policies which are managed at the S3 Bucket level and are separate from Identity Access Management (IAM). The union of access between IAM, Bucket Policies, and Object Access Controls (File/Object Level) will grant the Principal (User or Group) access. Make sure there are no explicit denies as any explicit deny will trump any access permissions.
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html
Upvotes: 1
Reputation: 269470
Your question is rather confusing, but I shall assume that you are asking how to permit users in other AWS accounts access to an Amazon S3 bucket (including creation and reading of files).
You have:
- User-A in Account-A
- Bucket-B in Account-B
First, you will need to add a policy to Account B that permits access by User-A. It would look something like:
{
"Id": "Policy1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-b",
"arn:aws:s3:::bucket-b/*"
],
"Principal": "arn:aws:iam::<Account-A>:user/User-A"
}
]
}
Note that this policy is on Bucket-B in Account-B, but it is granting access to User-A in Account-A.
Second, User-A requires permission to use S3. This might already be granted to the user, but it's worth mentioning because they need to be granted permission to actually call S3. Here is a sample of a policy they would need:
{
"Id": "Policy1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-b",
"arn:aws:s3:::bucket-b/*"
]
}
]
}
To clarify: If they already have a policy that lets them call S3 on any bucket (eg s3:* on Resource: *), then they will not need the above policy since they already have permissions to call S3.
But...
If you are actually trying to limit things so that files uploaded by User-A are read-only to User-B and files created by User-B are read-only to User-A, this is a lot harder and is best avoided unless you write your own management application or use separate paths to control permissions.
Upvotes: 1
Related Questions
- AWS S3 cross account policy
- Role-based cross-account S3 access
- IAM Role policy for cross account access to S3 bucket in a specific AWS account
- Give S3 Full access cross account
- Allow access to S3 Bucket from all EC2 instances of specific Account
- Amazon S3 access for other AWS accounts
- AWS S3 bucket control policy for cross-account access
- S3 cross account access involving 3 accounts
- Setting policy for S3 bucket for authorized users
- AWS S3 Policy for authenticated users