Reputation: 879
Currently my application is configured to use AWS with the account AWS Payments.
We have a new requirement to upload a file to S3, which is in a different account, AWS Orders.
I have created an S3 bucket in the AWS Orders account and added another AWS user, the canonical account of AWS Payments.
Using my application I am able to upload files to AWS Orders.
When I log in to the console with AWS Orders I am unable to download or view the file. Is that because it was created by account Payments? Do we need to add a bucket policy?
Upvotes: 0
Views: 1644
Reputation: 1832
Ah, the old cross-account S3 put without giving permissions back to the bucket owner. In short, you can own the bucket but not have permission to the files. To resolve this, when you put the object across accounts you need to give the bucket owner access.
Documentation on granting cross-account permissions to put objects while ensuring the bucket owner still has full control.
You can ensure the bucket owner always has access by creating a deny statement for cross-account puts that do not grant full control to the owner.
To fix the objects already put, run this from the user that put the objects:
aws s3api put-object-acl --acl bucket-owner-full-control --bucket BUCKET --key KEY
Upvotes: 1
Reputation: 11
To solve this problem, you need to create an IAM user in AWS Orders which has access to the AWS Payments S3 bucket. Then replicate the S3 bucket and run an S3 sync.
IAM permissions, something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:ListBucket",
"s3:GetObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::bucket-name/*",
"arn:aws:s3:::bucket-name"
]
}
]
}
Then, add this to the bucket policy in AWS Orders:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Permissions for AWS Payments account",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AWS-Payments-Account-ID:root"
},
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"
]
}
]
}
S3 Cross Account Replication - https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-walkthrough-2.html
S3 Sync - https://docs.aws.amazon.com/cli/latest/reference/s3/sync.html
BEAR IN MIND - If the parent bucket doesn't have read/write permissions, the child bucket will replicate everything, including the permissions. So before trying this, please check the AWS Payments bucket policy and then make the changes.
Hope this helps! :)
Upvotes: 0
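The two answers above together describe one bucket policy: an Allow for the Payments account (the second answer) and a Deny on any PutObject that does not hand the bucket owner full control (the first answer). The following is an added example, not code from either answer or from AWS: it builds that policy with the Allow scoped to PutObject/PutObjectAcl rather than s3:*, and runs a small offline evaluator over it so you can see which uploads get through without touching a real bucket. The bucket name, the account IDs and the object key are placeholders, and the evaluator only implements the IAM subset the policy uses (explicit Deny wins, StringEquals/StringNotEquals, wildcard Action and Resource).

```python
import fnmatch
import json

# Placeholders (assumptions, not values from the thread).
BUCKET = "orders-uploads"
PAYMENTS_ACCOUNT = "111122223333"
ACL_KEY = "s3:x-amz-acl"  # condition key carrying the canned ACL of a PUT


def build_bucket_policy(bucket, writer_account):
    """Orders-bucket policy: narrow Allow for the writer account plus a Deny
    on any PutObject that does not grant bucket-owner-full-control. The Deny
    uses Principal "*" so it covers every cross-account writer."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowPaymentsWrite",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{writer_account}:root"},
                "Action": ["s3:PutObject", "s3:PutObjectAcl"],
                "Resource": objects,
            },
            {
                "Sid": "DenyPutWithoutBucketOwnerFullControl",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {ACL_KEY: "bucket-owner-full-control"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, account):
    principal = stmt["Principal"]
    if principal == "*":
        return True
    # "arn:aws:iam::<account>:root" stands for any principal of that account
    return any(arn == "*" or arn.split(":")[4] == account
               for arn in _as_list(principal.get("AWS", [])))


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # IAM rule: a negated operator is true when the key is absent,
                # so a PUT that sends no ACL header at all is still denied.
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policy, account, action, resource, context=None):
    """Minimal IAM evaluation: explicit Deny beats Allow, else implicit deny."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, account):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def check_uploads():
    """Run the requests that matter for this thread through the policy."""
    policy = build_bucket_policy(BUCKET, PAYMENTS_ACCOUNT)
    key = f"arn:aws:s3:::{BUCKET}/invoices/2024-01.csv"  # constructed sample key
    put = "s3:PutObject"
    full = {ACL_KEY: "bucket-owner-full-control"}
    return {
        "put_no_acl": evaluate(policy, PAYMENTS_ACCOUNT, put, key),
        "put_private_acl": evaluate(policy, PAYMENTS_ACCOUNT, put, key, {ACL_KEY: "private"}),
        "put_owner_full_control": evaluate(policy, PAYMENTS_ACCOUNT, put, key, full),
        "put_from_other_account": evaluate(policy, "999999999999", put, key, full),
        "delete_bucket": evaluate(policy, PAYMENTS_ACCOUNT, "s3:DeleteBucket",
                                  f"arn:aws:s3:::{BUCKET}"),
    }


def put_object_acl_commands(bucket, keys):
    """argv lists that repair objects already uploaded without the ACL; they
    must be run by the account that wrote the objects, as the first answer says."""
    return [["aws", "s3api", "put-object-acl", "--acl", "bucket-owner-full-control",
             "--bucket", bucket, "--key", k] for k in keys]


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(BUCKET, PAYMENTS_ACCOUNT), indent=2))
    for name, decision in check_uploads().items():
        print(f"{name:24} {decision}")
```

The evaluator reports Deny for a PUT with no ACL header or with `private`, Allow only for `bucket-owner-full-control`, and an implicit deny both for a third account and for `s3:DeleteBucket` (which the `s3:*` grant in the second answer would have allowed). One caveat worth knowing before adding the Deny statement: with S3 Object Ownership set to BucketOwnerEnforced (the default for buckets created since April 2023) ACLs are disabled, the bucket owner automatically owns every object, and PUTs that send any ACL other than bucket-owner-full-control are rejected, so on such a bucket the original problem cannot occur.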