Control Tower AWS - Share s3 bucket

Question

I have recently started to use Control Tower from AWS to manage my multiple account environment.

My current question is: I have a bucket belonging to the master account that I would like to share console access with some of the accounts of the organization. How can I do that? I have tried adding a bucket policy specifying the accounts and an SSO permission set attached to that account granting access to the bucket but when accessing with that role to s3 I can't see that bucket.

I am able to access the bucket through CLI but not through console, though. I.e. When accessing with the assigned role through CLI I am able to do aws s3 ls s3://mybucket and it shows the folders inside it (other commands work as well). But when doing aws s3 ls the bucket is not listed.

bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Example permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "123456789101",
                    "112131415161",
                ]
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::mybucket"
        }
    ]
}

permission set:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "Example",
         "Effect": "Allow",
         "Action": [
            "s3:*"
         ],
         "Resource": [
            "arn:aws:s3:::mybucket",
            "arn:aws:s3:::mybucket/*"
         ]
      }
   ]
}

Does anyone know how to allow the users to list it with the rest of the account buckets and through the console on the s3 page?

Thank you!!

Daiana

Answer 1

As I understand ControlTower, you are not supposed to do anything meaningful in the root account.

Also, there is no shared Console access unless you allow other users to "federate" into the very same account where the bucket was created. Using the ControlTower this is usually done via Single-Sign-On (SSO)

My suggestion is: Create a Shared Services/Resources account and allow access to those resources to any member of your organization. Do this by making use of the new AWS:PrincipalOrgID. For example, see this CloudFormation Snippet for a central SNS queue with sns:Publish permission from within the AWS organization.:

Resources:

  Topic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: Name
      TopicName: name

  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref Topic
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # default permission allow same account: https://www.terraform.io/docs/providers/aws/r/sns_topic_subscription.html
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: "*"
            Action:
            - SNS:GetTopicAttributes
            - SNS:SetTopicAttributes
            - SNS:AddPermission
            - SNS:RemovePermission
            - SNS:DeleteTopic
            - SNS:Subscribe
            - SNS:ListSubscriptionsByTopic
            - SNS:Publish
            - SNS:Receive
            Resource: !Ref Topic
            Condition:
              StringEquals:
                AWS:SourceOwner: !Sub ${AWS::AccountId}        
          - Sid: SnsTopicPolicy
            Effect: Allow
            Principal:
              AWS: "*"
            Condition:
              StringEquals:
                # allow access from within your organization
                AWS:PrincipalOrgID: "o-xxxxxxxxxx"          
            Action: sns:Publish
            Resource: !Ref Topic