AWS CrossAccount S3 PutObject from Lambda in another account

Question

I am trying to put a text file from Lambda which is in Account A to S3 bucket in account B. S3 bucket(test-bucket) is having AWS-KMS encryption enabled. I added below permissions :

1. Added below bucket policy to S3 bucket in Account B:

    {"Version": "2012-10-17",
    "Id": "ExamplePolicy",
    "Statement": [
        {
            "Sid": "ExampleStmt",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountA:role/Lambda-Role"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::test-bucket/*"
        }
    ]
   

   }

2. Added below policy in KMS key:

    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountB:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountA:role/Lambda-Role"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
   

   }

3. Added below Inline policy in Account A - Lambda Role and gave access to KMS key:

{"Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "kms:DescribeKey",
                "kms:ReEncrypt*"
            ],
            "Resource": [
                "arn:aws:kms:us-west-2:AccountB:key/KMS-ID"
            ]
        }
    ]
}

Files are also uploading in Account B S3 Bucket but not able to view/download any of those files. Gets this error:

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>5H3KEXCJ7YSCJS</RequestId>
<HostId>hqwavZZo6D0asdddcvfff+prEtoBCwTFH0AYtzzzzzztqAaPflzs85aaaaa=</HostId>
</Error>

When I checks the file properties it has : Server-side encryption- Access denied. Don't know what am I missing here. Someone please guide.

Answer 1

I found the solution. I only needed to add ACL='bucket-owner-full-control' in the put_object. Below is the complete boto3 cmd.

s3.put_object(
    ACL='bucket-owner-full-control'
    Body=processed_content,
    Bucket=processed_bucket,
    Key=processed_key)

Answer 2

One thing missing in Account A - Lambda Role is - it should have permission to access the bucket in account B even though the bucket policy in Account-B allows it.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::AccountABucketName"
                "arn:aws:s3:::AccountABucketName/*"
            ]
 
        }
    ]
}

And to List the files in the bucket you should also add "Resource": "arn:aws:s3:::test-bucket as well