CODEWITHSUNDEEP
amazon-web-servicesamazon-s3policy
hightest
hightest

Reputation: 493

AWS S3 bucket - Allow download files to every IAM and Users from specific AWS Account

Look for a policy for S3 bucket that will allow all IAM roles and users from different account, to be able to download files from the bucket that is located in my AWS account.

Thanks for help

Upvotes: 0

Views: 2858

Answers (2)

saloua
saloua

Reputation: 2493

Fo that, you would need to provide a cross-account access to the objects in your buckets by giving the IAM role or user in the second Account permission to download (GET Object) objects from the needed bucket.

The following AWS post https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/ provides details on how to define the IAM policy. In your case, you just need the Get object permission.

Upvotes: 1

Chris Williams
Chris Williams

Reputation: 35188

You can apply object level permissions to another account via a bucket policy.

By using the principal of the root of the account, every IAM entity in that account is able to interact with the bucket using the permissions in your bucket policy.

An example bucket policy using the root of the account is below.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "Example permissions",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::AccountB-ID:root"
         },
         "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket"
         ],
         "Resource": [
            "arn:aws:s3:::awsexamplebucket1"
         ]
      }
   ]
}

More information is available in the Bucket owner granting cross-account bucket permissions documentation

Upvotes: 2

Related Questions