mount.cifs

Reputation: 131

AWS S3 cross account policy

I would like to set a policy for an S3 bucket that is restricted to a VPC ID (using an S3 endpoint). I have two accounts, A and B. I want an IAM user in A to access a bucket in B.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html

{
    "Version": "2012-10-17",
    "Id": "Policy1415115909153",
    "Statement": [
        {
            "Sid": "Access-to-specific-VPC-only",
            "Principal": "*",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::awsexamplebucket1",
                "arn:aws:s3:::awsexamplebucket1/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:SourceVpc": "vpc-111bbb22"
                }
            }
        }
    ]
}

The above won't work, but the following will:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket",
                "arn:aws:s3:::bucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": "vpc-111111111111"
                }
            }
        }
    ]
}

It feels like best practice is to use a deny policy. Does anyone have an idea why, and how to solve it?

Upvotes: 1

Views: 699

Answers (1)

mount.cifs

Reputation: 131

As pointed out, you need to allow as well. Combine both policies and it will work.

Upvotes: 1
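The combined policy the answer recommends, with a small simulation of the bucket-policy decision, as an added example that is not part of the original question or answer: the Deny-only policy grants nothing to a cross-account principal (implicit deny), the Allow must name the account A user rather than "*" so that other principals on the same endpoint get nothing, and requests that do not arrive through the endpoint carry no aws:SourceVpc, so the StringNotEquals Deny catches them. The account IDs, bucket and VPC ID are constructed placeholders, and only the bucket policy is modelled here; the IAM user in account A still needs an identity policy in A that allows the same actions on this bucket.

```python
from fnmatch import fnmatchcase

# Constructed placeholders: an IAM user in account A, a bucket and VPC in account B.
BUCKET = "arn:aws:s3:::bucket"
USER_A = "arn:aws:iam::111111111111:user/reader"
VPC_ID = "vpc-111111111111"

DENY_ONLY = [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"StringNotEquals": {"aws:SourceVpc": VPC_ID}},
}]

# Deny everything outside the VPC, plus an explicit Allow for the named
# cross-account user (not "*", so other accounts on the endpoint get nothing).
COMBINED = DENY_ONLY + [{
    "Effect": "Allow", "Principal": {"AWS": USER_A},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [BUCKET, BUCKET + "/*"],
}]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, principal, action, resource, ctx):
    p = stmt["Principal"]
    p_ok = p == "*" or principal in _as_list(p.get("AWS", []))
    a_ok = any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
    r_ok = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    for op, pairs in stmt.get("Condition", {}).items():
        for key, want in pairs.items():
            have = ctx.get(key)
            # StringNotEquals is true when the key is absent (no endpoint => Deny).
            if op == "StringEquals" and have != want:
                return False
            if op == "StringNotEquals" and have is not None and have == want:
                return False
    return p_ok and a_ok and r_ok

def evaluate(statements, principal, action, resource, ctx):
    """Bucket-policy decision: explicit Deny wins, then Allow, else implicit deny."""
    hits = [s["Effect"] for s in statements
            if _matches(s, principal, action, resource, ctx)]
    if "Deny" in hits:
        return "Deny"
    return "Allow" if "Allow" in hits else "ImplicitDeny"
```

Run evaluate(DENY_ONLY, USER_A, "s3:GetObject", BUCKET + "/data.csv", {"aws:SourceVpc": VPC_ID}) to see the implicit deny behind "above won't work", and the same call against COMBINED to see the Allow.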
