S3 Cross-Account Access

When you create an S3 bucket, your account owns that bucket. By default, no other account can access it — unless you grant it permissions. In this post, we walk through how to share an S3 bucket with another AWS account. Our main tool will be the S3 bucket policy.

This post assumes the following already exist:
A. The S3 bucket in question (or a test bucket)
B. The account that you want to give access to.

Caution: Here we use “s3:*” as the allowed actions. (Because of the *, all S3 actions will be allowed.) We use this for simplicity’s sake, because your uses will vary and require different sets of permissions. Thus, we’re treating “s3:*” as a placeholder as well. To follow security best practices, replace “s3:*” with the minimal list of actions that will work for your needs.

Let’s begin!

How to Give Cross-Account S3 Access

You share an S3 bucket with another account by attaching a policy to the S3 bucket.

1. Open the AWS S3 console: https://console.aws.amazon.com/s3

2. Choose your bucket (e.g. yourbucketname)

3. Select the Permissions tab

4. Scroll to the Bucket Policy section and click “Edit”

5. If the Policy field is empty, paste this block of code:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "CrossAccountPolicy1",
			"Principal": {
				"AWS": ["arn:aws:iam::123412341234:root"]
			},
			"Effect": "Allow",
			"Action": ["s3:*"],
			"Resource": [
				"arn:aws:s3:::yourbucketname/*",
				"arn:aws:s3:::yourbucketname"
			]
		}
	]
}

If the Policy field is not empty, instead of pasting, insert the following part into the array under “Statement”:

		{
			"Sid": "CrossAccountPolicy1",
			"Principal": {
				"AWS": ["arn:aws:iam::123412341234:root"]
			},
			"Effect": "Allow",
			"Action": ["s3:*"],
			"Resource": [
				"arn:aws:s3:::yourbucketname/*",
				"arn:aws:s3:::yourbucketname"
			]
		}

Notes:
a. Of course, you want to replace 123412341234 with the account ID of the account you’re giving access to.
b. You don’t have to use root; you can choose a specific user within the other account by replacing “arn:aws:iam::123412341234:root” with “arn:aws:iam::123412341234:user/theirusername”.
c. Similarly, you can include multiple statements that target multiple users, giving each different permissions.

6. (optional) Test that an administrator in the recipient account can access the bucket.
Assumptions:
• They have the AWS command line tools installed.
• They have their profile credentials configured. (To configure, they can open the command line and type aws configure.)

On macOS/Linux:
From the Terminal, type
aws s3 ls s3://yourbucketname --profile theirAdminUsername
If their default profile is already an admin, theirAdminUsername can be replaced with default.

On Windows:
From PowerShell (with the AWS Tools for PowerShell installed), type
Get-S3Object -BucketName yourbucketname -StoredCredentials theirAdminUsername

That’s it. Now the recipient account (with ID 123412341234 in our example) has access to your S3 bucket. If that account wants to allow or deny different permissions to multiple users, they can do that via IAM.

For more complex cross-account S3 access, please feel free to contact me.
