Open In App

How to Access S3 Bucket from Another AWS Account

Last Updated : 21 Jun, 2024
Comments
Improve
Suggest changes
Like Article
Like
Report

Amazon Simple Storage Service (S3) is one of the most widely used services provided by Amazon Web Services (AWS). It is a secure and scalable object-based storage solution. Most organizations have multiple AWS accounts that manage different environments, projects, or teams. As a result of this use case, S3 buckets could be managed across various AWS accounts simultaneously. This will help in improving data control in one centralized place and enhancing cooperative working among various teams or projects.

This article will help you access an S3 bucket from another AWS account. By the moment you finish this article, you will have known key terminologies and gain insight into how to go through an extended procedural configuration of setting up necessary permissions and roles. At the end of this guide, you will be in a place to confidently establish and implement cross-account access to the S3 buckets in such a way that the proper entities get the proper access. To do it right is even more critical, so you can always make accounts secure without turning them into unmanageable behemoths from an operational standpoint. This guide helps beginners to experienced AWS users handle cross-account intricacies with clear guidance and examples.

Primary Terminologies

S3 Bucket

  • A collection of many objects in an S3 bucket; there is no limit in Amazon documentation. The container in which all objects are stored; one object has many objects in one bucket, thus forming buckets

IAM (Identity and Access Management)

  • A web service securely controlling access and managing users, to the services within the AWS suite. You can manage users, groups, roles, and their relative access permissions to any AWS services. IAM ensures that only authorized and valid entries can access your entries.

IAM role

  • In IAM, a role is an AWS identity that has permission policies that, when attached, grant some operations to whoever assumes the role. Roles are meant to be taken by other entities, such as IAM users, applications, or AWS services. Benefits of IAM roles in cross-account access: A user can use one account to give another account temporary permissions with the help of IAM roles.

Policy

  • A policy is a JSON document that defines permissions. The policy describes the actions which may or may not be followed by the principal on the resources. A policy may be attached to an IAM user, group, or role. Policies include managed, in-line, and resource-based policies or bucket policies.

Trust Policy

  • A trust policy, in an IAM role, states explicitly which if any, entities can assume that IAM role. A significant feature of trust policies is that they inter-account allow using a role.

AssumeRole

  • AssumeRole is an AWS Security Token Service operation and an operation that replicates back a set of temporary security credentials. These credentials are for the IAM role and contain the permissions attached to the role. This is another permission in action that allows the operation of cross-account access for an entity in another account to assume a role in your account as a temporary grant of permissions.

Temporary Credentials

  • The temporary credentials consist of an access key ID, a secret access key, and a session token. These are the authorization details, resembling a result of authentication and an access bean gained from assuming an IAM role, which is sourced out of the AWS Security Token Service STS. Temporary, limited privilege access to the resources of AWS reduces the risk associated with long-term credentials.

Step-by-Step Process to Access S3 Bucket from Another AWS Account

Step 1: Create an IAM Role in the Target Account (Account B)

Here we are taking 2 AWS Accounts which is A and B Accounts.

  • Firstly Sign in to the AWS Management Console of Account B.
  • Navigate to IAM.
iam Dashboard

Create a new role:

  • Click on "Roles" in the left sidebar.
  • Click the "Create role" button.
Create role

Select Trusted Entity:

In Trusted Entity Choose AWS Account

  • In AWS Account, Choose "Another AWS account".
  • Enter the Account ID of the source account (Account A).
AWS Account

Attach Policies:

  • Select the "AmazonS3FullAccess" policy or create a custom policy with specific permissions attach policies to role.
Add permissions

Review and Create:

  • Review the configuration and click "Create role".
  • Here we see that Role was successfully created.
create role

Step 2: Set Up Bucket Policy in the Target Account (Account B)

  • Now Navigate to the S3 service in Account B.
  • Select the S3 bucket you want to share.
Buckets
  • Go to the "Permissions" tab and click on "Bucket Policy".
bucket policy
  • Add a bucket policy to allow access from Account A:

Here is the bucket policy to be add

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountA-ID:root" #here we need to add account id of the AWS Account
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your-bucket-name",
                "arn:aws:s3:::your-bucket-name/*"
            ]
        }
    ]
}
edit bucket policy
  • Now Save the bucket policy.

Step 3: Assume the IAM Role from the Source Account (Account A)

  • Sign in to the AWS Management Console of Account A.
  • Navigate to IAM.
IAM Account

Create a new policy to assume the role in Account B:

  • Click on "Policies" in the left sidebar.
  • Click the "Create policy" button.
create policy
  • Add the following JSON policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::AccountB-ID:role/Role-Name"
        }
    ]
}
Specify Permissions

Attach the Policy to IAM Users or Roles in Account A:

  • Now Assign this policy to the users or roles that need to access the S3 bucket in Account B
S3 bucket

Step 4: Access the S3 Bucket from Account A

Use AWS CLI to assume the role and access the bucket:

aws sts assume-role --role-arn "arn:aws:iam::AccountB-ID:role/Role-Name" --role-session-name AWSCLI-Session
Access the S3 Bucket from Account A

Access the S3 bucket:

aws s3 ls s3://your-bucket-name
Access the S3 bucket:

Here we see that From Account B we can Accessed Account A S3 Bucket

Conclusion

It is very important that an S3 bucket can be accessed from another AWS account to share resources across teams or projects within an organization. With an adequately set up IAM role, a trust policy, and a bucket policy, you will have secure cross-account access and maximum efficiency of access to S3 resources. It does so by creating an IAM role in the target account, Account B, configuring the bucket policy to grant necessary permissions, and then assuming that role from the source account, Account A, towards temporary security credentials. Very fine-grained access towards the S3 Bucket and actions is allowed.

The guide has enabled you to have cross-account access securely and in the best practices regarding security in AWS. These steps would allow you to enjoy better collaboration and management of the resources without having to close your eyes on security. Remember always to allow what is necessary, that is, the concept of least privilege. In other words, this cross-account access of an S3 bucket is handy when implemented properly: for enhancing operational efficiency and data management, along with having in place critical security controls.


Next Article
Software Developer (SDE) Interview/Placement Preparation Guide
author
sadasivareddy
Improve
Article Tags :

Similar Reads

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox
  翻译: