How To Enable Cross Account Access In AWS S3?

To access an Amazon S3 (Simple Storage Service) bucket from another AWS account, we need to set up cross account access permissions in S3. This typically involves configuring bucket policies.

If you already know the bucket policy in S3 then it will be easier for you. If you don’t know about it then don’t worry you can still enable access for another AWS account. 🙂

In this post, I will explain how we can access Amazon S3 Bucket from another AWS Account.

Prerequisites

1. Either you must have access right to both the account
   • Or 12 digits account number of account B
   • And the ARN of the Role/User from B who is going to access the bucket of account A.
2. Access privilege of account A where you are going to modify the bucket policy.

Our Use Case

Let’s say, you have an account A and B in AWS.

And, you also have a bucket my-bucket-a in your account A and want to access it bucket from account B.

Solution to enable cross account access in AWS S3

I am dividing this solution steps into two parts. The first part is to get the ARN of the Role/User of account B which is going to access the bucket from account A. And, another is to apply bucket policy to my-bucket-a in account A. So that it will be easier to access S3 bucket from another AWS account.

First Part: Get User or Role ARN

1. Login to your AWS account B.
2. Go to IAM service.
3. If you are going to give access to a particular user then go to the Access Management category and click Users.
   • You may see the list of users. Select one of them to whom you want to give access.
   • Copy the User ARN. It looks like: arn:aws:iam::your-12-digit-account-number:user/you-username-from-account-b
4. If you are going to give access to a Role then go to the Access Management category and click Roles.
   • You may see the list of roles. Select one of them to whom you want to give access.
   • Copy the Role ARN. It looks like: arn:aws:iam::your-12-digit-account-number:role/service-role/your-rolename-from-account-b

Second Part: Apply Bucket Policy

1. Login to your AWS account A.
2. Go to S3 service.
3. Select the bucket you want to update the policy. Ex: my-bucket -a
4. Go to the Permissions tab
5. Scroll down you may find the Bucket Policy and click on the Edit button.
6. Now, edit the correct value to the following JSON content and paste it into policy and click on Save Changes button.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::your-12-digit-account-number:role/your-rolename-from-account-b"
            },
            "Action": [
                "s3:GetObject".
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::my-bucket-a/*"
        }
    ]
}

With this policy, the role from account B can upload and get the object from the bucket my-bucket-a.

To understand more on bucket policy, you can take a reference from the official document of the AWS.

Conclusion

In this post, we are able to access the bucket from another AWS account.

We also learn to update the policy in S3 bucket.