Managing access to your AWS resources across multiple accounts can be crucial to your cloud strategy. One common requirement is allowing cross-account access to an S3 bucket. This guide will walk you through setting up cross-account access using IAM roles and policies.

Step 1: Create an IAM Role in the Account That Owns the S3 Bucket

  1. Log in to the AWS Management Console in the account that owns the S3 bucket.
  2. Navigate to the IAM console.
  3. In the navigation pane, click Roles, then Create role.
  4. Select Another AWS account.
  5. Enter the Account ID of the account that you want to grant access to.
  6. Click Next: Permissions.

Step 2: Attach a Policy to the IAM Role

  1. On the Attach permissions policies page, choose Create policy.

Choose the JSON tab and enter the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your-bucket-name",
                "arn:aws:s3:::your-bucket-name/*"
            ]
        }
    ]
}

  1. Replace your-bucket-name with the name of your S3 bucket.
  2. Click Review policy, give it a name, and choose Create policy.
  3. Attach the newly created policy to the role by selecting it from the list.
  4. Click Next: Tags, then Next: Review.
  5. Provide a role name and description, then click Create role.

Step 3: Update the Bucket Policy in the S3 Bucket

  1. Navigate to the S3 console in the account that owns the bucket.
  2. Select your bucket.
  3. Choose the Permissions tab and then Bucket Policy.

Add the following policy, replacing your-bucket-name with your bucket name and account-id with the AWS account ID of the external account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account-id:role/role-name"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your-bucket-name",
                "arn:aws:s3:::your-bucket-name/*"
            ]
        }
    ]
}

  1. Save the changes.
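The three documents that Steps 1 to 3 produce, generated and checked in Python as an added example that is not part of the original guide: the trust policy the console writes in Step 1 when you choose Another AWS account (the standard root-principal form), the Step 2 role policy, and the Step 3 bucket policy. The account ID 123456789012, the name role-name and the action list in LEAST_PRIVILEGE_ACTIONS are constructed placeholders, and audit_policy is a hypothetical helper: it flags the s3:* grant the guide uses so you can decide whether a narrower action list covers your workload before pasting the document into the console.

```python
import json
import re

# Validation patterns for the two values the guide asks you to fill in.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # AWS account IDs are exactly 12 digits
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# Assumed requirement for the tighter alternative to "s3:*": read, write and list.
LEAST_PRIVILEGE_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]


def _check_account(account_id):
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")


def _check_bucket(bucket):
    if not BUCKET_NAME_RE.match(bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")


def bucket_arns(bucket):
    # Both ARNs are needed: the bucket itself (ListBucket) and its objects (Get/PutObject).
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def trust_policy(external_account_id):
    """Step 1: the trust policy the console writes when you pick 'Another AWS account'.
    Any principal in that account with sts:AssumeRole on this role may assume it."""
    _check_account(external_account_id)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{external_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def role_permissions_policy(bucket, actions="s3:*"):
    """Step 2: the identity policy attached to the role (the guide uses s3:*)."""
    _check_bucket(bucket)
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": bucket_arns(bucket)}],
    }


def bucket_policy(bucket, account_id, role_name, actions="s3:*"):
    """Step 3: the resource policy on the bucket naming the role as principal."""
    _check_bucket(bucket)
    _check_account(account_id)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{role_name}"},
            "Action": actions,
            "Resource": bucket_arns(bucket),
        }],
    }


def audit_policy(policy):
    """Return human-readable findings for over-broad grants; an empty list means none."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append(f"statement {i}: wildcard action(s) {wild}")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: principal is any AWS identity")
    return findings


def render(policy):
    """Serialize with ASCII straight quotes, ready to paste into the console JSON tab."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    external = "123456789012"  # constructed placeholder account ID
    documents = [
        ("trust policy", trust_policy(external)),
        ("role policy (as in the guide)", role_permissions_policy("your-bucket-name")),
        ("role policy (least privilege)",
         role_permissions_policy("your-bucket-name", LEAST_PRIVILEGE_ACTIONS)),
        ("bucket policy",
         bucket_policy("your-bucket-name", external, "role-name", LEAST_PRIVILEGE_ACTIONS)),
    ]
    for name, doc in documents:
        print(f"--- {name}: findings={audit_policy(doc)}")
        print(render(doc))
```

Run it and paste the rendered output into the JSON tab; the findings line tells you at a glance which document still carries a wildcard grant.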

Step 4: Assume the IAM Role from the External Account

  1. Log in to the AWS Management Console in the external account.
  2. Navigate to the IAM console.
  3. In the navigation pane, choose Roles, then Create role.
  4. Select Another AWS account and enter the account ID of the bucket-owning account.
  5. Click Next: Permissions and attach the necessary policies to the role.

Assume the role by using the AWS CLI or SDKs. Here is an example using the AWS CLI:

aws sts assume-role \
  --role-arn arn:aws:iam::account-id:role/role-name \
  --role-session-name session-name
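What to do with the response, as an added example that is not part of the original guide: the command prints a JSON document containing temporary credentials and the session's ARN. The Python below parses a constructed sample of that output (every value is a fake placeholder), maps the credentials to the environment variables the AWS CLI and SDKs read, reports how long they remain valid, and splits the assumed-role ARN, which is the identity the bucket owner sees in CloudTrail and S3 server access logs for every request made with the session.

```python
import json
from datetime import datetime, timezone

# Constructed sample of the JSON that `aws sts assume-role` prints; every value is a
# fake placeholder, not a real credential.
SAMPLE_OUTPUT = """{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEACCESSKEY",
        "SecretAccessKey": "EXAMPLEsecretKEYplaceholder",
        "SessionToken": "EXAMPLEsessionTOKENplaceholder",
        "Expiration": "2030-01-01T01:00:00+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEROLEID:session-name",
        "Arn": "arn:aws:sts::123456789012:assumed-role/role-name/session-name"
    }
}"""


def parse_assume_role_output(text):
    """Return (credentials dict, assumed-role ARN) from the CLI's JSON output."""
    doc = json.loads(text)
    creds = doc["Credentials"]
    for key in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        if key not in creds:
            raise ValueError(f"assume-role output is missing Credentials.{key}")
    return creds, doc["AssumedRoleUser"]["Arn"]


def env_for_session(creds):
    """Map temporary credentials to the environment variables the CLI and SDKs read."""
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        # Required: STS credentials are only valid together with their session token.
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def seconds_remaining(creds, now=None):
    """Seconds until the temporary credentials expire; negative once they have."""
    expires = datetime.fromisoformat(creds["Expiration"])
    if now is None:
        now = datetime.now(timezone.utc)
    return int((expires - now).total_seconds())


def split_assumed_role_arn(arn):
    """Decompose arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION into its parts.
    This is the identity recorded in CloudTrail and S3 server access logs for
    requests made with the session, so the session name is what lets the bucket
    owner attribute activity back to a particular caller."""
    prefix, _, rest = arn.partition(":assumed-role/")
    if not prefix.startswith("arn:aws:sts::") or not rest:
        raise ValueError(f"not an assumed-role ARN: {arn!r}")
    account = prefix[len("arn:aws:sts::"):]
    role, _, session = rest.partition("/")
    return {"account": account, "role": role, "session": session}


if __name__ == "__main__":
    creds, arn = parse_assume_role_output(SAMPLE_OUTPUT)
    for key, value in env_for_session(creds).items():
        print(f"export {key}={value}")  # paste into the shell, or pass to subprocess
    print(split_assumed_role_arn(arn), "expires in", seconds_remaining(creds), "s")
```

Pick a role-session-name that identifies the caller (a user name or a job ID), since that string is what the bucket owner will have to correlate when reviewing access.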

Conclusion

Following these steps, you can securely allow cross-account access to your S3 bucket using IAM roles and policies. This setup ensures only authorized accounts can access your resources, enhancing your cloud environment’s security and manageability.