S3 bucket access from the same and another AWS account

13 thoughts on “S3 bucket access from the same and another AWS account”

      1. FYI using STS to assume a role to access an S3 bucket in another account has now been included in this article. Thanks again for the suggestion.

  1. Nice precise explanation… It would be great if you can create AWS tutorials or cover other topics as well. Thanks.

  2. Thank you for sharing your knowledge.
    Really clear explanation, now I know that when setting up a cross account access for a user, a bucket policy is not enough ;).

    1. You may also add the access to a bucket using an S3 Access Point.
      Delegating the bucket permission to the access point is also interesting.

      1. Hi,

        Yes, it has been implemented by our Cloud provider to provide me write access to a
        bucket that resides in a prod account. The bucket was also accessed by an RDS SQL Server instance to perform native restore operations (not via an access point this time).

        From my point of view, using a role (switch role) is the simplest solution to not have to care about file ownership, but there is no magic answer; as always, it depends on the use case 🙂

  3. Hi again,
    I’m deep diving into the topic.

    Regarding the use of --acl bucket-owner-full-control:
    It’s interesting to note that using this option doesn’t transfer the object ownership to the AWS Account that owns the Bucket, it only adds additional ACLs for the Account that owns the Bucket.
    You can configure S3 Bucket Ownership at the Bucket level (S3 > Your Bucket > Permissions > Edit Bucket Ownership > Define ‘Bucket owner preferred’).
    By changing this option, the object Ownership is transferred to the AWS Account where the Bucket resides, BUT users from other AWS Accounts are still able to put objects without specifying --acl bucket-owner-full-control.
    You can also enforce them to do it by defining this additional statement in the resource-based policy configured on your bucket:

    "Condition": {
        "StringEquals": {
            "s3:x-amz-acl": "bucket-owner-full-control"
        }
    }

    You can refer to the AWS documentation for more details. https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
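The enforcement the comment above describes, as an added example that is not part of the original post or any commenter's code: a small Python script that builds the bucket policy statement requiring the `bucket-owner-full-control` canned ACL on `PutObject`, and a minimal evaluator that shows which requests the statement catches. It uses the AWS-documented enforcing form (`Effect: Deny` with `StringNotEquals`), which is the mirror image of the `StringEquals` condition quoted in the comment; the bucket name `example-bucket` and the request samples are constructed placeholders.

```python
import json

# Constructed placeholder bucket name; replace with the bucket that the policy applies to.
BUCKET = "example-bucket"

ACL_KEY = "s3:x-amz-acl"
REQUIRED_ACL = "bucket-owner-full-control"


def build_bucket_policy(bucket: str) -> dict:
    """Return a bucket policy that denies any PutObject whose request does not
    carry the bucket-owner-full-control canned ACL.

    This is the enforcing (Deny + StringNotEquals) form documented by AWS for
    requiring the ACL; an Allow + StringEquals statement for a specific
    cross-account principal, as in the comment above, is the permissive form.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RequireBucketOwnerFullControlAcl",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringNotEquals": {ACL_KEY: REQUIRED_ACL}
                },
            }
        ],
    }


def policy_json(bucket: str) -> str:
    """Serialize the policy so it can be passed to `aws s3api put-bucket-policy`."""
    return json.dumps(build_bucket_policy(bucket), indent=2)


def _condition_matches(condition: dict, request_acl):
    """Evaluate a Condition block against the x-amz-acl value of a request.

    Mirrors IAM semantics for a missing key (request_acl is None): a negated
    operator such as StringNotEquals evaluates to True when the key is absent,
    while StringEquals evaluates to False. That is exactly why an upload that
    omits --acl entirely is still denied by the enforcing statement.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key != ACL_KEY:
                raise ValueError(f"unsupported condition key in this evaluator: {key}")
            if operator == "StringEquals":
                matched = request_acl == expected
            elif operator == "StringNotEquals":
                matched = request_acl != expected
            else:
                raise ValueError(f"unsupported operator in this evaluator: {operator}")
            if not matched:
                return False
    return True


def put_is_denied(policy: dict, request_acl) -> bool:
    """Return True if any Deny statement in the policy matches a PutObject
    request that set x-amz-acl to `request_acl` (None when the header is absent).
    An explicit Deny always wins in IAM evaluation, so this is enough to decide
    whether the cross-account upload is blocked.
    """
    for statement in policy["Statement"]:
        actions = statement["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if statement["Effect"] != "Deny" or "s3:PutObject" not in actions:
            continue
        if _condition_matches(statement.get("Condition", {}), request_acl):
            return True
    return False


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET)
    print(policy_json(BUCKET))
    # Constructed sample requests: no --acl, a different canned ACL, and the required one.
    for acl in (None, "private", REQUIRED_ACL):
        verdict = "DENIED" if put_is_denied(policy, acl) else "allowed by this statement"
        print(f"PutObject with x-amz-acl={acl!r}: {verdict}")
```

Only uploads that set `--acl bucket-owner-full-control` pass the Deny statement; an upload that omits the ACL or uses another canned ACL is refused before the object is written, so the bucket owner never ends up with an object it cannot read or delete.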
