S3 bucket access from the same and another AWS account

22 thoughts on “S3 bucket access from the same and another AWS account

  1. Nice clear article describing the multiple S3 access approaches that AWS documentation sometimes doesn’t explain very well. To kick it up a notch, you might want to publish an update to this post describing how to provision similar cross-account access when the bucket is also encrypted with a KMS customer managed key.

  2. Thank you for this write-up. The AWS docs are a mess with regards to this topic and obfuscate more than educate. This helped me setup cross-account access for an external team and was really helpful when it cam to debugging put failures.

  3. Thank you for this clear article!
    How is alice in Account B able to access mountains1.jpg, which is owned by bob in Account A? Wouldn’t the default ACL prevent alice from reading it?

    1. Hi Yosef. The access is granted via the bucket policy which specifies a Principal of all users in the account in which Alice resides. The default ACL doesn’t prevent this access.

  4. This is the first article that was easy to follow, so many get bogged down in details or just have confusing examples or examples that don’t go deep enough. You covered all bases here sir… Bravo!
    I shall be sending my apprentices to this site as a good basis for some AWS IAM theory

  5. Hi again,
    I’m dig diving the topic.

    Regarding the use of --acl bucket-owner-full-control:
    It’s interesting to note that using this option doesn’t tranfer the objet ownership to the AWS Account that own the Bucket, it only add additional ACLs for the Account that own the Bucket.
    You can configure S3 Bucket Ownership at the Bucket level (S3 > Your Bucket > Permissions > Edit Bucket Ownership > Define ‘Bucket owner preferred’.
    By changing this option, the object Ownership is transferred to the AWS Account where reside the Bucket BUT users from others AWS Account are still able to put objects without specifying --acl bucket-owner-full-control.
    You can also enforce them to do it by defining this additionnal statement in the resource based policy configured on your bucket:

    "Condition": {
        "StringEquals": {
            "s3:x-amz-acl": "bucket-owner-full-control"
        }
    }
    

    You can refer to the AWS documentation for more details. https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html

  6. Thank you for sharing your knowledge.
    Really clear explanation, now I know that when setting up a cross account access for a user, a bucket policy is not enough ;).

    1. You may also add the access to a bucket using a S3 Access Point.
      Delegating to the access point the bucket permission is also interesting.

      1. Hi,

        Yes, it have been implemented by our Cloud provider to provide me a write access to a
        bucket that reside in a prod account. The bucket was also accessed by a RDS SQL Server instance to perform native restore operations (not via an access point this time).

        From my point of view, using a role (switch role) is the most simple solution to not care about the file ownership but there is no magic answer as always it depend on the use case 🙂

  7. Nice precise explanation…It would be be great if you can create AWS tutorials or cover other topics as well. Thanks.

      1. FYI using STS to assume a role to access an S3 bucket in another account has now been included in this article. Thanks again for the suggestion.

Leave a Reply to Vitalie Cancel reply

Your email address will not be published. Required fields are marked *

Scroll to top