Granting S3 access in both root and child account via roles

We have a primary AWS account and a subsidiary account for a different application named 'prod'. To grant IAM users complete access to all S3 buckets in both accounts, I've established a role in the 'prod' account with these policies:

  • AmazonS3FullAccess (AWS Managed Policy)
  • An inline policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": "*"
            }
        ]
    }

Additionally, I configured the trust relationship for this role to allow users from the primary account to access the buckets in the 'prod' account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<root_account_id>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}

In the primary account, I attached the following policy to the users via a Group:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::<prod_account_id>:role/ProdS3FullAccessRole"
            ]
        }
    ]
}

This group also includes policies for MFA and IAM password changes.

Despite these settings, when users try to download files from a bucket in the primary account using their Access Key and Secret Access Key, they receive an "Access Denied" error. I have verified that there are no 'Deny' statements or bucket-level policies obstructing access. I'm struggling to pinpoint the error in the setup.

1 Answer
Accepted Answer

It sounds like you've set up everything correctly with the roles and policies to allow IAM users from your primary AWS account to access S3 buckets in both the primary and 'prod' subsidiary accounts. However, the "Access Denied" error could be due to several reasons. One possibility is the role assumption process: ensure that the IAM users are correctly assuming the 'ProdS3FullAccessRole' when trying to access S3. Also, check if the IAM role permissions are properly propagated; sometimes changes might take a few minutes. Additionally, make sure that the MFA and IAM password policies are not interfering with the role assumption. If these checks still don't resolve the issue, you might want to double-check that the S3 bucket policies or any Service Control Policies (SCPs) applied at the organizational level aren't inadvertently restricting access.

answered 24 days ago
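As an added example (not part of the question or the answer above), the script below replays the three policy documents from the question offline against the requests involved: a group user calling s3:GetObject on a primary-account bucket directly, the sts:AssumeRole into the 'prod' role with and without an MFA-authenticated session, and an S3 read made with the assumed role. It is a deliberately small model of IAM evaluation (explicit Allow/Deny, `*`/`?` wildcards, the `Bool` condition operator, and the account-`root` principal form), not the AWS evaluator; the account ids, bucket names and object keys are constructed placeholders.

```python
"""Offline replay of the IAM policies from the question (simplified model, not AWS's evaluator)."""
import fnmatch

# Constructed placeholder account ids; the page only shows <root_account_id> / <prod_account_id>.
ROOT_ACCOUNT_ID = "111111111111"
PROD_ACCOUNT_ID = "222222222222"
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT_ID}:role/ProdS3FullAccessRole"

# Identity policy attached via the group in the primary account (copied from the question).
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [ROLE_ARN]}
    ],
}

# Inline policy on the role in 'prod' (copied from the question; AmazonS3FullAccess grants the same s3:*).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Trust policy on the role (copied from the question).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ROOT_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards '*' and '?'; fnmatchcase keeps the comparison case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only the Bool operator is modelled, which is all the trust policy above uses.
    # A key absent from the request context makes a Bool condition false.
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def _principal_matches(principal, caller_account):
    # "arn:aws:iam::<account>:root" in a trust policy means any IAM identity of that account.
    for arn in _as_list(principal.get("AWS", [])):
        if arn == "*" or arn.split(":")[4] == caller_account:
            return True
    return False


def evaluate(policy, action, resource, context=None, caller_account=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request against one policy."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if "Resource" in stmt and not _matches(stmt["Resource"], resource):
            continue
        if "Principal" in stmt and not _principal_matches(stmt["Principal"], caller_account):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def user_reads_primary_bucket():
    """The failing request from the question: a group user calling GetObject in the primary account."""
    return evaluate(GROUP_POLICY, "s3:GetObject", "arn:aws:s3:::primary-bucket/report.csv")


def user_can_assume_prod_role(mfa_present):
    """Cross-account AssumeRole needs both the caller's identity policy and the role's trust policy."""
    ctx = {"aws:MultiFactorAuthPresent": mfa_present}
    identity = evaluate(GROUP_POLICY, "sts:AssumeRole", ROLE_ARN)
    trust = evaluate(TRUST_POLICY, "sts:AssumeRole", ROLE_ARN, ctx, caller_account=ROOT_ACCOUNT_ID)
    return identity == "Allow" and trust == "Allow"


def assumed_role_reads_prod_bucket():
    """Once the role is assumed, its inline policy governs S3 calls in the 'prod' account."""
    return evaluate(ROLE_POLICY, "s3:GetObject", "arn:aws:s3:::prod-bucket/report.csv")


if __name__ == "__main__":
    print("user -> primary bucket :", user_reads_primary_bucket())       # ImplicitDeny
    print("assume role, no MFA    :", user_can_assume_prod_role(False))  # False
    print("assume role, with MFA  :", user_can_assume_prod_role(True))   # True
    print("assumed role -> prod   :", assumed_role_reads_prod_bucket())  # Allow
```

Two things the replay makes visible: the group policy in the primary account grants only `sts:AssumeRole`, so by itself it yields no Allow for `s3:GetObject` on a primary-account bucket (the S3 permissions in the question live on the role in 'prod'), and the trust policy's `aws:MultiFactorAuthPresent` condition is only satisfied when the AssumeRole call is made from an MFA-authenticated session; long-term access keys used directly do not carry that key. On a live account the equivalent checks are `aws sts get-caller-identity` (which identity the keys really belong to), `aws iam simulate-principal-policy --policy-source-arn <user arn> --action-names s3:GetObject --resource-arns <object arn>`, and `aws sts assume-role --role-arn <role arn> --role-session-name <name> --serial-number <mfa device arn> --token-code <code>` to confirm the role can be assumed with MFA.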
