Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Access S3 bucket from other account from EC2 instance without bucket policy

0

Hi Team,

Please let us know is there a way to access S3 bucket in Account B from EC2 instance in Account A without using bucket policy.

Regards, Rajesh B

Themen
SpeicherKalkulation
Tags
Amazon Simple Storage ServiceAmazon EC2
Sprache
English
Rajesh Khanna B
gefragt vor 10 Monaten346 Aufrufe
2 Antworten
3
Akzeptierte Antwort

Yes, you can do that by IAM policies and resource-based ACLs or If that s3 bucket is public then also bucket policy would not be required. When I say public, depending on your use case, whether it's granted public access for read or write or both.

Please refer IAM policies and resource-based ACLs at cross account s3 bucket access.

But if either of these two options is not appropriate/feasible for use case, then answer would be no, you'll have to add bucket policy in Account B to allow the Account A EC2 Instance profile role. Also note that, ACLs are discouraged over bucket policy but if your use case has a requirement not to use bucket policy at all, then ACL is an option.

Also, note that cross account s3 access is only possible with SSE-S3 or SSE-KMS CMK, if bucket in account B is encrypted using AWS managed key SSE-KMS(aws/s3) then cross account s3 bucket access is not possible. Reason being AWS managed key(aws/s3) is unique for each account and can't be used by other account to encrypt objects.

With SSE-KMS CMK encrypted bucket, you'll have to add Account A EC2 Instance profile role in Account B KMS key policy too.

Hope you find this information helpful.

Comment here if you have additional questions, happy to help.

Abhishek

profile pictureAWS
EXPERTE
secondabhi_aws
beantwortet vor 10 Monaten
profile pictureAWS
EXPERTE
iBehr
überprüft vor 9 Monaten
  • Gary Mclean EXPERTE
    vor 10 Monaten

    AES-256 is actually SSE-S3. aws/s3 comes into effect when using SSE-KMS where you can select aws/s3 which cant be used across accounts as you cant change the policy on this Key as its tide to the caller account.

0

Hi

What you can do is, from your EC2 instance, assume a IAM Role cross-account, then use the credentials from this role assumption to access the S3 bucket. You can check this article on how to setup cross account role assumption.

profile picture
EXPERTE
JimmyDqv
beantwortet vor 10 Monaten
  • Rajesh Khanna B
    vor 10 Monaten

    Hi JimmyDqv,

    i followed the assume role way. But it is throwing access denied error. When i added below in .aws/config then it worked when i tried aws s3 ls

    [profile s3access] role_arn = arn:aws:iam::123456789012:role/my_role

    credential_source = Ec2InstanceMetadata

    Please let me know if there is any alternative way without passing details in .aws/config for programmatic access.

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt