I have an AWS Identity and Access Management (IAM) entity and an Amazon Simple Storage Service (Amazon S3) bucket in different AWS accounts. I want to grant the IAM entity cross-account access to the bucket through an Amazon S3 access point. The access point is restricted to an Amazon Virtual Private Cloud (Amazon VPC).
Short description
You can grant an IAM role or user in one AWS account access to an Amazon S3 bucket in another AWS account through an S3 access point that's restricted to an Amazon VPC.
Suppose the IAM entity is in Account A and the S3 bucket is in Account B. To grant the IAM entity access to the bucket through an S3 access point that's restricted to an Amazon VPC, complete the following steps:
- Create and attach an Amazon S3 access point to the bucket in Account B.
- Create an Amazon S3 VPC gateway endpoint in Account A.
- Attach policies to the access point, bucket, and IAM entity.
Note: The IAM identity in Account A must be in the same AWS Region as the S3 bucket in Account B.
Resolution
Create and attach an Amazon S3 access point to the bucket in Account B
To create and attach an Amazon S3 access point to the bucket in Account B, complete the following steps:
- Open the Amazon S3 console.
- In the navigation pane, choose Access Points.
- Choose Create access point.
- For Access point name, enter the name for the access point. For more information on how to name access points, see Rules for naming Amazon S3 access points.
- For Bucket name, choose Choose a bucket in this account, and then enter the bucket name that you want to attach the access point to.
- For Network origin, choose Virtual private cloud (VPC).
- For VPC ID, enter the VPC ID from the other AWS account (Account A).
- Under Block Public Access settings for this Access Point, choose the block public access settings that you want to apply to the access point.
Note: After you create an access point, you can't change its block public access settings.
- Leave Access Point policy blank.
- Choose Create access point.
Create an Amazon S3 VPC gateway endpoint in Account A
To create an S3 VPC gateway endpoint in Account A that grants access to the Amazon S3 bucket in Account B, complete the following steps:
- Open the Amazon VPC console.
- In the navigation pane, choose Endpoints.
- Choose Create endpoint.
- For Service category, choose AWS services.
- For Services, add the filter Type = Gateway and select com.amazonaws.<region>.s3.
- For VPC, select the VPC that you used to create the access point in Account B.
- For Route tables, choose the route tables that you need your endpoint to use.
- For Policy, select Full access to allow all operations by all principals on all resources over the VPC endpoint. Or, select Custom and use your own policy that permits the required S3 actions.
For example, the following VPC endpoint policy permits all S3 actions to all buckets:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:*"
    }
  ]
}
Note: Gateway endpoints don't allow access from other AWS Regions.
Attach policies to the access point, bucket, and IAM entity
To grant the IAM entity in Account A access to the bucket in Account B through the access point, you must attach policies to the following:
- The access point
- The S3 bucket
- The IAM entity
Access point policy
To grant the IAM entity in Account A permission to the S3 access point in Account B, attach the following policy to your access point:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegateControlToAccessPoint",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::AccountA-ID:user/user1",
          "arn:aws:iam::AccountA-ID:role/role01"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:us-east-2:AccountB-ID:accesspoint/my-access-point/object/*",
        "arn:aws:s3:us-east-2:AccountB-ID:accesspoint/my-access-point"
      ]
    }
  ]
}
Bucket policy
To grant the IAM entity in Account A permission to the bucket in Account B through the access point, attach the following policy to your bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::AccountA-ID:user/user1",
          "arn:aws:iam::AccountA-ID:role/role01"
        ]
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:DataAccessPointArn": "arn:aws:s3:us-east-2:AccountB-ID:accesspoint/my-access-point"
        }
      }
    }
  ]
}
IAM policy
To grant the IAM entity in Account A permission to the bucket and access point in Account B, attach the following policy to your IAM entity:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountAccessToBucketAndAP",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:us-east-2:AccountB-ID:accesspoint/my-access-point",
        "arn:aws:s3:us-east-2:AccountB-ID:accesspoint/my-access-point/object/*",
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
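All three policies above must agree on the same access point ARN, the same bucket and the same principals; a request through the access point is evaluated against the access point policy, the bucket policy (via its s3:DataAccessPointArn condition) and the identity-based policy, and a mismatch in any one of them produces a plain AccessDenied that is hard to trace back. The following Python script is an added example, not AWS documentation code: it loads the three documents (the sample policies embedded below are constructed from the article's examples, with AccountA-ID, AccountB-ID, my-bucket and my-access-point as placeholders) and reports every inconsistency before you attach them. The file-based variant takes the same JSON files you would pass to the AWS CLI as file://policy.json.

```python
"""Consistency check for the three policies that grant cross-account access
through a VPC-restricted S3 access point. Added example (not AWS code); the
account IDs, bucket and access point names are placeholders from the article."""
import copy
import json
import re

AP_ARN = "arn:aws:s3:us-east-2:AccountB-ID:accesspoint/my-access-point"
BUCKET = "my-bucket"
PRINCIPALS = [
    "arn:aws:iam::AccountA-ID:user/user1",
    "arn:aws:iam::AccountA-ID:role/role01",
]
ACTIONS = ["s3:ListBucket", "s3:PutObject", "s3:GetObject"]

# Constructed sample documents mirroring the three policies in the article.
AP_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DelegateControlToAccessPoint", "Effect": "Allow",
    "Principal": {"AWS": PRINCIPALS}, "Action": ACTIONS,
    "Resource": [AP_ARN + "/object/*", AP_ARN]}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCrossAccountAccess", "Effect": "Allow",
    "Principal": {"AWS": PRINCIPALS}, "Action": ACTIONS,
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    "Condition": {"StringEquals": {"s3:DataAccessPointArn": AP_ARN}}}]}
IAM_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCrossAccountAccessToBucketAndAP", "Effect": "Allow",
    "Action": ACTIONS,
    "Resource": [AP_ARN, AP_ARN + "/object/*",
                 f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}

# Access point ARN, optionally followed by /object/<key pattern>.
AP_ARN_RE = re.compile(r"^arn:aws:s3:[a-z0-9-]+:[^:]+:accesspoint/[a-z0-9-]+(?:/object/.*)?$")
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject"}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def allow_statements(policy):
    """Yield the Allow statements of a policy document with Action, Resource and
    Principal.AWS normalised to lists (IAM accepts a bare string for each)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        yield {"actions": _as_list(stmt.get("Action")),
               "resources": _as_list(stmt.get("Resource")),
               "principals": _as_list(aws),
               "condition": stmt.get("Condition", {})}


def check_policies(ap_policy, bucket_policy, iam_policy, ap_arn, bucket):
    """Return a list of human-readable findings; an empty list means the three
    documents agree on the access point, the bucket and the principals."""
    findings = []
    bucket_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}

    # Access point policy: every resource must be this access point (or its
    # objects); object actions need the /object/* resource, not the bare ARN.
    ap_principals = set()
    for s in allow_statements(ap_policy):
        ap_principals.update(s["principals"])
        for r in s["resources"]:
            if not AP_ARN_RE.match(r) or r.split("/object/")[0] != ap_arn:
                findings.append(f"access point policy: resource {r!r} is not {ap_arn!r}")
        if OBJECT_ACTIONS & set(s["actions"]) and not any("/object/" in r for r in s["resources"]):
            findings.append("access point policy: object actions granted without a /object/* resource")

    # Bucket policy: must cover this bucket only and delegate to exactly this
    # access point through the s3:DataAccessPointArn condition.
    bucket_principals = set()
    for s in allow_statements(bucket_policy):
        bucket_principals.update(s["principals"])
        if not set(s["resources"]) <= bucket_arns:
            findings.append(f"bucket policy: resources {s['resources']} are not all on bucket {bucket!r}")
        delegated = s["condition"].get("StringEquals", {}).get("s3:DataAccessPointArn")
        if delegated != ap_arn:
            findings.append(f"bucket policy: s3:DataAccessPointArn is {delegated!r}, expected {ap_arn!r}")

    # Both resource policies must allow a principal, so anything the access
    # point trusts but the bucket does not is a dead grant.
    if "*" not in bucket_principals:
        for p in sorted(ap_principals - bucket_principals):
            findings.append(f"bucket policy: principal {p!r} is allowed by the access point policy but not here")

    # Identity-based policy: must name both the access point ARNs and the
    # bucket ARNs, since the request is evaluated against both.
    iam_resources = {r for s in allow_statements(iam_policy) for r in s["resources"]}
    for needed in sorted(bucket_arns | {ap_arn, ap_arn + "/object/*"}):
        if needed not in iam_resources:
            findings.append(f"IAM policy: missing resource {needed!r}")
    return findings


def check_policy_files(ap_path, bucket_path, iam_path, ap_arn, bucket):
    """Same check over the JSON files you would pass to the AWS CLI as file://..."""
    docs = []
    for path in (ap_path, bucket_path, iam_path):
        with open(path, encoding="utf-8") as fh:
            docs.append(json.load(fh))
    return check_policies(*docs, ap_arn, bucket)


def findings_for_typo():
    """A misspelt access point name in the access point policy is accepted by
    the API but yields AccessDenied at request time; the checker flags it."""
    broken = copy.deepcopy(AP_POLICY)
    broken["Statement"][0]["Resource"][0] = AP_ARN.replace("my-access-point", "my-acess-point") + "/object/*"
    return check_policies(broken, BUCKET_POLICY, IAM_POLICY, AP_ARN, BUCKET)


if __name__ == "__main__":
    print("consistent set:", check_policies(AP_POLICY, BUCKET_POLICY, IAM_POLICY, AP_ARN, BUCKET))
    print("misspelt access point:", findings_for_typo())
```

Run it once with the documents you intend to attach; the correct set prints an empty list, and a single misspelt access point name (as in findings_for_typo) produces exactly one finding naming the offending resource. The checker deliberately treats any missing s3:DataAccessPointArn condition as a finding, because a bucket policy without it grants the principals direct access to the bucket, bypassing the VPC restriction that the access point enforces.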
AWS CLI example commands to perform S3 operations on the bucket through the access point
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
To list the objects through the access point, run the ls command:
aws s3 ls arn:aws:s3:us-east-2:AccountB-ID:accesspoint/my-access-point
To upload files through the access point, run the cp command:
aws s3 cp file.txt s3://arn:aws:s3:us-east-2:AccountB-ID:accesspoint/my-access-point
You can also use the cp command to download files through the access point:
aws s3 cp s3://arn:aws:s3:us-east-2:AccountB-ID:accesspoint/my-access-point file.txt
Note: The request must originate from an Amazon Elastic Compute Cloud (Amazon EC2) instance that's in the same VPC and the same Region as the bucket.