You need to make sure of the following points:

Account A's S3 bucket must be SSE-KMS CMK or SSE-S3 encrypted; it should not have SSE-KMS (aws/s3) encryption enabled, as otherwise the Account B role won't be able to access the Account A bucket key (aws/s3) and bucket access would fail. The SSE-KMS (aws/s3) key is an AWS managed key and is unique for each account; it doesn't allow you to add a resource policy granting another account access. Hence the Account A bucket must be SSE-KMS CMK or SSE-S3 encrypted. I'd suggest you have the Account A S3 bucket SSE-KMS CMK encrypted and then follow the next steps.

Account B:
- Role GlueaccesstoS3 has access to the Account A S3 bucket
- Role GlueaccesstoS3 has access to the Account A S3 bucket KMS key (if this bucket is SSE-KMS CMK encrypted)

Account A:
- S3 bucket policy should allow Account B role GlueaccesstoS3 the required permissions (GET/PUT etc.) based on your exact requirement
- S3 bucket KMS key policy should allow Account B role GlueaccesstoS3 the required permissions (Encrypt, Decrypt, GenerateDataKey)
Hope you find this information helpful.
Comment here if you have additional questions, happy to help.
Abhishek
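One way to check the settings listed in the answer above before touching the console, as an added example that is not part of the original thread and not an AWS tool: a small offline Python evaluator run over constructed sample policies. The account IDs, bucket name, region and key ID are placeholders; the role name GlueaccesstoS3 comes from the thread. The evaluator is deliberately simplified (Allow statements only; no Condition, Deny, NotAction or NotPrincipal handling), so treat it as a pre-flight sanity check rather than a replacement for the IAM policy simulator.

```python
"""Offline check of the cross-account S3 + KMS settings from the answer above.

All policies and encryption configs below are constructed samples; nothing calls AWS.
"""
from fnmatch import fnmatchcase

# Constructed placeholders: Account A owns the bucket and CMK, Account B owns the Glue role.
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
REGION = "us-east-1"
BUCKET = "example-account-a-bucket"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/GlueaccesstoS3"
CMK_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_A}:key/11111111-2222-3333-4444-555555555555"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/*"

S3_ACTIONS = ("s3:GetObject", "s3:PutObject")
KMS_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey")

# Shaped like the output of `aws s3api get-bucket-encryption` (constructed).
ENCRYPTION_CMK = {"Rules": [{"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": CMK_ARN}, "BucketKeyEnabled": True}]}
ENCRYPTION_AWS_MANAGED = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}
ENCRYPTION_SSE_S3 = {"Rules": [{"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "AES256"}, "BucketKeyEnabled": True}]}

# Account A: bucket policy and CMK key policy granting the Account B role (constructed).
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAccountBGlueRole", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": OBJECT_ARN}]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableRootPermissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowAccountBGlueRole", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}]}

# Account B: identity policy attached to role GlueaccesstoS3 (constructed).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": OBJECT_ARN},
    {"Effect": "Allow", "Action": list(KMS_ACTIONS), "Resource": CMK_ARN}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def classify_encryption(config):
    """Return SSE-S3, SSE-KMS-CMK or SSE-KMS-AWS-MANAGED for a default-encryption rule."""
    rule = config["Rules"][0]["ApplyServerSideEncryptionByDefault"]
    if rule["SSEAlgorithm"] == "AES256":
        return "SSE-S3"
    key_id = rule.get("KMSMasterKeyID", "")
    # aws:kms with no key id, or the aws/s3 alias, means the AWS managed key the thread warns about
    if not key_id or key_id.endswith("alias/aws/s3"):
        return "SSE-KMS-AWS-MANAGED"
    return "SSE-KMS-CMK"


def _principal_matches(statement, principal_arn):
    if "Principal" not in statement:  # identity policy: no Principal element
        return True
    principal = statement["Principal"]
    if principal == "*":
        return True
    account_root = "arn:aws:iam::" + principal_arn.split(":")[4] + ":root"
    # naming the account root delegates to principals in that account that also hold identity permission
    return any(p in ("*", principal_arn, account_root) for p in _as_list(principal.get("AWS", [])))


def policy_allows(policy, principal_arn, action, resource):
    """Simplified evaluator: Allow statements only, wildcard Action/Resource, no Condition or Deny."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or not _principal_matches(stmt, principal_arn):
            continue
        actions_ok = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", [])))
        resources_ok = any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
        if actions_ok and resources_ok:
            return True
    return False


def check_cross_account_access(encryption, bucket_policy, key_policy, role_policy):
    """Return (encryption mode, list of findings); an empty list means every listed point is satisfied."""
    findings = []
    mode = classify_encryption(encryption)
    if mode == "SSE-KMS-AWS-MANAGED":
        findings.append("bucket default encryption uses the AWS managed aws/s3 key, which cannot be shared with Account B")
    for action in S3_ACTIONS:
        if not policy_allows(bucket_policy, ROLE_ARN, action, OBJECT_ARN):
            findings.append(f"Account A bucket policy does not allow {action} for {ROLE_ARN}")
        if not policy_allows(role_policy, ROLE_ARN, action, OBJECT_ARN):
            findings.append(f"Account B role policy does not allow {action} on {OBJECT_ARN}")
    if mode == "SSE-KMS-CMK":  # key grants only matter when a CMK is in play
        for action in KMS_ACTIONS:
            if not policy_allows(key_policy, ROLE_ARN, action, CMK_ARN):
                findings.append(f"Account A key policy does not allow {action} for {ROLE_ARN}")
            if not policy_allows(role_policy, ROLE_ARN, action, CMK_ARN):
                findings.append(f"Account B role policy does not allow {action} on {CMK_ARN}")
    return mode, findings


if __name__ == "__main__":
    for label, enc in (("CMK", ENCRYPTION_CMK), ("aws/s3", ENCRYPTION_AWS_MANAGED), ("SSE-S3", ENCRYPTION_SSE_S3)):
        mode, findings = check_cross_account_access(enc, BUCKET_POLICY, KEY_POLICY, ROLE_POLICY)
        print(f"{label}: {mode} -> {findings or 'OK'}")
```

Running it shows the three cases from the thread side by side: the CMK and SSE-S3 configurations pass with the sample policies, while the aws/s3 configuration is flagged even though the bucket and role policies are correct, because no policy on either side can grant another account use of that key. Feed it your own `get-bucket-encryption`, `get-bucket-policy`, `get-key-policy` and role policy JSON to see which of the listed points is missing.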
Thanks @secondabhi_aws for your reply. As of now, my bucket in Account A is set to "Server-side encryption with Amazon S3 managed keys (SSE-S3)" with Bucket Key enabled. Please find the attached screenshot for your reference.
Do I need to make any changes here?
Just commented above if you want to keep SSE-S3 encryption for the bucket.
SSE-S3 works for cross-account S3 access; with this you need to update the bucket policy to allow the Account B role GetObject, PutObject etc. based on your exact requirement. You can refer to this re:Post Knowledge Center article.
Hi Gurpreet, were you able to pass the issue?