Permission issues to access s3 bucket shared by another account


Hi, I followed the section "IAM policies and resource-based bucket policies" and had account B create a policy to access the S3 bucket shared by account A (using the JSON from the same section of the URL), properly providing the ARN of account B on account A as well as the bucket name as the resource. My public access policy on account A blocks only ACLs and allows all others. Now when I try from account B to access the shared bucket from account A, I get a permission denied error. I used the IAM analyzer as well, in vain. Now I don't know where to go. Appreciate any help here, please. Here is the error:

I scoured the web and there are multiple things I came across which I tried, but in vain.

Insufficient permissions to list objects. After you or your AWS administrator has updated your permissions to allow the s3:ListBucket action, refresh the page. Learn more about Identity and access management in Amazon S3.

1 Answer

You should keep all the Block Public Access (BPA) protections enabled. When specified AWS account IDs or another specific subset of identities is granted access, it isn't "public" in the context of AWS access policies. Public access refers to access that is granted to everyone or nearly everyone in the world.

Could you share the policies you've configured? You should redact your exact bucket name and replace account IDs with all zeroes or all ones, for example, but include the non-sensitive parts of the policies.

In typical situations, if your S3 bucket is using the default encryption option of SSE-S3 and the object ownership setting is set to "object owner enforced", you'll need to grant the following permissions both in the policies attached to the IAM role/user in account A and in the bucket policy in account B:

  • to the bucket ARN (such as arn:aws:s3:::my-bucket-name)
    • s3:GetBucketLocation
    • s3:ListBucket
  • to object ARNs (such as arn:aws:s3:::my-bucket-name/*, with the /* at the end)
    • s3:GetObject for read access
    • s3:PutObject for write access
    • s3:DeleteObject to delete objects
    • sometimes additionally
      • s3:GetObjectVersion for reading specific object versions
      • s3:PutObjectAcl for uploading objects and specifying old-fashioned ACL-based permissions for the object
EXPERT
answered a month ago
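The two policy documents the answer above describes, written out as an added example (this is not code from the original post or from AWS): a resource-based bucket policy in the bucket-owning account naming the caller's role, and a matching identity-based policy on that role in the calling account, both splitting bucket-level actions onto the bucket ARN and object-level actions onto the `/*` ARN. A small checker reports which required actions a policy document still lacks, which is a quick way to spot the pattern behind the "s3:ListBucket" console error in the question. The bucket name, account ID and role name are placeholders, and the checker is a deliberate simplification of IAM evaluation (no Deny, NotAction or Condition handling, exact-string resource matching).

```python
"""Added example (not from the original post): cross-account S3 policy documents
plus a checker for missing actions. Identifiers below are placeholders."""
import fnmatch
import json

# Placeholder identifiers (assumptions for this example, not from the post).
BUCKET = "my-bucket-name"
CALLER_ROLE_ARN = "arn:aws:iam::111111111111:role/cross-account-reader"

BUCKET_LEVEL_ACTIONS = ("s3:GetBucketLocation", "s3:ListBucket")
OBJECT_READ_ACTIONS = ("s3:GetObject",)
OBJECT_WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject")


def bucket_arn(bucket):
    return f"arn:aws:s3:::{bucket}"


def object_arn(bucket):
    # Object-level actions need the trailing /* ; the bare bucket ARN does not cover objects.
    return f"arn:aws:s3:::{bucket}/*"


def _required(bucket, write):
    """Required actions keyed by the resource ARN they must be granted on."""
    object_actions = OBJECT_READ_ACTIONS + (OBJECT_WRITE_ACTIONS if write else ())
    return {bucket_arn(bucket): BUCKET_LEVEL_ACTIONS, object_arn(bucket): object_actions}


def _statements(actions_by_resource, principal=None):
    statements = []
    for resource, actions in actions_by_resource.items():
        stmt = {"Effect": "Allow", "Action": list(actions), "Resource": resource}
        if principal is not None:  # only resource-based policies carry a Principal
            stmt["Principal"] = {"AWS": principal}
        statements.append(stmt)
    return statements


def build_bucket_policy(bucket, caller_arn, write=False):
    """Resource-based policy attached to the bucket in the bucket-owning account."""
    return {"Version": "2012-10-17",
            "Statement": _statements(_required(bucket, write), principal=caller_arn)}


def build_identity_policy(bucket, write=False):
    """Identity-based policy attached to the calling role/user in the other account."""
    return {"Version": "2012-10-17",
            "Statement": _statements(_required(bucket, write))}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, resource, wanted):
    """Subset of `wanted` that some Allow statement grants on `resource`.
    Simplified: exact-string resource match (or "*"), wildcard action patterns
    such as s3:Get* via fnmatch, and no handling of Deny, NotAction or Condition."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        if resource not in resources and "*" not in resources:
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            granted.update(a for a in wanted if fnmatch.fnmatchcase(a, pattern))
    return granted


def missing_actions(policy, bucket, write=False):
    """Map of resource ARN -> sorted actions the policy still lacks; {} when complete."""
    missing = {}
    for resource, actions in _required(bucket, write).items():
        gap = set(actions) - allowed_actions(policy, resource, actions)
        if gap:
            missing[resource] = sorted(gap)
    return missing


# Constructed "broken" policy: object access only, nothing granted on the bucket ARN
# itself, so listing the bucket fails even though individual objects are readable.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": object_arn(BUCKET)}],
}

if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(BUCKET, CALLER_ROLE_ARN), indent=2))
    print(json.dumps(build_identity_policy(BUCKET), indent=2))
    print("broken policy lacks:", missing_actions(BROKEN_POLICY, BUCKET))
```

Both documents have to grant the same actions: in a cross-account call the bucket policy and the caller's identity policy are evaluated together, and an action missing from either side is denied. Running the checker over a policy that only covers `arn:aws:s3:::my-bucket-name/*` reports that `s3:GetBucketLocation` and `s3:ListBucket` are missing on the bucket ARN, which is exactly the listing failure the console reports.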
