I have been working with AWS for a number of years, but I am not very strong with some of the advanced networking concepts.
So, we have multiple AWS accounts. None of them have public internet access, but we use Direct Connect for on-prem to AWS connection.
I have an S3 bucket in Account A. I created an IAM user in Account A along with an access/secret key and granted this IAM user s3:PutObject permission to the S3 bucket.
I write a simple Python script to list the objects in this bucket from on-prem, it works, as expected.
When I then execute the same Python script on an EC2 instance running in Account B, I get "botocore.exceptions.ClientError: An error occured (AccessDenied) when calling the ListObjects operation: Access Denied".
Do I need to create VPC endpoint for S3 in Account B? Does cross account IAM role come into play here?
Your situation is:

- Bucket-A in Account-A
- IAM User (User-A) in Account-A
- EC2 instance in Account-B, accessing Bucket-A

Assuming that the instance is able to reach Amazon S3 (which appears to be true because the error message refers to permissions, which would have come from S3), there are two ways to authenticate for access to Bucket-A:

Option 1: Using the IAM User from Account-A

When making the call from the EC2 instance to Bucket-A, use the IAM credentials created in Bucket-A. It doesn't matter that the request is coming from an Amazon EC2 instance in Account-B. In fact, Amazon S3 doesn't even know that. An API call can come from anywhere on the Internet (including your home computer or mobile phone). What matters is the set of credentials provided when making the call.

If you are using the AWS Command-Line Interface (CLI) to make the call, then you can save the User-A credentials as a profile by using aws configure --profile user_a (or any name), then entering the credentials from the IAM User in Account-A. Then, access Amazon S3 with aws s3 ls --profile user_a. Using a profile like this allows you to switch between credentials.

Option 2: Using a Bucket Policy

Amazon S3 also has the ability to specify a Bucket Policy on a bucket, which can grant access to the bucket. So, if the EC2 instance is using credentials from Account-B, you can add a Bucket Policy that grants access from those Account-B credentials.

Let's say that the Amazon EC2 instance was launched with an IAM Role called role-b, then you could use a Bucket Policy like this:

Disclaimer: All of the above assumes that you don't have any weird policies on your VPC Endpoints / Amazon S3 Access Points or however the VPCs are connecting with the Amazon S3 endpoints.
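As an added illustration of Option 2 (this is not the answerer's policy, which is not reproduced on the page), the script below builds a bucket policy for Bucket-A that grants an Account-B role both the bucket-level s3:ListBucket action (what the ListObjects call in the question needs; it is granted on the bucket ARN, not on bucket/*) and object-level Put/Get, and includes a simplified evaluator to check which principal/action/resource combinations the policy matches. The account ID and role ARN are constructed placeholders; in a real cross-account setup the role's own IAM policy in Account-B must also allow the same actions, and the evaluator ignores Conditions and IAM-side policies, so a True here is necessary but not sufficient.

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholders: substitute your own bucket name and the
# 12-digit account ID of Account-B.
BUCKET = "bucket-a"
ROLE_B_ARN = "arn:aws:iam::222222222222:role/role-b"


def build_bucket_policy(bucket, principal_arns):
    """Bucket policy granting the listed principals list + object access.

    s3:ListBucket is a bucket-level action, so it must be granted on the
    bucket ARN; Get/PutObject are object-level and need the bucket/* ARN.
    Granting only PutObject on bucket/* (as in the question) leaves a
    ListObjects call denied."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListFromAccountB",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arns},
                "Action": ["s3:ListBucket"],
                "Resource": ["arn:aws:s3:::%s" % bucket],
            },
            {
                "Sid": "AllowObjectAccessFromAccountB",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arns},
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": ["arn:aws:s3:::%s/*" % bucket],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def bucket_policy_allows(policy, principal_arn, action, resource):
    """Simplified evaluation: an explicit Deny that matches wins, otherwise
    any matching Allow grants. Conditions and the caller's own IAM policy
    are not modelled, so True is necessary, not sufficient, for access."""
    allowed = False
    for stmt in policy["Statement"]:
        principals = _as_list(stmt["Principal"].get("AWS", []))
        if not any(fnmatchcase(principal_arn, p) for p in principals):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(BUCKET, [ROLE_B_ARN]), indent=2))
```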