Give S3 Full access cross account

Question

I have two amazon accounts Account-A and Account-B. I want to give Account-B full control to all S3 related operations in Account-A for example Account-B can create/delete/list buckets belonging to Account-A.

Can you point me to how it's done? So far I was only able to find how to grant cross account access to a single S3 bucket but not to all S3 functionalities.

Answer 1

Start with the AWS doc walkthrough, then set the bucket policy as (my changes from the doc have // comments):

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "Example permissions",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::AccountB-ID:root"
         },
         "Action": [
            "s3:*", // ALL S3 actions
         ],
         "Resource": [
            "*" // ALL resources with an 's3:' operation
         ]
      }
   ]
}

Answer 2

There are two ways to assign cross-account permissions for Amazon S3:

Using Bucket Policies

• Add a Bucket Policy to each desired bucket that grants permission to the other account
• Add permissions to the desired IAM Users and IAM Roles in Account-B that allow them to access the buckets in Account-A

Note that the permissions are required in both directions.

The downside to this method is that the Bucket Policy must be applied to every bucket that you want to make available. Also, this will not work for creating new buckets since there is no bucket policy to grant access.

Using an IAM Role

• Create an IAM Role in Account-A (Role-A) that has all desired S3 permissions, and a Trust Policies that trusts Account-B
• From Account-B, call AssumeRole() on Role-A
• Use the returned credentials to manage S3 resources in Account-A

This does not require any Bucket Policies, but has the requirement to call AssumeRole().

See also: Provide cross-account access to objects in S3 buckets