
Implementing Cross-Account Access for an S3 Bucket

Introduction

Implementing cross-account access for an S3 bucket involves configuring policies that allow resources from one AWS account to access the S3 bucket in another AWS account. This is useful for scenarios where you need to share data securely between different AWS accounts.

Step-by-Step Explanation

Step 1: Create the S3 Bucket

First, create an S3 bucket in the target AWS account where the data will be stored.

Step 2: Define the Bucket Policy

Next, define a bucket policy that grants access to the AWS account that needs to access the bucket. This policy should specify the allowed actions, the resources they apply to, and the ID of the account being granted access.

Step 3: Create IAM Roles

Create IAM roles in both the source and target AWS accounts. The role in the source account should have permissions to access the S3 bucket in the target account.

Step 4: Attach Policies to IAM Roles

Attach the necessary policies to the IAM roles to ensure they have the required permissions.

Step 5: Assume Role

Configure the source account to assume the role in the target account when accessing the S3 bucket.

Summary

Implementing cross-account access for an S3 bucket involves creating the bucket, defining bucket policies, creating IAM roles, attaching policies, and configuring role assumption. This setup ensures secure and controlled access between AWS accounts.

Full Code Example

```typescript
import * as aws from "@pulumi/aws";

// Note: resources in two different AWS accounts need two aws.Provider instances
// (one per account) passed through the `provider` resource option; for brevity
// this program uses the default provider. SOURCE_ACCOUNT_ID and TARGET_ACCOUNT_ID
// are placeholders for the real 12-digit account IDs.

// Create an S3 bucket in the target AWS account
const targetBucket = new aws.s3.Bucket("targetBucket", {
    bucket: "my-cross-account-bucket",
});

// Define the bucket policy to grant access to the source AWS account.
// Granting the source account's root principal delegates the choice of which
// users or roles in that account may use the grant to that account's own IAM
// policies (see sourceRolePolicy below).
const bucketPolicy = new aws.s3.BucketPolicy("bucketPolicy", {
    bucket: targetBucket.bucket,
    policy: targetBucket.bucket.apply(bucketName => JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Principal: { AWS: "arn:aws:iam::SOURCE_ACCOUNT_ID:root" },
                Action: [
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                // Object-level actions, so the resource is the objects (bucket ARN + "/*")
                Resource: [
                    `arn:aws:s3:::${bucketName}/*`
                ]
            }
        ]
    }))
});

// Create IAM role in the source AWS account. The trust policy names the
// principal that is allowed to call sts:AssumeRole on this role.
const sourceRole = new aws.iam.Role("sourceRole", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Principal: { AWS: "arn:aws:iam::TARGET_ACCOUNT_ID:root" },
                Action: "sts:AssumeRole"
            }
        ]
    })
});

// Attach policy to the source role to allow access to the target bucket.
// For a cross-account request both this identity policy and the bucket policy
// must allow the action; the resource is derived from the bucket's ARN so the
// two policies cannot drift apart.
const sourceRolePolicy = new aws.iam.RolePolicy("sourceRolePolicy", {
    role: sourceRole.id,
    policy: targetBucket.arn.apply(bucketArn => JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Action: [
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                Resource: `${bucketArn}/*`
            }
        ]
    }))
});

// Export the bucket name
export const bucketName = targetBucket.bucket;
```
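A defender-side check to pair with the bucket policy in the program above, added here as an example that is not part of the original page or of Pulumi: it audits a bucket policy document of that shape and flags any Allow statement that grants a wildcard principal, an account outside an allowlist, a wildcard action, or a resource outside the bucket. The account ID 111111111111 and the finding strings are constructed for the example.

```typescript
// Shapes of the policy documents used on this page (a subset of the IAM policy grammar).
type PrincipalBlock = "*" | { AWS?: string | string[] };
interface Statement {
  Effect: "Allow" | "Deny";
  Principal?: PrincipalBlock;
  Action: string | string[];
  Resource: string | string[];
}
export interface PolicyDocument { Version: string; Statement: Statement[] }

function asList(v: string | string[] | undefined): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Account ID from "arn:aws:iam::123456789012:root", ":role/x" ARNs or a bare 12-digit ID.
function accountOf(principal: string): string | undefined {
  const m = /^(?:arn:aws:iam::)?(\d{12})(?::.*)?$/.exec(principal);
  return m ? m[1] : undefined;
}

// One finding per over-broad grant. An empty result means every Allow statement
// names a trusted account, lists explicit S3 actions and stays inside this bucket.
export function auditBucketPolicy(doc: PolicyDocument, bucket: string, trustedAccounts: string[]): string[] {
  const findings: string[] = [];
  const bucketArn = `arn:aws:s3:::${bucket}`;
  doc.Statement.forEach((st, i) => {
    if (st.Effect !== "Allow") return; // only Allow statements widen access
    const principals = st.Principal === "*" ? ["*"] : asList(st.Principal?.AWS);
    for (const p of principals) {
      if (p === "*") findings.push(`statement ${i}: wildcard principal (public unless a Condition narrows it)`);
      else if (!trustedAccounts.includes(accountOf(p) ?? "")) findings.push(`statement ${i}: untrusted principal ${p}`);
    }
    for (const a of asList(st.Action))
      if (a === "*" || a === "s3:*") findings.push(`statement ${i}: wildcard action ${a}`);
    for (const r of asList(st.Resource))
      if (r !== bucketArn && !r.startsWith(`${bucketArn}/`)) findings.push(`statement ${i}: resource ${r} is outside this bucket`);
  });
  return findings;
}

// Constructed sample: the page's bucket policy with a made-up source account ID.
export const pagePolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { AWS: "arn:aws:iam::111111111111:root" },
    Action: ["s3:GetObject", "s3:PutObject"],
    Resource: ["arn:aws:s3:::my-cross-account-bucket/*"],
  }],
};
```

Run it against the JSON returned by `aws s3api get-bucket-policy` to confirm the deployed policy still matches what the program intended.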
