3
votes

I want to control access to an object which is created by another AWS account. Can I do that with bucket policies? In other words, do bucket policies apply to objects that are owned by another account?

I do not have 2 AWS accounts, so I cannot test this case in action.

2
Creating multiple AWS accounts is very easy with AWS Organizations. - Matt Houser

2 Answers

2
votes

No.

The ability to grant access to objects can only be done from the Account that owns the bucket/object.

If you think about it, this makes sense -- you would not want me granting access to your objects. Only the account that owns the bucket/object can do this.
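As an added example that is not part of the answer above, the following Python function audits a bucket listing for objects whose owner differs from the bucket owner; those objects are the ones the bucket policy does not govern (unless the bucket's Object Ownership setting is BucketOwnerEnforced, which makes the bucket owner own every object). It operates on already-fetched responses in the shape boto3 returns from get_bucket_acl and list_objects_v2(FetchOwner=True); the canonical IDs and keys are constructed placeholders.

```python
"""Find objects in an S3 listing that are not owned by the bucket-owning account.

Such objects are outside the reach of the bucket policy, so a defender auditing
cross-account access should know they exist. Works on parsed API responses so it
runs offline; the boto3 wiring in fetch_inputs() is only illustrative.
"""
from typing import Dict, List


def foreign_owned_keys(bucket_acl: Dict, listing_pages: List[Dict]) -> List[Dict]:
    """Return [{'Key': ..., 'OwnerID': ...}] for objects not owned by the bucket owner."""
    bucket_owner = bucket_acl["Owner"]["ID"]
    findings = []
    for page in listing_pages:
        for obj in page.get("Contents", []):
            owner = obj.get("Owner", {}).get("ID")
            if owner is None:
                # Owner is only present when the listing was requested with FetchOwner=True.
                raise ValueError(f"no Owner on {obj['Key']}; list with FetchOwner=True")
            if owner != bucket_owner:
                findings.append({"Key": obj["Key"], "OwnerID": owner})
    return findings


def fetch_inputs(bucket: str):
    """Illustrative live wiring (assumes boto3 is installed and credentials are configured)."""
    import boto3  # imported here so the offline sample below does not need boto3
    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket)
    pages = s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, FetchOwner=True)
    return acl, list(pages)


# Constructed sample responses; the canonical IDs are placeholders, not real accounts.
SAMPLE_ACL = {"Owner": {"ID": "OWNER_A_CANONICAL_ID", "DisplayName": "account-a"}, "Grants": []}
SAMPLE_PAGES = [
    {"Contents": [
        {"Key": "reports/q1.csv", "Owner": {"ID": "OWNER_A_CANONICAL_ID"}},
        {"Key": "uploads/from-b.bin", "Owner": {"ID": "OWNER_B_CANONICAL_ID"}},
    ]},
    {"Contents": [
        {"Key": "uploads/also-b.bin", "Owner": {"ID": "OWNER_B_CANONICAL_ID"}},
    ]},
]

if __name__ == "__main__":
    for f in foreign_owned_keys(SAMPLE_ACL, SAMPLE_PAGES):
        print(f"{f['Key']} is owned by {f['OwnerID']}: the bucket policy does not govern it")
```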

-1
votes

Yes, you can, by creating a policy. Please find a sample policy below:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "Example permissions",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::AccountB-ID:root"
         },
         "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket"
         ],
         "Resource": [
            "arn:aws:s3:::examplebucket"
         ]
      }
   ]
}

You can do it through the AWS console, CLI or API. Please find a CLI sample below:

aws s3 ls s3://examplebucket --profile AccountBadmin
aws s3api get-bucket-location --bucket examplebucket --profile AccountBadmin

Please read the documentation here for more details.