
Looking into sharing data from our S3 bucket with our external partner. Going to set up an AWS Role in our VPC and share that with our external partner. Their access from their system would assume the AWS role created in our account and access the bucket. The data in our S3 bucket is encrypted at rest...

Say the external vendor, after assuming the role, copies the data from our S3 bucket to their staging environment... how do we ensure that the data in transit will also be encrypted?

Our S3 data is using the default SSE-S3 AES256 encryption.


1 Answer


You should do a couple of things here:

  1. use cross-account roles to allow them to get temporary credentials
  2. use an S3 bucket policy that blocks access over insecure channels using aws:SecureTransport (see below)

Note: this will not stop them from doing a couple of things that you probably want to avoid:

  1. retrieving your data from outside the AWS region, leading to egress charges for you
  2. copying the data elsewhere in an insecure way, after they download it

Example S3 bucket policy:

{
    "Version": "2012-10-17",
    "Id": "id1234",
    "Statement": [
        {
            "Sid": "sid1234",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
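To see how the two pieces of the answer fit together, here is an added example (not part of the original answer): a constructed cross-account trust policy for the role the partner assumes, the bucket policy from the answer with the deny widened from s3:GetObject to s3:* (so that listing and uploads over plaintext HTTP are refused too, which goes beyond the answer's snippet), and a small evaluator that checks whether a request context is caught by the deny. The partner account ID 111122223333 and the bucket name "mybucket" are placeholders.

```python
"""Mini evaluator for the aws:SecureTransport bucket-policy pattern (added example)."""
import fnmatch

# Constructed trust policy: lets principals in the partner account call AssumeRole.
PARTNER_ACCOUNT = "111122223333"  # placeholder, not a real account ID
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Bucket policy from the answer, widened to every S3 action and to the bucket
# ARN itself, so ListBucket and multipart uploads over HTTP are denied as well.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def denied_by_policy(policy, action, resource, secure_transport):
    """Return True if a Deny statement matches this (action, resource, TLS) context.

    Action names are matched case-insensitively, resource ARNs case-sensitively,
    mirroring how IAM treats the two fields. Only the Bool/aws:SecureTransport
    condition is modelled, which is all this policy uses.
    """
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        want = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        # No condition means the deny is unconditional; otherwise compare the flag.
        if want is None or want == str(secure_transport).lower():
            return True
    return False
```

A plaintext GetObject on an object in the bucket is denied, the same request over TLS is not, and objects in another bucket are untouched by this statement.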