I'm using the AWS console, and I have a scenario where I want to grant access to an account outside of my organization to read S3 objects in all member accounts in my organization.

I was able to enable cross-account access between my organization's master account and the third-party account, but the role applies only to the master account, and when trying to read data from a member account's S3 bucket I get access denied.

How can I create a role that will be applied to all of my organization?

1 Answer

This is not possible.

All AWS permissions apply only to one Account. It is not possible to grant multi-account access.

Some other options:

  • Create an IAM Role in each account and allow the external account to assume the roles, which will grant them permission within the target account, or
  • Add Bucket Policies to each of the target Amazon S3 buckets that grant access to the external account
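As an added example (not part of the answer above, and not AWS's own code), the two options expressed as policy documents: a per-member-account role whose trust policy names the external account and requires an ExternalId, a read-only permissions policy for that role, and the bucket-policy alternative. Account IDs, the ExternalId and the bucket names are constructed placeholders; `is_read_only` is a review helper that confirms no statement grants more than list and get.

```python
# Constructed sample values (assumptions, not from the answer); use real IDs.
EXTERNAL_ACCOUNT = "111111111111"            # third-party account outside the org
MEMBER_ACCOUNTS = ["222222222222", "333333333333"]
EXTERNAL_ID = "replace-with-a-random-secret"  # shared with the third party only
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:ListBucket"}

def trust_policy(external_account: str, external_id: str) -> dict:
    """Trust policy for the role in ONE member account; ExternalId blocks confused deputy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{external_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def read_only_s3_policy(bucket: str) -> dict:
    """Permissions policy attached to that role: list + get on one bucket only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }

def bucket_policy(bucket: str, external_account: str) -> dict:
    """Option 2: grant the external account read access on the bucket itself."""
    pol = read_only_s3_policy(bucket)
    for stmt in pol["Statement"]:
        stmt["Principal"] = {"AWS": f"arn:aws:iam::{external_account}:root"}
    return pol

def is_read_only(policy: dict) -> bool:
    """Review check: every Allow statement grants read actions only."""
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Allow" and not set(acts) <= READ_ONLY_ACTIONS:
            return False
    return True

def policies_per_member(member_accounts, external_account, external_id):
    """Option 1: one trust + permissions pair per member account (no org-wide role)."""
    return {acct: {"trust": trust_policy(external_account, external_id),
                   "permissions": read_only_s3_policy(f"data-{acct}")}
            for acct in member_accounts}
```

Each generated pair still has to be created in its own member account (IAM is per account, as the answer says); the script only produces the documents.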