IAM Role policy for cross account access to S3 bucket in a specific AWS account

2
votes

Allow access from IAM Role in AccountA to given S3 buckets only if they are present in AWS AccountB (using Account Number).

Here is my Role policy in AccountA which currently has following permission. How can I update it to only access S3 bucket in AccountB.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:Put*"
            ],
            "Resource": [
                "arn:aws:s3:::kul-my-bucket/my-dir/*"
            ]
        },
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::kul-my-bucket"
            ]
        }
    ]
}

Wondering if it is possible or should I try it differently?

Is anything similar to this possible for my case by providing the condition in the policy:

"Condition": {
                "StringLike": {
                    "aws:accountId": [
                        "111111111111"
                    ]
                }
            }

I need this because on the S3 bucket in AccountB it allows root access to AccountA. Hence I want to put restriction on Role policy in AccountA.

1
amazon-web-servicesamazon-s3amazon-iam
Do this via a cross-account IAM role. Account B creates a role, assumable from account A or specifically assumable by the IAM user in account A, that permits access to the relevant account B buckets. An admin in account A modifies the account A IAM user's permissions to permit the IAM user to assume that specific IAM role in account B. - jarmod
Thanks for your suggestion @jarmod. This will need an additional role in Account B, is it possible to avoid it and do it just with role policy in Account A? - Kuldeep Jain
If you modify the trust relationship on the target account A role to include the ARN of the account B IAM user, then you should not need an additional role in account B. - jarmod
Thanks, I don't follow it completely right now. So, might reach out if I have any doubt trying it out. - Kuldeep Jain

1 Answers

2
votes

I do not think it is possible to grant/deny access to an Amazon S3 bucket based on an AWS Account number. This is because Amazon S3 ARNs exclude the Account ID and instead use the unique bucket name.

You would need to grant Allow access specifically to each bucket by name.

I have seen this situation before where the requirement was to grant S3 permission to access buckets only in other accounts, but not the account owning the IAM User themselves. We could not determine a way to do this without also granting permission to access the "same account" S3 buckets.