Allow cross account access from an Amazon EC2 Instance to an Amazon S3 bucket

Question

I have two accounts let's sat A and B, and I have an S3 bucket in Account B and I want EC2 in my Account  A to access the bucket in Account B. I want to achieve this using IAM roles.

Below is the Role in Account B:

AWSTemplateFormatVersion : '2010-09-09'

 Description: 'Cross account role for S3'

 Parameters:

   AccountId:

   Type: String

   Description: Account ID of admin account (containing user to allow)

 Resources:

 CrossAccountRole:

Type: AWS::IAM::Role

Properties:

  AssumeRolePolicyDocument:

    Statement:

      - Effect: Allow

        Action: sts:AssumeRole

        Principal:

          AWS:

            - !Sub arn:aws:iam::${AccountId}:root

  Path: /

  Policies:

    - PolicyName: my-s3-delegate

      PolicyDocument:

        Statement:

          - Effect: Allow

            Action:

              - s3:ListBucket

              - s3:GetObject

            Resource: "*"

  RootInstanceProfile: 

Type: "AWS::IAM::InstanceProfile"

Properties: 

  Path: "/"

  Roles: 

      - 

        Ref: "CrossAccountRole"

After this how can I attach this to my instance which is in Account A?

Answer 1

You can simply add a bucket policy in your account B that will allow access to IAM Role used by the instance:

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Action": [

                "s3:GetObject",

                "s3:ListBucket"

            ],

            "Effect": "Allow",

            "Resource": [

                "arn:aws:s3:::my-bucket",

                "arn:aws:s3:::my-bucket/*"

            ],

            "Principal": {

                "AWS": [

                    "arn:aws:iam::ACCOUNT-A:role/my-ec2-role"

                ]

            }

        }

    ]

}

 Also, make sure that IAM Role has permission to use S3 to access the bucket:

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Effect": "Allow",

            "Action": [

                "s3:GetObject",

                "s3:ListBucket"

            ],

            "Resource": [

                "arn:aws:s3:::bucket-b",

                "arn:aws:s3:::bucket-b/*"

            ]

        }

    ]

}

Want to become AWS Expert? Come & join AWS Certification.