Look for a policy for S3 bucket that will allow all IAM roles and users from different account, to be able to download files from the bucket that is located in my AWS account.
Thanks for help
You can apply object level permissions to another account via a bucket policy.
By using the principal of the root of the account, every IAM entity in that account is able to interact with the bucket using the permissions in your bucket policy.
An example bucket policy using the root of the account is below.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB-ID:root"
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::awsexamplebucket1"
]
}
]
}
More information is available in the Bucket owner granting cross-account bucket permissions documentation
Fo that, you would need to provide a cross-account access to the objects in your buckets by giving the IAM role or user in the second Account permission to download (GET Object) objects from the needed bucket.
The following AWS post
https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/ provides details on how to define the IAM policy.
In your case, you just need the Get object permission.
Related
I've looked at some other solutions for similar questions, but here's the twist: I was given this and asked to grant s3 bucket for another account to put/get objects:
arn:aws:iam::[account number]:role/CustomerManaged/XMO-Custom-SPEG-DPM-Share-Role
I know the basics of how to change bucket policies in the JSON format. Do I need to create the JSON from this in the s3 bucket policy, or do I add this in IAM? I have seven tabs open for AWS doc pages but am getting lost in the weeds of what to do here.
In account B, which needs to access account A's bucket, set up an IAM role that includes the relevant permissions (e.g. s3:GetObject on s3://bucketa/prefix/*). For example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucketa/prefix/*"
}
]
}
In account A, which owns the bucket, add an S3 bucket policy to bucketa that gives the relevant permissions to the account B role. For example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountb:role/rolename"
},
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucketa/prefix/*"
]
}
]
}
Finally, in account B, given the relevant IAM users or roles permission to assume the account B role so that they can get cross-account access to the bucket.
Alternatively, rather then delegate permissions directly to an IAM role in account B, account A can set a principal of "AWS": "arn:aws:iam::accountb:root" in the bucket policy and this will allow account B administrators to delegate permission as they choose (see example).
For more, see How can I provide cross-account access to objects that are in Amazon S3 buckets?
It appears that your requirement is:
An IAM Role (Role-A) in Account-A wants to access...
An Amazon S3 Bucket (Bucket-B) in Account-B
You are an Administrator in Account-B
The simplest way to permit such access is to add a Bucket Policy to Bucket-B:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-A:role/CustomerManaged/XMO-Custom-SPEG-DPM-Share-Role"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
]
}
This policy says:
Allow the given IAM Role
Permission to put/get objects
In this bucket
There is no need to assume roles. Simply adding this bucket policy on Bucket-B allows Role-A to access the bucket.
Oh, and Role-A also needs to be granted sufficient S3 permissions to access the bucket, which might be via generic permissions (eg s3:GetObject on a Principal of *), or it could be specific to this bucket. Basically, Account-A has to grant it permission (via IAM), AND Account-B has to grant it permission (via the bucket policy).
I'm trying to grant access to S3 bucket to other account using S3 UI:
Permissions -> Access Control List -> Access for other AWS accounts
I know canonical id for account I want to grant permissions. It is 161 char code. When I'm trying to add It I'm getting next error:
I'm pretty sure I'm using the correct ID because it says says Canonical user ID (for Amazon S3)
What is wrong?
If you wish to grant bucket access to another AWS Account, I would recommend using a Bucket Policy. This allows the user(s) in the other account to use their normal credentials to access the bucket.
Here is a sample bucket policy that grants access to a specific user in another AWS account:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Principal": {
"AWS": [
"arn:aws:iam::ACCOUNT-ID:user/foo"
]
}
}
]
}
You are probably using the wrong id. Please have a look at this document to find out how to retrieve the one that you need here: AWS account identifiers - AWS General Reference
Having that said, in most cases it would be better to not use access control list but access S3 via cross-account roles instead. To learn more, please have a look at: Provide Cross-Account Access to Objects In S3 Buckets
I have an Amazon AWS account and I'm using Amazon S3.
I'd like to give access to specific people to a Amazon S3 bucket.
Here's what I'd like to do :
Amazon AWS: Access limited to my account
Amazon S3: Access limited to my account
Bucket "website-photos": Access authorized to 3 people that will be able to read and write in the bucket through AWS management console.
Files in the bucket "website-photos": Public can read them.
How can I setup this config?
Just create an IAM policy and attach to the users you want to give access:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bucket-name"]
},
{
"Sid": "AllObjectActions",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": ["arn:aws:s3:::bucket-name/*"]
}
]
}
See: Amazon S3: Allows Read and Write Access to Objects in an S3 Bucket - AWS Identity and Access Management
The general approach is:
If you want something to be "public" (accessible by anyone), then use a Bucket Policy
If you want to only assign permissions to a specific IAM User, then attach a policy to the IAM User
If you want to only assign permissions to a group of IAM Users, then create an IAM Group, attach a policy and assign the group to the desired IAM Users
My company has an organization set up in AWS (CompanyA as example). Each team has an account joined to this organization (HR, ProductA, ProductB, ect..). We in ProductA are attempting to grant read-only access to an S3 bucket which serves as a yum repository we own to anyone under this organization from their ec2 instance without auth (yum commands works out of box)
Some items we evaluated:
https://github.com/rmela/yum-s3-plugin -> This would go along with user principal access, users would need to add their keys to pull from the repo
http://parthicloud.com/how-to-access-s3-bucket-from-application-on-amazon-ec2-without-access-credentials/ -> Great tutorial for inside your own account, ec2 instances need to be brought up with a IAM policy to allow access to bucket.
Add a condition to the bucket policy listing your AWS Organization, and allow all principals access. See AWS Global Condition Context Keys, search for aws:PrincipalOrgID. "When you add and remove accounts, policies that include aws:PrincipalOrgID automatically include the correct accounts and don't require manual updating."
The Action and Resource sections in the example below should be the same as for your current policy that lists all the AWS accounts in your organization.
{
"Version": "2012-10-17",
"Statement": {
"Sid": "AllowOrganizationToReadYumBucket",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::your-yum-bucket",
"arn:aws:s3:::your-yum-bucket/*"
],
"Condition": {
"StringEquals": {"aws:PrincipalOrgID":["o-xxxxxxxxxxx"]}
}
}
}
It is not possible for an Amazon S3 bucket policy to refer to a group of accounts in an AWS Organization.
Your bucket policy would need to list permissions for each account individually. For example:
"Principal":{"AWS":"arn:aws:iam::ACCOUNT-NUMBER:user/*"}
For security reasons, we have a pre-prod and a prod AWS account. We're now beginning to use IAM Roles for S3 access to js/css files through django-storage / boto.
While this is working correctly on a per account basis, now a need has risen where the QA instance needs to access one S3 bucket on a the prod account.
Is there a way to have one IAM role that can grant access to the pre-prod And prod S3 buckets? As I'm writing it seems impossible, but it never hearts to ask!
Here's the AWS doc on this: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html
Essentially, you have to delegate permissions to one account from the other account using the Principal block of your Bucket's IAM policy, and then set up your IAM user in the second account as normal.
Example bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<Account-ID>:root"
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<bucket-name>"
]
}
]
}
This works well for read-only access, but there can be issues with write access. Primarily, the account writing the object will still be the owner of that object. When dealing with Write permissions, you'll usually want to make sure the account owning the bucket still has the ability to access objects written by the other account, which requires the object to be written with a particular header: x-amz-grant-full-control
You can set up your bucket policy so that the bucket will not accept cross-account objects that do not supply this header. There's an example of that at the bottom of this page: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html (under "Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control")
This makes use of a conditional Deny clause in the bucket policy, like so:
{
"Sid":"112",
"Effect":"Deny",
"Principal":{"AWS":"1111111111" },
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::examplebucket/*",
"Condition": {
"StringNotEquals": {"s3:x-amz-grant-full-control":["emailAddress=xyz#amazon.com"]}
}
}
I generally avoid cross-account object writes, myself...they are quite fiddly to set up.