S3 and Cross Account Access

S3 buckets provide a great way to share data in AWS.

While S3 buckets can be made public, at times the use case calls for more restrictive access. If the bucket policy grants public access, anyone from anywhere can read and/or write [depending on the permissions granted] the files inside the bucket.

Use Case

At times, one wants to keep the S3 bucket private while still providing read access to an external AWS account.

In such a scenario, one is tempted to update the permissions via the AWS Console.

S3 bucket -> Permissions -> Access Control List

The first step is to navigate to the Access Control List.

Access other AWS accounts

The subsequent step is to enter the canonical ID of the account requesting access to that particular resource [the S3 bucket in this case].

However, the Access Control List is restrictive: it only grants permission to list objects and write objects. At first glance this might seem sufficient, but it isn't.


Consider a case where the external AWS account needs to copy a file out of the S3 bucket, which means reading the object. With just the permissions available in the Access Control List, one can't do that.


Instead, update the S3 bucket policy.

- The Resource varies based on the Action.

While the s3:ListBucket action points to the ARN of the bucket itself, the s3:GetObject action needs a different Resource value [bucket ARN/*], because it applies to the objects inside the bucket rather than to the bucket.
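As an added example (not the post's own code): a Python helper that builds the cross-account read-only bucket policy described above and lints a policy for the Resource/Action mismatch the post warns about, plus a Principal of "*" that would make the bucket public (the situation described in the introduction). The bucket name and the 12-digit account ID used in the checks are assumed placeholders.

```python
"""Added example: build the cross-account read-only S3 bucket policy described above
and lint it for the Resource/Action mismatch and accidental public access."""

# Bucket-level actions target the bucket ARN; object-level actions target bucket ARN/*.
BUCKET_ACTIONS = {"s3:ListBucket"}
OBJECT_ACTIONS = {"s3:GetObject"}


def cross_account_read_policy(bucket: str, account_id: str) -> dict:
    """Bucket policy granting one external account list + read access (Principal is that account's root)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    principal = {"AWS": f"arn:aws:iam::{account_id}:root"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": principal,
             "Action": "s3:ListBucket", "Resource": bucket_arn},
            {"Effect": "Allow", "Principal": principal,
             "Action": "s3:GetObject", "Resource": f"{bucket_arn}/*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_object_resource(res: str) -> bool:
    # "arn:aws:s3:::bucket/key-or-wildcard" names objects; a bare "*" covers everything.
    return res == "*" or "/" in res.rsplit(":::", 1)[-1]


def policy_problems(policy: dict) -> list:
    """Return human-readable findings for statements that will not work or grant too much."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"statement {i}: Principal '*' makes the bucket public")
        for action in _as_list(stmt["Action"]):
            for res in _as_list(stmt["Resource"]):
                if action in OBJECT_ACTIONS and not _is_object_resource(res):
                    findings.append(f"statement {i}: {action} needs bucket ARN/*, got {res}")
                if action in BUCKET_ACTIONS and res != "*" and _is_object_resource(res):
                    findings.append(f"statement {i}: {action} needs the bucket ARN, got {res}")
    return findings
```

The returned document is what gets attached as the bucket policy; note that the external account's IAM user or role must additionally be allowed s3:ListBucket and s3:GetObject in its own identity policy, because a bucket policy alone does not grant a non-root principal in another account access.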

For further details, refer to: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/

To understand when to use ACLs: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-alternatives-guidelines.html#when-to-use-acl




Music, Sports and Data. Engineer @ Facebook | Apache committer @ Apache MXNet | Ex- Amazon | GaTech

Chaitanya Prakash Bapat