Scenario
Need to access S3 in a different AWS account from EC2 in your account.
Steps
- For the EC2 role in the first AWS account, add the following inline policy. (For the KMS key, make sure it is the key used to encrypt the target S3 bucket, i.e. the key owned by the bucket's account.)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:List*", "s3:Put*", "s3:Get*"],
      "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"],
      "Effect": "Allow"
    },
    {
      "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
      "Resource": ["arn:aws:kms:ap-southeast-1:123456789:key/123ddwq-123d-123fd34-553f"],
      "Effect": "Allow"
    },
    {
      "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant", "kms:RetireGrant", "kms:ListRetirableGrants"],
      "Resource": ["arn:aws:kms:ap-southeast-1:987654321:key/3136e26c-3144-12fd-432r4-34rf4244f"],
      "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } },
      "Effect": "Allow"
    }
  ]
}
```
- In the second AWS account, go to IAM → Encryption Keys → Customer managed key and add the first (EC2) account as an external account allowed to use the key, so the EC2 role can decrypt and encrypt the bucket's objects.
- Update the S3 bucket policy in the second account. Example below.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1357935647218",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::1234556789:root" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Sid": "Stmt1357935648634",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789:root" },
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}
```
- Test and verify the access!
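The two halves only work together when the account IDs and ARNs agree: the role's KMS statement must name the bucket owner's key, and the bucket policy must name the EC2 account as principal and cover both the bucket ARN and `bucket/*`. The following added check is not part of this post; it parses both policy documents and reports such mismatches before the "test and verify" step. The account IDs, key ID and sample policies are constructed placeholders, and the sample role policy deliberately points its KMS key at the wrong account so the check has something to find.

```python
# Constructed sample input (not the page's policies); 12-digit placeholder account IDs.
EC2_ACCOUNT = "111111111111"     # first account: owns the EC2 instance role
BUCKET_ACCOUNT = "222222222222"  # second account: owns the bucket and its KMS key
BUCKET = "bucket-name"
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:List*", "s3:Put*", "s3:Get*"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
     # Deliberate mistake: the key ARN names the EC2 account instead of the bucket owner.
     "Resource": [f"arn:aws:kms:ap-southeast-1:{EC2_ACCOUNT}:key/placeholder-key-id"]}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{EC2_ACCOUNT}:root"},
     "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{EC2_ACCOUNT}:root"},
     "Action": ["s3:Get*"], "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_cross_account(role_policy, bucket_policy, ec2_account, bucket_account, bucket):
    """Return a list of findings; an empty list means the two halves line up."""
    findings, need = [], {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    role_s3, kms_accounts = set(), set()
    for st in [s for s in role_policy["Statement"] if s.get("Effect") == "Allow"]:
        for res in _as_list(st.get("Resource", [])):
            if res.startswith("arn:aws:s3:::"):
                role_s3.add(res)
            elif res.startswith("arn:aws:kms:"):
                kms_accounts.add(res.split(":")[4])  # account-ID field of the key ARN
    if not need <= role_s3:
        findings.append("role policy must allow both the bucket ARN and bucket/*")
    if not kms_accounts:
        findings.append("role policy grants no KMS actions; SSE-KMS objects stay unreadable")
    elif kms_accounts != {bucket_account}:
        findings.append("role policy names a KMS key outside the bucket owner's account")
    principals, bucket_res = set(), set()
    for st in [s for s in bucket_policy["Statement"] if s.get("Effect") == "Allow"]:
        prin = st.get("Principal", {})  # either "*" or {"AWS": ...}
        principals.update(_as_list(prin if isinstance(prin, str) else prin.get("AWS", [])))
        bucket_res.update(_as_list(st.get("Resource", [])))
    if "*" in principals:
        findings.append("bucket policy allows a wildcard principal (public access)")
    if not any(p == ec2_account or f"::{ec2_account}:" in p for p in principals):
        findings.append("bucket policy does not grant the EC2 account as a principal")
    if not need <= bucket_res:
        findings.append("bucket policy must cover both the bucket ARN and bucket/*")
    return findings

if __name__ == "__main__":
    print(check_cross_account(ROLE_POLICY, BUCKET_POLICY, EC2_ACCOUNT, BUCKET_ACCOUNT, BUCKET))
```

Run it against the real policy JSON pulled from both accounts (for example via `aws iam get-role-policy` and `aws s3api get-bucket-policy`) before the access test; a wildcard principal is flagged because that would make the bucket public rather than cross-account.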