S3 - Cross Account Access

Setup
  Master Account: IAM users Bob1 and IAMADMIN sign in here. IAMADMIN can switch into a role in the Prod account.
  Prod Account: owns three buckets, Bucket1, Bucket2 and Bucket3.
  Three ways to let Master-account identities write into Prod buckets: an ACL on Bucket1, a bucket policy on Bucket2, and a role in Prod for Bucket3.

ACLs (Bucket1 in Prod)
  Apply an ACL to Bucket1 that grants the Master account permission to put objects.
  IAM user Bob1 signs into the Master account and accesses Bucket1 within the session.
    Can Bob1 upload an object? Yes, the ACL grants his account write access.
    Who owns the bucket? Prod account.
    Who owns the object? Master account, the account of the principal that wrote it.
    Can Bob1 access the object? Yes, his account owns it.
  IAMADMIN signs into the Master account, switches role into Prod and opens Bucket1.
    Can he see the object uploaded by Bob1? Yes. Listing is a bucket operation and Prod owns the bucket.
    Can he access (read) the object? No. The Master account owns the object and its object ACL grants only that owner access; the bucket owner cannot override this from its side with a bucket policy or bucket ACL.

Bucket Policy (Bucket2 in Prod)
  Apply a bucket policy on Bucket2 that grants IAM user Bob1 from the Master account permission to put objects only (s3:PutObject and nothing else).
  IAM user Bob1 signs into the Master account and accesses the Bucket2 URL within the session.
    Can Bob1 upload an object? Yes, he has upload permission.
    Can Bob1 list objects? No, the policy grants no list permission.
  IAMADMIN signs into the Master account, switches role into Prod and accesses Bucket2.
    Can he see the object uploaded by Bob1? Yes.
    Can he access the object? No. Why? Because the Master account owns the object.
  Who owns the bucket? Prod account. Who owns the object? Master account. Same result as Bucket1: a policy instead of an ACL changes who is allowed to write, not who owns what gets written.

S3 - Assume Role (Bucket3 in Prod)
  Create a role in the Prod account, attach S3 permissions to it, and trust the Master account so that IAM users from Master can assume the role to upload objects to S3.
  Bob1 signs into the Master account, switches into the role inside Prod and uploads an object into Bucket3.
    Can he upload the object? Yes.
    Can he access the object? Yes.
  Who owns the bucket? Prod account. Who owns the object? Prod account: the principal that performed the put is the Prod role, so the object is owned by Prod from the start and anyone in the Prod role, IAMADMIN included, can read it.

Caveat
  With the ACL and the bucket policy the object follows the writer's account; with the assumed role it follows the bucket's account. The "can see it but cannot read it" outcome above is the legacy ObjectWriter ownership model. On buckets with S3 Object Ownership set to BucketOwnerEnforced (the default for new buckets since April 2023) ACLs are disabled and the bucket owner owns every object, so that outcome cannot occur. On legacy buckets the usual fix is to require the bucket-owner-full-control canned ACL on every put.
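The three patterns above, as an added example in Python that is not part of the original notes: the put-only bucket policy for Bucket2 in its plain form and in a hardened form that requires the bucket-owner-full-control ACL, the trust policy for the Prod role used with Bucket3, and a small model of who owns an object written into a Prod bucket and whether the bucket owner can read it. The account IDs, bucket names and ARNs are made-up placeholders; the ACL grant on Bucket1 is not generated here, only its ownership outcome is modelled. The model also covers the BucketOwnerPreferred and BucketOwnerEnforced settings, which the notes do not discuss.

```python
"""Cross-account S3 ownership and policy examples.

Added example, not part of the original notes. Account IDs, bucket names and
the user/role ARNs are made-up placeholders.
"""
import json

MASTER = "111111111111"  # placeholder ID for the Master account
PROD = "222222222222"    # placeholder ID for the Prod account


def bucket2_put_only_policy(bucket, require_owner_full_control=False):
    """Bucket policy for Bucket2: IAM user Bob1 in Master may only PutObject.

    Plain form: Bob1 can upload but not list, and on a legacy bucket the
    object he writes belongs to Master, so Prod can list it but not read it.
    Hardened form: a Condition rejects any put not made with the
    bucket-owner-full-control canned ACL, which gives Prod full control.
    """
    statement = {
        "Sid": "Bob1PutOnly",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{MASTER}:user/Bob1"},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }
    if require_owner_full_control:
        statement["Condition"] = {
            "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
        }
    return {"Version": "2012-10-17", "Statement": [statement]}


def prod_role_trust_policy():
    """Trust policy for the role in Prod that fronts Bucket3.

    Trusting the Master account root lets any Master principal whose own IAM
    policy allows sts:AssumeRole on this role switch into Prod. The role's
    permission policy (not shown) carries the S3 rights on Bucket3.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TrustMasterAccount",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{MASTER}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def object_outcome(writer_account, bucket_owner, object_ownership="ObjectWriter",
                   grants_bucket_owner_full_control=False):
    """Who owns a newly written object and what the bucket owner can do with it.

    writer_account is the account of the principal that issued the PutObject;
    for an assumed role that is the account the role lives in, not the one the
    human signed into. object_ownership is the bucket's S3 Object Ownership:
      ObjectWriter          legacy model from the notes; the writer keeps ownership
      BucketOwnerPreferred  writer keeps ownership unless the put carried the
                            bucket-owner-full-control ACL, which transfers it
      BucketOwnerEnforced   ACLs disabled; the bucket owner owns everything
    Returns (object_owner, bucket_owner_can_list, bucket_owner_can_read).
    Listing is a bucket operation, so the bucket owner can always see the key.
    """
    if object_ownership not in ("ObjectWriter", "BucketOwnerPreferred", "BucketOwnerEnforced"):
        raise ValueError(f"unknown Object Ownership setting: {object_ownership}")
    if object_ownership == "BucketOwnerEnforced" or writer_account == bucket_owner:
        return bucket_owner, True, True
    if object_ownership == "BucketOwnerPreferred" and grants_bucket_owner_full_control:
        return bucket_owner, True, True
    # Legacy cross-account write: the writer's account owns the object and the
    # bucket owner can read it only if the object ACL grants it access.
    return writer_account, True, grants_bucket_owner_full_control


def scenarios():
    """The three cases from the notes plus two variants that close the gap."""
    return {
        # Bob1 (Master IAM user) puts into Bucket1 via the ACL grant
        "acl_bucket1": object_outcome(MASTER, PROD),
        # Bob1 puts into Bucket2 via the put-only bucket policy
        "bucket_policy_bucket2": object_outcome(MASTER, PROD),
        # Bob1 assumes the Prod role first: the writing principal is in Prod
        "assume_role_bucket3": object_outcome(PROD, PROD),
        # Bucket2 with the hardened policy: the put must carry the ACL grant
        "bucket2_hardened": object_outcome(MASTER, PROD,
                                           grants_bucket_owner_full_control=True),
        # Any of the above on a bucket with BucketOwnerEnforced
        "bucket_owner_enforced": object_outcome(MASTER, PROD, "BucketOwnerEnforced"),
    }


if __name__ == "__main__":
    print(json.dumps(bucket2_put_only_policy("bucket2", True), indent=2))
    for name, (owner, can_list, can_read) in scenarios().items():
        print(f"{name:24} owner={owner} list={can_list} read={can_read}")
```

Running the block prints the hardened Bucket2 policy and one line per scenario; the two legacy cross-account writes come out owned by Master with read=False, the assumed-role write and the BucketOwnerEnforced case come out owned by Prod with read=True.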