Wondering how to resolve object cross account access denied in amazon s3 bucket? We can help you.

Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.

Today, let us see how our Support Techs perform this task.

How to resolve object cross account access denied in amazon s3 bucket?

To grant access to an AWS KMS-encrypted bucket in Account A to a user in Account B, you must have these permissions in place:

• Firstly, the bucket policy in Account A must grant access to Account B.
• The AWS KMS key policy in Account A must grant access to the user in Account B.
• The AWS Identity and Access Management (IAM) policy in Account B must grant the user access to both the bucket and key in Account A.

Today, let us see the steps followed by our Support Techs to perform it.

The bucket policy in Account A must grant access to the user in Account B

From Account A, review the bucket policy and confirm that there is a statement that allows access from the account ID of Account B.

For example, this bucket policy allows s3:GetObject access to the account ID 111122223333:

{
"Id": "ExamplePolicy1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleStmt1",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
"Principal": {
"AWS": [
"111122223333"
]
}
}
]
}

The AWS KMS key policy in Account A must grant access to the user in Account B

The AWS KMS key policy must grant the user in Account B permissions to the kms:Decrypt action.

For example, to grant key access to only one IAM user or role, the key policy statement looks like this:

{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:role/role_name"
]
},
"Action": [
"kms:Decrypt"
],
"Resource": "*"
}

From Account A, review the key policy using the AWS Management Console policy view.

In the key policy, look for “Sid”: “Allow use of the key”.

Then, confirm that the user in Account B is listed as a principal in that statement.

If you don’t see the statement “Sid”: “Allow use of the key”, switch to view the key policy using the console default view.

Then, add Account Bs account ID as an external account with access to the key.

The IAM user policy in Account B must grant the user access to both the bucket and key in Account A

From Account B, perform the following steps:

1.Firstly, open the IAM console.

2.Then, open the IAM user or role associated with the user in Account B.

3.Next, review the list of permissions policies applied to IAM user or role.

4.Verify that there are applied policies that grant access to both the bucket and key.

Note: If the IAM user or role in Account B already has administrator access, then you don’t need to grant access to the key.

The following example policy grants the IAM user in Account B access to objects and KMS key (to decrypt objects in a bucket):

{
"Version": "2012-10-17",
"Statement": [{
"Sid": "ExampleStmt1",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
},
{
"Sid": "ExampleStmt2",
"Action": [
"kms:Decrypt"
],
"Effect": "Allow",
"Resource": "arn:aws:kms:us-west-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
]
}

[Need help with the fix? We’d be happy to assist you]

Conclusion

In short, we saw how our Support Techs resolve object cross account access denied in amazon s3 bucket.