S3 CROSS ACCOUNT ACCESS WITH FOLDER RESTRICTION


This document shows how to grant a user cross-account access to an S3 bucket while restricting that user to a single folder (prefix) in the bucket. It can be a useful cost-saving measure, because you do not have to duplicate the production data into a QA bucket, and the data stays safe because you grant only read access to it.

Problem:- We want to allow the QA user (qauser) to get files from the production bucket (prodbucket), but it should only be able to access folder1 in prodbucket. Both the production user (produser) and qauser should still be able to access the buckets in their own accounts.
Hierarchy of the prod bucket is prodbucket/folder1 .

Solution:-

The prod bucket policy is created on prodbucket in the prod AWS account, account number 111111111111 .

Below you can see what each block of the policy is doing.
1) In block 1 we allow all S3 actions on prodbucket to produser. produser is in the prod account 111111111111.
2) In block 2 we allow the QA user, which is in another AWS account, 222222222222, to access the prod bucket. We grant it only get and list access (s3:GetObject and s3:ListBucket) on the bucket.

{
  "Version": "2012-10-17",
  "Id": "PolicyCrossAccountAccess",
  "Statement": [
    {
      "Sid": "StmtForprodAccount",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/produser"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::prodbucket",
        "arn:aws:s3:::prodbucket/*"
      ]
    },
    {
      "Sid": "StmtForQAAccount",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:user/qauser"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::prodbucket",
        "arn:aws:s3:::prodbucket/*"
      ]
    }
  ]
}


The QA user policy is attached to qauser in the QA AWS account, account number 222222222222 . Because qauser is in a different account from the bucket, a request on prodbucket succeeds only if both the bucket policy above and this user policy allow it; the bucket policy opens the whole bucket for reading, and this policy narrows qauser to folder1.
1) In block 1 we allow the QA user full access to qabucket in its own account.
2) In block 2 we restrict qauser to folder1 of the cross-account prodbucket: the user can list the bucket only with the prefix folder1/ .
3) In block 3 we allow qauser to get only the files under prodbucket/folder1/ .

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::qabucket",
        "arn:aws:s3:::qabucket/*"
      ]
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::prodbucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "folder1/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowGetActionsInUserFolder",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::prodbucket/folder1/*"
      ]
    }
  ]
}

Advisory :- Please test this completely before implementing it in your environment. It may not work as expected in your environment, because other permissions already granted to your users (for example, modification rights) can change the outcome.

Be Sociable. Share It. Happy Learning!
