Uploading to a bucket in another account with a bucket policy

If you followed along with the previous section, remove the ACL granted on account A before proceeding with the following steps: 

  1. Create a bucket policy that explicitly allows our non-administrator user, testuser, from account B to perform the PutObject action, and that also requires the user to give full control to the bucket owner through a canned ACL (the Condition block below enforces this). Save the file as bucket-policy-write-another-account-user.json:
     {
       "Id": "SomeUniqueId1",
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "AllPutForOtherAccountUser",
           "Action": [
             "s3:PutObject"
           ],
           "Effect": "Allow",
           "Resource": "arn:aws:s3:::awsseccookbook/*",
           "Condition": {
             "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
           },
           "Principal": {
             "AWS": [
               "arn:aws:iam::380701114427:user/testuser"
             ]
           }
         }
       ]
     }
  2. Attach the bucket policy to the bucket (run as the account A administrator profile):
     aws s3api put-bucket-policy \
       --bucket awsseccookbook \
       --policy file://resources/bucket-policy-write-another-account-user.json \
       --profile awssecadmin
  3. Attach a policy in account B to the non-administrator user, testuser, that allows the s3:PutObject and s3:PutObjectAcl actions. This step was already performed in the previous section. If you haven't done it yet (or if you deleted the policy), work through the previous section to complete it.
  4. Upload an image as testuser from account B to the bucket in account A, with and without the canned ACL:

Here, we used a bucket policy to ensure that the user from account B grants full control to the bucket owner in account A through the bucket-owner-full-control canned ACL; an upload that does not send that ACL does not match the policy's condition, so it fails.
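To see why the upload without the canned ACL fails, here is an added, simplified policy evaluator (example code, not from the book or from AWS) that applies the bucket policy above to a PutObject request with and without the s3:x-amz-acl request key. It models only the bucket-policy side of the decision with a constructed object ARN; the identity policy in account B and the rest of AWS's real evaluation logic are out of scope.

```python
import json

# The recipe's bucket policy, embedded here so the example runs offline.
BUCKET_POLICY = json.loads("""{
  "Id": "SomeUniqueId1", "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllPutForOtherAccountUser",
    "Action": ["s3:PutObject"],
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::awsseccookbook/*",
    "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
    "Principal": {"AWS": ["arn:aws:iam::380701114427:user/testuser"]}
  }]
}""")
TESTUSER = "arn:aws:iam::380701114427:user/testuser"
OBJECT = "arn:aws:s3:::awsseccookbook/image.jpg"  # constructed object ARN for the upload

def _matches(pattern, value):
    """Minimal ARN/action matching: only a trailing '*' wildcard, as the recipe uses."""
    return value.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == value

def _conditions_met(condition, request_keys):
    """Only StringEquals is modelled. A key absent from the request (no x-amz-acl
    header sent) equals nothing, so the condition fails and the statement does not apply."""
    return all(request_keys.get(k) == v
               for k, v in condition.get("StringEquals", {}).items())

def evaluate(policy, principal, action, resource, request_keys):
    """'Allow' if some statement matches the request, else 'Deny' (implicit deny).
    A matching explicit Deny wins over any Allow, as in IAM evaluation."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if (any(_matches(a, action) for a in stmt["Action"])
                and _matches(stmt["Resource"], resource)
                and principal in stmt["Principal"]["AWS"]
                and _conditions_met(stmt.get("Condition", {}), request_keys)):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def put_with_canned_acl():
    """Upload sent with --acl bucket-owner-full-control (s3:x-amz-acl request key is set)."""
    return evaluate(BUCKET_POLICY, TESTUSER, "s3:PutObject", OBJECT,
                    {"s3:x-amz-acl": "bucket-owner-full-control"})

def put_without_acl():
    """Upload sent with no --acl flag: the s3:x-amz-acl key is absent from the request."""
    return evaluate(BUCKET_POLICY, TESTUSER, "s3:PutObject", OBJECT, {})
```

A different canned ACL (for example public-read) or a different principal is also denied, since StringEquals and the Principal list must both match exactly.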
