There's more...

Account A can grant access to its S3 resources to account B in one of the following ways:

  • The account A administrator grants access to account B through a bucket policy or ACL. The account B administrator delegates that permission to a user using a user policy. The user in account B can then access the S3 resources in account A according to the permissions granted to them. In this recipe, we followed this approach using an ACL in the Uploading to a bucket in another account section, and the same is also possible with a bucket policy.
  • The account A administrator grants access directly to a user in account B through a bucket policy. The account B administrator still has to delegate permission to the user using a policy. The user in account B can then access the S3 resources in account A according to the permissions granted to them. In this recipe, we followed this approach in the Uploading to a bucket in another account with a bucket policy section.
  • The account A administrator creates a role with the required permissions to its S3 resources in account A. The role has a trust relationship in which account B is the trusted entity and account A is the trusting entity. The account B administrator delegates that permission to a user using a user policy. The user in account B can then assume that role and access the S3 resources in account A in accordance with the permissions granted to them. We saw a variation of IAM role-based cross-account access in Chapter 1, Managing AWS Accounts with IAM and Organizations, in the Switching role with AWS organizations recipe.

Let's quickly go through some scenarios to understand cross-account policies better:

  • Account A created a bucket and gave PutObject ACL permissions to everyone (public access):
    • Can a user from the same AWS account with no permissions (no policies attached) upload a file to that bucket from the AWS CLI? Yes.
    • Can a user from another AWS account with no permissions (no policies attached) upload a file to that bucket from the AWS CLI? No.
    • Can an administrator user from another AWS account upload a file to that bucket from the AWS CLI? Yes.
  • Account A created a bucket and gave PutObject ACL permissions to account B using the account's canonical ID:
    • Can a user with no permissions (no policies attached) from account B upload a file to that bucket from the AWS CLI? No.
    • Can an administrator user from account B upload a file to that bucket from the AWS CLI? Yes.
  • Account B uploaded a file to account A with cross-account access and no canned ACL (equivalent to the canned private ACL):
    • Can a user with no permissions (no policies attached) from the bucket owner account read that object? No.
    • Can an administrator user from the bucket owner account read that object? No.
    • Can an administrator user from the bucket owner account delete that object? Yes.
  • Account A created a bucket and gave the PutObject permission directly to a user, testuser, in account B through a bucket policy:
    • Can testuser upload to a bucket in account A without additional permissions in account B? No, they still need to have the PutObject permission to the bucket assigned through a user policy within account B.
    • Can an administrator in account B upload to a bucket in account A? No, we have explicitly granted permission to testuser.
  • Can the account B administrator delegate more access to its users than it was granted by account A? This will not result in an error, but it will have no effect, because the request is also evaluated against the permissions account A granted, and only those are honored.
  • Can we enforce the usage of canned ACL through a bucket policy? Yes, using a condition that checks the value of the s3:x-amz-acl condition key, for example, for the bucket-owner-full-control value.
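As an added example (not code from the recipe), the following Python builds the bucket policy for the last two scenarios above, granting PutObject to testuser in account B and denying any upload that does not set the bucket-owner-full-control canned ACL, then runs a simplified evaluation of who can upload. The account IDs, bucket name and user names are placeholders, and the evaluator models only the rules stated in this section (explicit Deny wins, and both the bucket policy in account A and the user policy in account B must allow), not the full IAM evaluation logic.

```python
import json
from typing import Optional

# Constructed placeholder identifiers; replace with your own account IDs and names.
BUCKET = "example-cross-account-bucket"
ACCOUNT_B_USER = "arn:aws:iam::222222222222:user/testuser"
ACCOUNT_B_ADMIN = "arn:aws:iam::222222222222:user/admin"
REQUIRED_ACL = "bucket-owner-full-control"


def build_bucket_policy(bucket: str, user_arn: str) -> dict:
    """Bucket policy for account A: allow PutObject for one user in account B,
    and deny every PutObject that does not carry the required canned ACL.
    Apply with: aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json"""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowTestUserPut", "Effect": "Allow",
             "Principal": {"AWS": user_arn},
             "Action": "s3:PutObject", "Resource": objects},
            {"Sid": "RequireOwnerFullControlAcl", "Effect": "Deny",
             "Principal": "*", "Action": "s3:PutObject", "Resource": objects,
             # StringNotEquals also matches when the header is absent, so an
             # upload with no canned ACL (private by default) is denied too.
             "Condition": {"StringNotEquals": {"s3:x-amz-acl": REQUIRED_ACL}}},
        ],
    }


def can_put_object(policy: dict, principal: str, acl: Optional[str],
                   user_policy_allows: bool) -> bool:
    """Simplified cross-account check: an explicit Deny always wins; otherwise the
    bucket policy (account A) and the caller's user policy (account B) must both allow."""
    bucket_allows = False
    for stmt in policy["Statement"]:
        if stmt["Action"] != "s3:PutObject":
            continue
        if stmt["Principal"] != "*" and stmt["Principal"].get("AWS") != principal:
            continue
        if stmt["Effect"] == "Deny":
            cond = stmt.get("Condition", {}).get("StringNotEquals", {})
            if "s3:x-amz-acl" in cond and acl != cond["s3:x-amz-acl"]:
                return False
        elif stmt["Effect"] == "Allow":
            bucket_allows = True
    return bucket_allows and user_policy_allows


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(BUCKET, ACCOUNT_B_USER), indent=2))
```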