Introduction
Sharing S3 buckets across different AWS accounts can be a powerful way to streamline workflows, reduce costs, and improve collaboration between teams. However, it’s important to approach this process with caution, as any missteps can result in security breaches, data loss, or unexpected charges. In this blog, we’ll explore best practices and considerations for securely sharing S3 buckets across AWS accounts, all while using AWS CLI (via CloudShell). Whether you’re a developer, IT professional, or business owner, this guide will help you navigate the complexities of cross-account S3 bucket sharing, and ensure that your data remains secure and accessible.
Prerequisites
- Account A to be the owner of the S3 bucket you want to share
- Account B to be the account that will hold a role to be used to access the S3 bucket in Account A
- Adequate permissions in both AWS accounts to accomplish the tasks
- AWS CLI installed
Account A
- Create an S3 bucket called 'mybucket2share' (bucket names are global, so choose a name that is still free)
- aws s3 mb s3://mybucket2share
Account B
- Create an EC2 role called ‘ec2role2accessmybucket2share’
- aws iam create-role --role-name ec2role2accessmybucket2share --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
- Create a policy called 'mycrossaccounts3bucketpolicy' that grants access to the S3 bucket 'mybucket2share' (both the bucket ARN, needed for listing, and the object ARN with a trailing /*)
- aws iam create-policy --policy-name mycrossaccounts3bucketpolicy --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:*"],"Resource":["arn:aws:s3:::mybucket2share","arn:aws:s3:::mybucket2share/*"]}]}'
- Attach the policy to the EC2 role. Here I am creating and using the variable AWS_ACCOUNT_ID, which holds the AWS account ID of Account B (the account the policy was created in)
- AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
- aws iam attach-role-policy --policy-arn arn:aws:iam::${AWS_ACCOUNT_ID}:policy/mycrossaccounts3bucketpolicy --role-name ec2role2accessmybucket2share
- Create an EC2 instance from the latest Amazon Linux 2 AMI, using a key pair called mykey, launched in the subnet with the ID subnet-1234, with the security group sg-1234 attached, and with the role created above attached via its instance profile (the instance type was not given in the original command; supply your own in place of the placeholder)
- aws ec2 run-instances --image-id $(aws ec2 describe-images --owners amazon --filters 'Name=name,Values=amzn2-ami-hvm-2.0.????????-x86_64-gp2' --query 'Images[*].[ImageId, CreationDate]' --output text | sort -k2 -r | head -n1 | awk '{print $1}') --count 1 --instance-type <instance-type> --key-name mykey --security-group-ids sg-1234 --subnet-id subnet-1234 --iam-instance-profile Name=ec2role2accessmybucket2share
Back to Account A
- Create a bucket policy that allows full access (narrow this to your business needs) to the S3 bucket from the EC2 role in Account B. Replace 123456 with Account B's account ID. The Resource list must include the bucket ARN itself as well as the object ARN, otherwise the listing test further down fails with AccessDenied
- aws s3api put-bucket-policy --bucket mybucket2share --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456:role/ec2role2accessmybucket2share"},"Action":["s3:*"],"Resource":["arn:aws:s3:::mybucket2share","arn:aws:s3:::mybucket2share/*"]}]}'
Back to Account B
- Log in to the EC2 instance
- Create a file called 'mytestfile.txt' containing the text 'test' locally on the EC2 instance
- echo 'test' > mytestfile.txt
- Test copying a file to the S3 bucket
- aws s3 cp mytestfile.txt s3://mybucket2share/
- Test listing the contents of the bucket to confirm the copy succeeded
- aws s3 ls s3://mybucket2share/
Conclusion
In conclusion, sharing S3 buckets across AWS accounts is a powerful tool for collaboration and cost reduction, but it requires careful planning and implementation to ensure security and compliance. By following the best practices and considerations outlined in this article, you can confidently share S3 buckets across accounts, while maintaining control over access, monitoring usage, and enforcing security policies. Remember to regularly review and update your cross-account S3 sharing configurations, and to stay up-to-date with the latest AWS security features and practices. With these steps, you can leverage the full potential of AWS S3 buckets, while keeping your data safe and accessible.