When working on AWS cross-account S3 access, I found out that only three actions, s3:CreateBucket, s3:ListAllMyBuckets and s3:GetBucketLocation, are allowed to set the relative-id of Resource to "*". For all other bucket actions you must specify a bucket name. For example, suppose I want to allow a user from account B to put objects into an S3 bucket in account A. Here are the steps:
1) Create a role (RoleForAccountB) in account A for the root of account B. What this does is tell account A to trust account B.
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::Account_B_ID:root" },
    "Action": "sts:AssumeRole"
  }
}
```
2) Attach a policy to the role, for example one allowing the Get* and List* actions against examplebucket. Unlike an S3 bucket policy, you cannot specify "Principal" in the IAM role policy; it uses the principal defined in the IAM role's trust policy, which is arn:aws:iam::Account_B_ID:root in this example.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:Get*", "s3:List*" ],
      "Resource": [
        "arn:aws:s3:::examplebucket",
        "arn:aws:s3:::examplebucket/*"
      ]
    }
  ]
}
```

Note the S3 ARN format: the region and account fields are empty, so the bucket name follows three colons (arn:aws:s3:::examplebucket). The bucket ARN covers bucket-level actions such as ListBucket; the examplebucket/* entry is what object-level actions such as GetObject are matched against.
3) In account B, create a policy that allows assuming the role created in account A, then attach it to the user. Something like:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [ "arn:aws:iam::Account_A_ID:role/RoleForAccountB" ]
    }
  ]
}
```
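To catch the two mistakes this post is about before a policy is attached (Resource "*" on an S3 action that needs a bucket name, and a malformed S3 ARN), here is a small policy linter written for this post as an added example; it is not AWS code and encodes only the rule stated above (the three bucket-less actions) plus the standard arn:aws:s3:::bucket[/key] ARN shape.

```python
import re
from typing import Any, Dict, List

# The three actions the post says may carry Resource "*" (compared lower-case).
WILDCARD_OK = {"s3:createbucket", "s3:listallmybuckets", "s3:getbucketlocation"}

# S3 ARNs have empty region and account fields, so "s3" is followed by three
# colons: arn:aws:s3:::bucket or arn:aws:s3:::bucket/key-pattern
S3_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.\-]{1,61}[a-z0-9](/.*)?$")

# Actions (or wildcards covering them) that act on objects rather than the bucket.
OBJECT_LEVEL = {"s3:getobject", "s3:putobject", "s3:deleteobject",
                "s3:get*", "s3:put*", "s3:*"}


def _as_list(value: Any) -> List[Any]:
    # IAM allows a single string or a list for Action / Resource.
    return value if isinstance(value, list) else [value]


def lint_s3_statement(stmt: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one policy statement; [] means clean."""
    findings: List[str] = []
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    s3_actions = [a for a in actions if a.startswith("s3:")]
    if not s3_actions:
        return findings
    for res in resources:
        if res == "*":
            needs_name = [a for a in s3_actions if a not in WILDCARD_OK]
            if needs_name:
                findings.append('Resource "*" is only valid for the three bucket-less '
                                f'actions; {", ".join(needs_name)} need a bucket ARN')
        elif not S3_ARN.match(res):
            findings.append(f"malformed S3 ARN {res!r}: expected arn:aws:s3:::bucket[/key]")
    # Object-level actions are matched against bucket/key, not the bare bucket ARN.
    if any(a in OBJECT_LEVEL for a in s3_actions) and not any("/" in r for r in resources):
        findings.append("object-level actions present but no arn:aws:s3:::bucket/* resource")
    return findings


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Lint every statement in an IAM policy document, prefixing each finding."""
    out: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        out.extend(f"statement {i}: {f}" for f in lint_s3_statement(stmt))
    return out
```

Running lint_policy over a step-2 policy whose resource is written as arn:aws:s3::examplebucket (one colon short) reports the malformed ARN and the missing object-level resource; the corrected policy above reports nothing.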
Reference:
http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc