October 5, 2016 | Mike Wilkerson
In this three-part series, we’re looking at ways to grant a third-party AWS account permission to access objects in our S3 bucket with Server Side Encryption (SSE) enabled. Part 1 of this blog series covered the steps performed in the account that hosts the KMS-encrypted bucket (Account A). This part focuses on the other end: the third-party account (Account B) being granted access.
Step 3: IAM Policy for User B
We’ve got the necessary pieces set up on our end, but now User B needs a policy statement allowing the user to assume the role that we just created in our account. A sample policy looks like the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::ACCOUNT-NUMBER-A:role/ACCOUNT-A-IAM-ROLE"
        }
    ]
}
Using our new Role
Let’s say that User B wants to use the cross-account role to copy all objects from the bucket to a local directory. The easiest way to use a cross-account role with the AWS CLI tool is to create an additional profile in your AWS CLI configuration.
Add AWS CLI profile:
User B adds the following to the AWS CLI config file (~/.aws/config on Unix-based systems):
[profile USER-B-CROSS-ACCOUNT-PROFILE]
role_arn = arn:aws:iam::ACCOUNT-NUMBER-A:role/ACCOUNT-A-IAM-ROLE
source_profile = ORIGINAL-USER-B-PROFILE
external_id = EXTERNAL-ID-FROM-STEP-2
s3 =
    signature_version = s3v4
- The source profile is whatever AWS CLI profile User B was previously using with Account B.
- This assumes that we’ve given User B the External ID that we created with our IAM Role. Without it, User B will not be able to assume the Role.
- KMS encryption with S3 requires signature version 4, which is what the s3 signature_version = s3v4 setting at the end of this config selects.
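Before User B runs any aws commands, it is worth checking locally that the two pieces above line up: the Account B policy actually allows sts:AssumeRole on the Account A role ARN, and the cross-account CLI profile has a role_arn, a source_profile that exists, an external_id, and SigV4 signing for S3. The following script is an added example, not code from the original post; it makes no AWS calls and uses constructed sample inputs with the same placeholder names (ACCOUNT-NUMBER-A, ACCOUNT-A-IAM-ROLE, USER-B-CROSS-ACCOUNT-PROFILE, ORIGINAL-USER-B-PROFILE, EXTERNAL-ID-FROM-STEP-2) that the post uses.

```python
import configparser
import json

# Constructed sample inputs mirroring the post: the policy attached to User B
# in Account B, and User B's ~/.aws/config with the cross-account profile.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACCOUNT-NUMBER-A:role/ACCOUNT-A-IAM-ROLE"
    }
  ]
}
"""

SAMPLE_CONFIG = """
[profile ORIGINAL-USER-B-PROFILE]
region = us-east-1

[profile USER-B-CROSS-ACCOUNT-PROFILE]
role_arn = arn:aws:iam::ACCOUNT-NUMBER-A:role/ACCOUNT-A-IAM-ROLE
source_profile = ORIGINAL-USER-B-PROFILE
external_id = EXTERNAL-ID-FROM-STEP-2
s3 =
    signature_version = s3v4
"""

# Placeholder ARN from the post; a real deployment substitutes the real role ARN.
ROLE_ARN = "arn:aws:iam::ACCOUNT-NUMBER-A:role/ACCOUNT-A-IAM-ROLE"


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_allows_assume_role(policy_text, role_arn):
    """True if some Allow statement grants sts:AssumeRole on exactly role_arn."""
    policy = json.loads(policy_text)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = _as_list(stmt.get("Resource", []))
        if actions & {"sts:assumerole", "sts:*", "*"} and role_arn in resources:
            return True
    return False


def check_cross_account_profile(config_text, profile_name, role_arn):
    """Return a list of problems with the named cross-account CLI profile.

    An empty list means the profile has everything the post requires: the
    Account A role ARN, a source profile that exists, an External ID (without
    it AssumeRole is refused), and SigV4 signing for S3 (needed for SSE-KMS).
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    section = f"profile {profile_name}"
    if not cfg.has_section(section):
        return [f"profile {profile_name!r} not found"]
    prof = cfg[section]
    problems = []

    if prof.get("role_arn") != role_arn:
        problems.append("role_arn missing or does not match the Account A role")

    source = prof.get("source_profile")
    if not source:
        problems.append("source_profile missing; the CLI has no credentials to call AssumeRole with")
    elif not (cfg.has_section(f"profile {source}")
              or (source == "default" and cfg.has_section("default"))):
        problems.append(f"source_profile {source!r} is not defined in this config")

    if not prof.get("external_id"):
        problems.append("external_id missing; the role's trust policy will reject AssumeRole")

    # configparser reads the indented `s3 =` block as one multi-line value;
    # split it back into key = value pairs to find signature_version.
    s3_settings = {}
    for line in prof.get("s3", "").splitlines():
        if "=" in line:
            key, val = line.split("=", 1)
            s3_settings[key.strip()] = val.strip()
    if s3_settings.get("signature_version") != "s3v4":
        problems.append("s3 signature_version is not s3v4; SSE-KMS requests will fail")

    return problems


if __name__ == "__main__":
    print("policy ok:", policy_allows_assume_role(SAMPLE_POLICY, ROLE_ARN))
    print("profile problems:",
          check_cross_account_profile(SAMPLE_CONFIG, "USER-B-CROSS-ACCOUNT-PROFILE", ROLE_ARN))
```

The profile check is deliberately strict about external_id and s3v4, because those are the two settings whose absence only shows up as an opaque AccessDenied or signature error at aws s3 cp time.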
Use the proper flags for AWS CLI tool:
For this scenario, User B will copy all objects from the S3 bucket in Account A to a local directory:
$ aws s3 cp --sse aws:kms --profile USER-B-CROSS-ACCOUNT-PROFILE s3://ACCOUNT-A-BUCKET-NAME ./ --recursive
Note the following:
- The --sse aws:kms flag tells the CLI tool to set the request headers needed to interact with objects encrypted via KMS.
- The --profile flag tells the CLI tool to use the new cross-account profile in User B’s AWS CLI configuration.
With these steps we have successfully granted the third party access to our KMS-encrypted S3 bucket. We are looking to create another blog post in the future to go into this in more detail; please contact us at [email protected] if this interests you!
Read Part 1 of this blog series here.