Part 3 – Providing cross-account Amazon S3 access for AWS KMS-encrypted objects

November 1, 2016

Part 1 and Part 2 of this blog series covered the steps to be performed on the account that hosts the KMS-encrypted bucket and, on the other end, on the third-party account being granted access. We were able to successfully grant the third party access to copy objects from our encrypted S3 bucket. In this final part, we will look at syncing directly between the buckets.

Syncing buckets across accounts

Referring back to our diagram in the previous blog post, we can see that Account B also has its own S3 bucket. What if User B wants to sync objects directly from our encrypted bucket in Account A back to the S3 bucket in Account B?

The problem we run into here is that once User B has assumed the role we created in Account A, the session carries only that role's permissions, not the policies and access originally granted to User B. We will therefore have to grant access from our cross-account role in Account A back into the S3 bucket in Account B, with the following modifications:

  1. Update the IAM Policy in Account A that we attached to our IAM Role to allow cross-account access to the S3 bucket in Account B.
  2. Update the bucket policy for the S3 bucket in Account B to allow cross-account access from the IAM Role in Account A.

This access from the IAM Policy in Account A back to the S3 bucket in Account B is shown in the following diagram:

Diagram: S3 Cross Account Access With Encryption

The Updated IAM Policy in Account A

First, Account A must update the IAM Policy to allow access from the Account A IAM Role to the S3 bucket in Account B. Appending the necessary statement results in the following updated version of the IAM Policy from Step 1 in the previous blog posts:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::ACCOUNT-A-BUCKET-NAME",
                "arn:aws:s3:::ACCOUNT-A-BUCKET-NAME/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::ACCOUNT-B-BUCKET-NAME",
                "arn:aws:s3:::ACCOUNT-B-BUCKET-NAME/*"
            ]
        }
    ]
}

The Updated Bucket Policy in Account B

Now, we must create or modify the policy on the S3 bucket in Account B to actually grant incoming access to the bucket from the IAM Role in Account A. Because this is a cross-account request, the bucket policy must allow the action as well as the IAM Policy in Account A; sync lists the destination bucket before uploading, so the role needs both s3:ListBucket and s3:PutObject here:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::ACCOUNT-NUMBER-A:role/ACCOUNT-A-IAM-ROLE"
                ]
            },
            "Action": [
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::ACCOUNT-B-BUCKET-NAME",
                "arn:aws:s3:::ACCOUNT-B-BUCKET-NAME/*"
            ]
        }
    ]
}

We can now use the AWS CLI, with the cross-account profile from Part 2, to sync the contents of the bucket in Account A directly to the bucket in Account B:

$ aws s3 sync --sse aws:kms --profile USER-B-CROSS-ACCOUNT-PROFILE s3://ACCOUNT-A-BUCKET-NAME/ s3://ACCOUNT-B-BUCKET-NAME/
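As an added example (not code from the original post), the following Python models the evaluation rule that governs this setup: a cross-account request succeeds only when both the identity policy in Account A and the bucket policy in Account B allow it. It embeds the post's policies with the same placeholder ARNs, handles only Allow statements (no Deny, no Condition), and checks the two calls that aws s3 sync makes against the destination bucket.

```python
import fnmatch

# Constructed from the policies in this post. Cross-account access needs
# BOTH the identity policy in Account A AND the bucket policy in Account B
# to allow the action. Only Allow statements are modelled (no Deny, no
# Condition), which is enough to check the two policies shown above.
ROLE_ARN = "arn:aws:iam::ACCOUNT-NUMBER-A:role/ACCOUNT-A-IAM-ROLE"
BUCKET_B = "arn:aws:s3:::ACCOUNT-B-BUCKET-NAME"

# The Account B statement of the IAM Policy attached to the role in Account A.
IAM_POLICY_A = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:ListBucket"],
     "Resource": [BUCKET_B, BUCKET_B + "/*"]}]}

def bucket_policy_b(actions):
    """Bucket policy for Account B granting `actions` to the Account A role."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": [ROLE_ARN]},
         "Action": actions, "Resource": [BUCKET_B, BUCKET_B + "/*"]}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource, principal=None):
    """True if an Allow statement matches action and resource ('*' wildcards
    honoured); for a resource policy the Principal must match as well."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal is not None:
            arns = _as_list(stmt.get("Principal", {}).get("AWS", []))
            if not any(fnmatch.fnmatchcase(principal, p) for p in arns):
                continue
        if (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))):
            return True
    return False

def sync_checks(identity_policy, bucket_policy):
    """`aws s3 sync` into Account B lists the destination bucket, then uploads
    objects: each call must pass the identity policy AND the bucket policy."""
    needed = [("s3:ListBucket", BUCKET_B),
              ("s3:PutObject", BUCKET_B + "/example.txt")]  # constructed key
    return {action: allows(identity_policy, action, res)
                    and allows(bucket_policy, action, res, principal=ROLE_ARN)
            for action, res in needed}

if __name__ == "__main__":
    print(sync_checks(IAM_POLICY_A, bucket_policy_b(["s3:PutObject"])))
    print(sync_checks(IAM_POLICY_A, bucket_policy_b(["s3:PutObject", "s3:ListBucket"])))
```

A bucket policy in Account B that grants only s3:PutObject leaves the role's s3:ListBucket from the IAM Policy ineffective, so the sync's destination listing is denied even though uploads would be allowed.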


As you can see, with a little engineering you can have the best of both worlds: your data on Amazon S3 stays encrypted with keys managed by AWS KMS, and you can still securely share specific encrypted objects with specific users in third-party accounts that need access to them. If you are interested in having our team help you in your projects, please contact us at info@reancloud.com. Also, if you like these kinds of problems and want to join our team, please contact us at careers@reancloud.com or visit us at http://www.reancloud.com/company/careers/.

Read Part 2 of this blog series here.
