AWS S3 Cross Account Access

In a multi-account AWS setup, you might have a central S3 bucket for dumping RDS backups.
However, if Account DEV dumps the RDS backup file(s) into the shared S3 bucket, which let's say sits inside Account SHARED, then when you try to read that backup file with an IAM user from Account SHARED you are going to get an access denied error: the object is owned by the account that uploaded it (DEV), not by the account that owns the bucket. This is how you can fix it.

First let's see who is the owner of the target S3 object:

$ aws   --profile AccountSharedProfile \
        --region us-east-1 s3api get-object-acl \
        --bucket AccountSharedBucket \
        --key ObjectInAccountSharedBucket

Then we can fix the ACL on that S3 object so that it can be read from Account SHARED. Since the object is owned by Account DEV, this has to be run with a profile for Account DEV (AccountDevProfile below), and that profile must have enough privileges to change the object's ACL:

$ aws   --profile AccountDevProfile \
        --region us-east-1 s3api put-object-acl \
        --bucket AccountSharedBucket \
        --key ObjectInAccountSharedBucket \
        --acl bucket-owner-full-control
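As an added example (not part of the original post), here is a small Python helper that ties the two steps together: it reads the JSON that get-object-acl returns, checks whether the bucket-owning account already holds FULL_CONTROL, and if not builds the exact put-object-acl command to run from the object owner's profile. The canonical IDs, the sample ACL response and the profile name AccountDevProfile are constructed placeholders.

```python
"""Check get-object-acl output for a cross-account S3 object and emit the
fix command from the AWS S3 Cross Account Access procedure above."""
import json
import shlex

# Constructed sample of `aws s3api get-object-acl` output: the object was
# uploaded by Account DEV into a bucket owned by Account SHARED, so the
# only grant on it belongs to DEV. IDs are placeholders, not real canonical IDs.
SAMPLE_ACL = json.dumps({
    "Owner": {"DisplayName": "dev-account", "ID": "1111CANONICALIDDEV"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "1111CANONICALIDDEV",
                     "DisplayName": "dev-account"},
         "Permission": "FULL_CONTROL"},
    ],
})
BUCKET_OWNER_ID = "2222CANONICALIDSHARED"  # Account SHARED (placeholder)


def bucket_owner_has_full_control(acl_json: str, bucket_owner_id: str) -> bool:
    """True when the bucket-owning account already has full control:
    either it owns the object outright or it holds a FULL_CONTROL grant."""
    acl = json.loads(acl_json)
    if acl["Owner"]["ID"] == bucket_owner_id:
        return True
    return any(
        g["Grantee"].get("Type") == "CanonicalUser"
        and g["Grantee"].get("ID") == bucket_owner_id
        and g["Permission"] == "FULL_CONTROL"
        for g in acl.get("Grants", [])
    )


def fix_command(acl_json, bucket_owner_id, bucket, key, region, owner_profile):
    """Return the put-object-acl command line to run, or None if the bucket
    owner can already read the object. The command must be issued with the
    object owner's profile (Account DEV): only the object owner can change
    the ACL of an object that another account does not own."""
    if bucket_owner_has_full_control(acl_json, bucket_owner_id):
        return None
    argv = ["aws", "--profile", owner_profile, "--region", region,
            "s3api", "put-object-acl", "--bucket", bucket, "--key", key,
            "--acl", "bucket-owner-full-control"]
    return shlex.join(argv)


if __name__ == "__main__":
    print(fix_command(SAMPLE_ACL, BUCKET_OWNER_ID, "AccountSharedBucket",
                      "ObjectInAccountSharedBucket", "us-east-1",
                      "AccountDevProfile"))
```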