Tags: amazon-web-services, amazon-s3, aws-policies

Grant S3 bucket access to all principals in organization


Scenario:

I have 3 AWS root accounts in the same organization.

  1. [email protected]
  2. [email protected]
  3. [email protected]

user1 created an S3 bucket B1. I want user2 and admin to be able to see and browse B1 on their own S3 dashboard. Is this possible? What policy (or policies) do I need to create? Where do I create these policies, and how do I create them?

**The original question has been edited. Some answers below might not be relevant any more.**


Solution

  • As far as I know, I cannot do the S3 bucket console sharing between root users. I've finally managed to share the bucket created by user1 with an IAM user.

    Steps for Root User

    1. Login into AWS console and go to IAM
    2. Create group
    3. Create IAM policy i.e. allowing S3 full access (see below)
    4. Attach policy to group
    5. Create IAM user
    6. For Access type choose AWS Management Console access
    7. Add user to the group you created in step 1
    8. Follow through until you click on create user button

    IAM Policy

    {
       "Version": "2012-10-17",
       "Statement": [
          {
             "Effect": "Allow",
             "Action": "s3:*",
             "Resource": "*",
             "Condition": {
                "StringEquals": {
                   "aws:PrincipalOrgID": "o-xxxvvvwww8"
                }
             }
          }
       ]
    }
    

    EDIT:

    After rigorous trial & error testing, it seems that we don't even need a bucket policy for this to work. I've removed the bucket policy and it all still works!

    Steps for IAM User

    1. Log into AWS console as IAM user
    2. Go to S3 console. You should be able to see and browse all buckets and objects created by all organization members

    Note

    Your IAM user would not be able to see the bucket listed on its S3 console dashboard. That shared bucket can only be accessed through a direct link. So your root user must provide the URL, i.e. https://s3.console.aws.amazon.com/s3/buckets/bucket1/, to your IAM user.
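As an added example that is not part of the answer above: the documented way to let every principal in an organization reach one bucket is a resource-based bucket policy in the bucket owner's account, keyed on `aws:PrincipalOrgID`, scoped to the bucket's own ARN and to list/read actions rather than `s3:*` on `*`. It reuses the placeholder org ID and the `bucket1` name that appear on this page; the `Sid` values are illustrative. Principals in the other accounts still need an identity-based policy in their own account that allows the same actions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOrgPrincipalsToListBucket",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket1",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-xxxvvvwww8"
        }
      }
    },
    {
      "Sid": "AllowOrgPrincipalsToReadObjects",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket1/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-xxxvvvwww8"
        }
      }
    }
  ]
}
```

Because `Principal` is `*`, the `aws:PrincipalOrgID` condition is the only thing keeping this grant inside the organization, so it must never be dropped from either statement. Even with this policy attached, the bucket still does not appear in another account's bucket list (`s3:ListAllMyBuckets` only returns buckets the calling account owns), which is why the direct console URL in the Note above is needed.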