Tags: amazon-web-services, amazon-s3, amazon-ec2, aws-lambda, amazon-elastic-beanstalk

I want to set up an EC2 instance in account A so that it can access buckets in both account A and another account B. How?


I saw the official documentation https://aws.amazon.com/premiumsupport/knowledge-center/s3-instance-access-bucket/ which says to create a role in both accounts and attach it! I had another solution: create an IAM user in account B, grant it only S3 bucket permissions, and configure the EC2 instance in account B with that user. So if I do that, will it work? And can the EC2 instance still access the S3 bucket in its own account?


Solution

It appears that your situation is:

  • Amazon EC2 instance in Account A
  • Amazon S3 bucket in Account A (Bucket-A)
  • Amazon S3 bucket in Account B (Bucket-B)
  • You would like the EC2 instance to be able to access both buckets

You should do the following:

  • Create an IAM Role (Role-A) for the Amazon EC2 instance with:
    • Permission to access Bucket-A, and
    • Permission to access Bucket-B
  • Add a bucket policy to Bucket-B that permits access to the bucket from Role-A (this will grant "cross-account access")

That's it! The instance will be able to access Bucket-A due to permissions in the IAM Role, and it will be able to access Bucket-B due to permissions in both the IAM Role and the bucket policy.
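The following is an added example, not code from the original question or answer. It writes out the three policy documents the answer describes (the EC2 trust policy for Role-A, Role-A's identity policy covering both buckets, and Bucket-B's bucket policy naming Role-A as principal) and models the evaluation rule that makes the answer work: inside one account either the identity policy or the resource policy is enough, but across accounts both sides must allow. The account IDs, ARNs and bucket names are assumed placeholders, and the evaluator ignores SCPs, permission boundaries and session policies that a real request would also pass through.

```python
"""Added example (not from the original post): a minimal model of how a request
from an EC2 instance role is evaluated against an S3 bucket in the same account
versus one in another account. All identifiers below are assumed placeholders."""
import fnmatch

ACCOUNT_A = "111111111111"   # assumed: account holding the instance and Bucket-A
ACCOUNT_B = "222222222222"   # assumed: account holding Bucket-B
ROLE_A_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/Role-A"

# Trust policy on Role-A: lets the EC2 service assume it via an instance profile.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Identity-based policy attached to Role-A: permissions on BOTH buckets.
ROLE_A_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::bucket-a", "arn:aws:s3:::bucket-b"]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::bucket-a/*", "arn:aws:s3:::bucket-b/*"]},
    ],
}

# Bucket policy on Bucket-B (Account B): grants Role-A from Account A.
BUCKET_B_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ROLE_A_ARN},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::bucket-b"},
        {"Effect": "Allow", "Principal": {"AWS": ROLE_A_ARN},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::bucket-b/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource, principal=None):
    """True if the statement's Principal (when checked), Action and Resource
    all match the request; IAM-style '*' wildcards are honoured."""
    if principal is not None:
        p = stmt.get("Principal", {})
        allowed = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if "*" not in allowed and principal not in allowed:
            return False
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def _decision(policy, action, resource, principal=None):
    """Return 'Deny', 'Allow' or None (no statement matched). Explicit Deny wins."""
    decision = None
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, principal):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(principal_arn, principal_account, action, resource,
               identity_policy, bucket_policy, bucket_account):
    """Simplified S3 authorisation: same-account requests need an Allow from
    either policy; cross-account requests need an Allow from BOTH."""
    ident = _decision(identity_policy, action, resource)
    bucket = (_decision(bucket_policy, action, resource, principal_arn)
              if bucket_policy else None)
    if "Deny" in (ident, bucket):
        return False
    if principal_account == bucket_account:
        return "Allow" in (ident, bucket)
    return ident == "Allow" and bucket == "Allow"


if __name__ == "__main__":
    # Bucket-A (same account, no bucket policy): the role policy alone suffices.
    print(is_allowed(ROLE_A_ARN, ACCOUNT_A, "s3:GetObject", "arn:aws:s3:::bucket-a/x.txt",
                     ROLE_A_POLICY, None, ACCOUNT_A))
    # Bucket-B (cross-account): role policy AND bucket policy are both required.
    print(is_allowed(ROLE_A_ARN, ACCOUNT_A, "s3:GetObject", "arn:aws:s3:::bucket-b/x.txt",
                     ROLE_A_POLICY, BUCKET_B_POLICY, ACCOUNT_B))
    print(is_allowed(ROLE_A_ARN, ACCOUNT_A, "s3:GetObject", "arn:aws:s3:::bucket-b/x.txt",
                     ROLE_A_POLICY, None, ACCOUNT_B))
```

Two practical notes on the cross-account step. First, the bucket policy must name the role ARN (`arn:aws:iam::<A>:role/Role-A`), not the instance or an access key; the instance obtains Role-A's temporary credentials through its instance profile, so nothing long-lived is stored on the host. Second, if Role-A will write into Bucket-B, check Bucket-B's Object Ownership setting: with "Bucket owner enforced" (the default for new buckets) Account B owns every object written, whereas with the legacy ACL modes Account A would own the objects it uploads and Account B might be unable to read them without an additional ACL grant.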