cross-account-access between 3 AWS accounts using

2019-08-29 07:48发布

问题:

We have a service in AWS-Account-A which will copy some files with ACL: 'bucket-owner-full-control' to a s3 bucket in AWS-Account-B . Now there is a AWS-Account-C which already have a assumeRule ( which a S3 Read access policy is attached to it ) from AWS-Account-B, and S3 bucket policy already gave read access to AWS-Account-C rules, So the problem is, AWS-Account-C : Can't read those files which uploaded from AWS-Account-A and only CAN read files which uploaded using AWS-Account-B itself.

I know it's a reallay compliated secnario, but as far as I understand, it's a ownership problem. The bucket policy applies only to objects that are owned by the bucket owner, So it's like , X own some files, and he copy it to Y, now Z can't get it from Y, because it's not owned by Y.

If anyone faced to this kind of sencarios before and have solution, I really appreciate it to give some guidance.

回答1:

Your problem is that you used Account-A to copy files to a bucket owned by Account-B but now the copied files are owned by Account-A. This is why Account-C cannot access them. Account-C does not have the required permission.

The correct procedure is to create a role in Account-B to be assumed by Account-A. Then before Account-A copies file to the bucket in Account-B, it assumes the Account-B role. Now files copied to the bucket will be owned by Account-B.

For the files currently in the Account-B bucket, while using Account-B's credentials do an inplace copy. This will switch the ownership to Account-B.

Here is an example inplace copy. Note: No data is transferred over the internet just within S3 so it executes quickly.

aws s3 cp s3://mybucket/mykey s3://mybucket/mykey --storage-class STANDARD

The '--recursive' argument to apply to an entire folder of keys.

Warnings:

1) All custom metadata and existing permissions will be lost.

2) Ensure you have backups of your data prior to executing a command such as this.