Terraform: Cross Account S3 Bucket Access Control
Sat, Feb 24, 2018

Whilst auditing a set of organizational AWS accounts, I wanted to consolidate operational S3 buckets into a single account and grant access as required. It might not be immediately obvious the first time you do this, so this post is a bit of a primer on cross-account S3 access control, and on implementing it with Terraform.

Connecting a remote IAM principal to an S3 bucket involves two distinct steps. First, you create a trust relationship with the remote AWS account by specifying its account ID in the S3 bucket policy. Second, the remote AWS account delegates that access to its own IAM users (or roles) by naming the bucket in an identity policy. Because the S3 namespace is global, policies in the remote account can resolve the bucket by name. The S3 bucket policy might look something like this.
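The two steps above as one Terraform configuration. This is an added example, not the post's own code: the account IDs `111111111111` (bucket owner) and `222222222222` (remote account), the bucket name, the policy name and the `ops-reader` role are constructed placeholders, and the two provider aliases assume you have credentials for both accounts.

```hcl
# Added example (not the post's own code): cross-account S3 access in Terraform.
# Assumptions: the bucket lives in the "central" account 111111111111 and the
# consumer is account 222222222222; both IDs, the bucket name, the policy name
# and the role name are constructed placeholders.

provider "aws" {
  alias  = "central" # credentials for the bucket-owning account
  region = "us-east-1"
}

provider "aws" {
  alias  = "remote" # credentials for the account that needs access
  region = "us-east-1"
}

locals {
  remote_account_id = "222222222222"             # placeholder
  bucket_name       = "example-ops-logs-central" # placeholder
}

# Step 1: the bucket and its policy live in the central account. The policy
# trusts the remote account's root principal; the remote account then decides
# which of its own roles or users may actually use that trust.
resource "aws_s3_bucket" "ops" {
  provider = aws.central
  bucket   = local.bucket_name
}

data "aws_iam_policy_document" "bucket_trust" {
  statement {
    sid    = "AllowRemoteAccountList"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.remote_account_id}:root"]
    }
    # Least privilege: list and read only, never s3:* and no put/delete.
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.ops.arn]
  }
  statement {
    sid    = "AllowRemoteAccountGetObject"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.remote_account_id}:root"]
    }
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.ops.arn}/*"]
  }
}

resource "aws_s3_bucket_policy" "ops" {
  provider = aws.central
  bucket   = aws_s3_bucket.ops.id
  policy   = data.aws_iam_policy_document.bucket_trust.json
}

# Step 2: inside the remote account, an identity policy grants a role access to
# the bucket by name. S3 bucket ARNs carry no account ID, so the same ARN is
# valid from either account. Both this policy and the bucket policy must allow
# the action; if either one omits or denies it, the request is refused.
data "aws_iam_policy_document" "remote_reader" {
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${local.bucket_name}"]
  }
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${local.bucket_name}/*"]
  }
}

resource "aws_iam_policy" "remote_reader" {
  provider = aws.remote
  name     = "central-ops-bucket-reader" # placeholder name
  policy   = data.aws_iam_policy_document.remote_reader.json
}

resource "aws_iam_role_policy_attachment" "remote_reader" {
  provider   = aws.remote
  role       = "ops-reader" # placeholder: an existing role in the remote account
  policy_arn = aws_iam_policy.remote_reader.arn
}
```

Trusting the remote account's `:root` principal hands the delegation decision to that account's administrators; if only one role should ever reach the bucket, name that role's ARN in the bucket policy instead and keep the trust as narrow as the identity policy. If the remote account will also write objects, note that objects it uploads are owned by the remote account unless the bucket's Object Ownership setting is configured to enforce bucket-owner ownership, so a read-only grant like the one above avoids that ownership split entirely.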