Amazon S3 (Simple Storage Service) is one of the most powerful and popular services offered by AWS. However, in multi-account architectures, accessing S3 buckets across different AWS accounts can be tricky. This is where AWS cross account S3 access comes in.
In this blog, we’ll break down what cross-account access is, why it’s used, and how you can set it up securely using best practices.
What is AWS Cross Account S3 Access?
AWS cross account S3 access refers to the ability for one AWS account (Account B) to access or manipulate an S3 bucket owned by another AWS account (Account A). This is especially useful for organizations using multiple AWS accounts for development, testing, or billing separation.
Why Use Cross Account Access in S3?
There are several scenarios where AWS cross account S3 access becomes essential:
- Sharing logs or reports between teams
- Centralizing backups across different environments
- Allowing third-party vendors or clients controlled access
- Simplifying data workflows in multi-account setups
Using IAM roles and bucket policies, you can ensure secure and controlled access across accounts.
How to Set Up AWS Cross Account S3 Access
There are two common ways to enable cross account S3 access:
1. Using Bucket Policy (Recommended for Read-Only Access)
You can allow another account to access your bucket by editing the bucket policy like this:
jsonCopyEdit{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-B-ID:root"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your-bucket-name/*"
}
]
}
2. Using IAM Role (Recommended for Write Access or More Control)
Create a role in Account A with a trust relationship allowing Account B to assume it. Then allow the role to perform actions on the bucket.
Trust Relationship in Role:
jsonCopyEdit{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-B-ID:root"
},
"Action": "sts:AssumeRole"
}
Then, Account B can assume the role using the AWS SDK or CLI.
Best Practices for Cross Account S3 Access
- 🔐 Use least privilege: Only allow necessary actions (e.g.,
GetObject,PutObject). - ✅ Use IAM roles over long-term credentials.
- 📁 Enable S3 access logging to monitor access patterns.
- 🔄 Rotate access roles and review policies regularly.
- 🔑 Use KMS encryption with proper cross-account key permissions for sensitive data.
Common Issues and Fixes
- Access Denied Error: Check if both the bucket policy and IAM role allow access.
- KMS Decryption Failure: Ensure both accounts are allowed to use the KMS key.
- Object Not Found: Verify the path and permissions.
Conclusion
Setting up AWS cross account S3 access is a smart way to share resources securely across multiple AWS accounts. Whether you’re a developer, DevOps engineer, or cloud architect, understanding how to configure this access properly can save you time, money, and frustration.
Need help managing your AWS accounts or automating cross-account setups? You can also explore verified AWS accounts or consult with AWS-certified partners for the best solutions.