Understanding Cross-Account Access to S3 Buckets with IAM Roles

all aws amazon s3 aws security aws storage s3 security Feb 06, 2024


Navigating the AWS landscape, especially when it comes to accessing resources across different accounts, can seem daunting at first. However, AWS simplifies this process through the use of IAM (Identity and Access Management) roles. In this post, we'll explore how we can leverage cross-account IAM roles to access S3 buckets in a different AWS account. This post will try to be straightforward, providing a high-level overview followed by easy steps to achieve cross-account access.

Understanding Cross-Account Access

Cross-account access allows users or services in one AWS account to access resources in another AWS account. This is particularly useful in scenarios where businesses have multiple AWS accounts for different environments (development, testing, production) or departments (IT, Finance, HR) and need to share data stored in Amazon S3 buckets across these accounts securely.

High-Level Overview

To facilitate cross-account access to an S3 bucket, we essentially need to perform two main tasks:

  1. Create an IAM Role in the Account Owning the S3 Bucket: This role will have policies attached that define what actions are allowed on the S3 bucket (e.g., read-only access) and specify which accounts can assume this role.

  2. Grant Access to the IAM Role from the Other Account: This involves configuring the IAM users, groups, or services in the other account to assume the role created in step 1, enabling them to access the S3 bucket as per the role's policies.

Step-by-Step Guide

Step 1: Create an IAM Role for Cross-Account Access

  1. Log into the AWS Management Console of the account owning the S3 bucket.
  2. Navigate to IAM > Roles > Create role.
  3. Select Another AWS account and enter the Account ID of the account that needs access to your S3 bucket.
  4. Optionally, we can require users to use MFA (Multi-Factor Authentication) to assume the role.
  5. Attach policies that grant the necessary permissions on the S3 bucket. For example, AmazonS3ReadOnlyAccess or a custom policy if we need more specific permissions.
  6. Complete the role creation process and note the Role ARN (Amazon Resource Name).

Step 2: Access the S3 Bucket from the Other Account

  1. Log into the AWS Management Console of the account needing access to the S3 bucket.
  2. Navigate to IAM > Users or Roles (depending on whom we want to grant access).
  3. Edit the policy attached to the user or role to include permission to assume the cross-account role. This is done by adding an action named "sts:AssumeRole" and specifying the ARN of the role created in Step 1.
  4. Use AWS CLI, SDKs, or the AWS Management Console to access the S3 bucket by assuming the cross-account role.


Cross-account IAM roles offer a powerful and secure way to share resources, like S3 buckets, between AWS accounts. By following the steps outlined above, you can set up cross-account access efficiently, ensuring that your data is accessible to the right people or services, regardless of the AWS account they reside in.

Stay connected with news and updates!

Join our mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.

We hate SPAM. We will never sell your information, for any reason.