
Cross-Account Access for Bucket Objects in S3 Beat

This section explains how to let S3 Beat, running with credentials from one AWS account (account B), read objects from an S3 bucket owned by a different account (account A), with object-created events delivered through an SQS queue that account B owns.

Prerequisites

  • At least two accounts in AWS (in this example, account A and account B)
  • An AWS S3 bucket for account A (bucket owner) in region R
  • An Amazon SQS (Simple Queue Service) queue for account B in the same region R

Create an AWS S3 Bucket

  1. Sign in to the AWS Management Console.

  2. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ with the login credentials for account A.

  3. Click Create bucket.

    The Create bucket wizard appears.

  4. In the Bucket name field, enter a DNS-compliant name for your bucket. The bucket name must:

    • Be unique across all of Amazon S3.

    • Be between 3 and 63 characters long.

    • Not contain uppercase characters.

    • Start with a lowercase letter or number.

  5. In the Region field, choose the AWS Region where you want the bucket to reside. In this case, choose region R.

  6. In Bucket settings for Block Public Access, select the Block Public Access settings that you want to apply to the bucket.

    Do not clear the Block all public access default settings.

  7. Click Create bucket. In this example, it is named bucket X.

Create an AWS SQS

Follow the instructions in Create a Simple Queue Service (SQS) in AWS using credentials for account B, and make sure the queue you create is in region R (S3 can only deliver event notifications to a queue in the bucket's own region).

In this example, the queue is called queue Q.

Add Necessary Permissions in Bucket X to Allow Account B to Access Its Objects

  1. Go to https://console.aws.amazon.com/s3/ and type bucket X in the search box. Click the bucket in the drop-down list.

  2. Click the Permissions Tab.

  3. Click Access Control List.

  4. Click Add account.

  5. Enter the Canonical ID of account B.

    To find the Canonical ID of your account, follow the steps in Get Canonical ID.


  6. Select the List objects and Read bucket permissions, and then click Save.

    Account B is now granted those permissions on bucket X through the bucket ACL. The ACL grant applies to the whole of account B; the bucket policy in the next steps is what scopes the access to the read-only actions s3beat needs. If Object Ownership for the bucket is set to Bucket owner enforced, ACLs are disabled and this step is not available; in that case rely on the bucket policy alone.
  7. Click the Bucket Policy tab.

  8. Paste the bucket policy below into the editor space.

    Replace account B with the 12-digit account ID of account B and bucket X with the name of the bucket.

    The principal arn:aws:iam::account B:root grants access to account B as a whole; which IAM users and roles in account B can actually use it is then decided by their own IAM policies. To limit the grant to the single identity that runs s3beat, put the ARN of that IAM user or role in the Principal element instead of the account root.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Example permissions",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::account B:root"
          },
          "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket"
          ],
          "Resource": "arn:aws:s3:::bucket X"
        },
        {
          "Sid": "permissions 2",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::account B:root"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::bucket X/*"
        }
      ]
    }

  9. Click Save.
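The same bucket policy, built from the two placeholders and checked before it is applied, as an added example that is not part of the S3 Beat documentation or product. The account ID 111122223333, the bucket name bucket-x and the role name s3beat are constructed values; the check function encodes the rules a reviewer would apply to this policy (no anonymous principal, resources limited to bucket X, read-only actions only), and the optional role argument shows how to narrow the grant from the account root to one IAM role.

```python
"""Build and sanity-check the cross-account bucket policy for bucket X.

Added example (not S3 Beat documentation or code). Builds the policy shown
in the steps above from its placeholders, then checks it against a few
least-privilege rules before it is applied with boto3.
"""
import json
from typing import List, Optional

# Assumed placeholder values (constructed); replace with the real 12-digit
# account ID of account B and the real name of bucket X.
ACCOUNT_B = "111122223333"
BUCKET_X = "bucket-x"

# The only actions s3beat needs on the bucket: locate it, list it, read objects.
READ_ONLY_ACTIONS = {"s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject"}


def build_bucket_policy(account_id: str, bucket: str,
                        role_name: Optional[str] = None) -> dict:
    """Return the bucket policy from the page.

    With role_name=None the principal is the account root, exactly as on the
    page: that delegates to every IAM identity in account B whose own IAM
    policy allows these S3 actions. Passing the name of the IAM role that runs
    s3beat narrows the grant to that one identity.
    """
    principal = (f"arn:aws:iam::{account_id}:root" if role_name is None
                 else f"arn:aws:iam::{account_id}:role/{role_name}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Example permissions",
                "Effect": "Allow",
                "Principal": {"AWS": principal},
                "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "permissions 2",
                "Effect": "Allow",
                "Principal": {"AWS": principal},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in Principal, Action and Resource."""
    return value if isinstance(value, list) else [value]


def check_bucket_policy(policy: dict, bucket: str) -> List[str]:
    """Return a list of findings; an empty list means the policy passes.

    Rules: no anonymous principal, every Allow scoped to this bucket (the
    bucket ARN itself or keys under it), and only the read actions above.
    """
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: grants access to the anonymous principal '*'")
        for res in _as_list(stmt.get("Resource", [])):
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: resource {res} is outside {bucket_arn}")
        for action in _as_list(stmt.get("Action", [])):
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"{sid}: action {action} is not read-only")
    return findings


def apply_bucket_policy(policy: dict, bucket: str) -> None:
    """Apply the policy with account A credentials (needs boto3 and network)."""
    import boto3  # imported here so the rest of the module runs offline
    boto3.client("s3").put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))


if __name__ == "__main__":
    policy = build_bucket_policy(ACCOUNT_B, BUCKET_X)
    print(json.dumps(policy, indent=2))
    print("findings:", check_bucket_policy(policy, BUCKET_X) or "none")
```

Run the module to print the policy and its findings; call apply_bucket_policy only from a session that holds account A credentials, since the bucket owner is the only party that can set the bucket policy.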

Configure SQS Events in Bucket X

  1. Log in to https://console.aws.amazon.com/s3/ with the credentials for account A.

  2. In the search bar, enter bucket X.

  3. Click the name of the bucket, and then click the Properties tab.

  4. Under Advanced settings, click Events.

  5. Click Add notification.

  6. Configure the following settings:

    1. Name. Enter any name.

    2. Events. Select the events you need to be notified of—for example, All object create events.

    3. Send to. Select the destination queue where you want to send events. In this example, click Add SQS queue ARN, because the queue resides in a different account and is not listed.

    4. Enter the ARN of the SQS queue. For example, arn:aws:sqs:region R:account B:queue Q.

      Before you save, make sure the access policy of queue Q (set in account B) allows the S3 service principal s3.amazonaws.com to call sqs:SendMessage on the queue, with a condition that limits the source to the ARN of bucket X. S3 validates the destination when the notification is saved and rejects the configuration if the queue does not accept messages from the bucket.


  7. Click Save.

  8. If you have configured the event correctly, the Events tile shows the active notifications. S3 also sends one s3:TestEvent message to queue Q when the configuration is saved; consumers must expect it.

  9. Configure the s3beat service with the following input values:

    • Access key ID of an IAM user in account B
    • Secret access key of that IAM user
    • queuename:region (for example, queueQ:regionR)

    The IAM user that owns these keys also needs an IAM policy in account B that allows s3:GetBucketLocation, s3:ListBucket and s3:GetObject on bucket X and sqs:ReceiveMessage and sqs:DeleteMessage on queue Q. The bucket policy above only delegates access to account B; it does not by itself authorize any particular user in that account.

s3beat, running with account B credentials, can now read the objects in bucket X, which account A owns, as object-created events arrive on queue Q.

To start the s3beat service, see Initialize the AWS S3 Beat.
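The account B side of the setup above, as an added example that is not part of the S3 Beat documentation or product: the queue access policy that lets S3 deliver bucket X's events to queue Q, the notification configuration that the console creates for bucket X, and a small parser for the messages that arrive on the queue, which skips the s3:TestEvent message and URL-decodes object keys the way S3 encodes them. The account IDs, region, bucket and queue names and the two sample messages are constructed values.

```python
"""Queue policy, notification configuration and event parsing for queue Q.

Added example (not S3 Beat documentation or code). Account B must let the S3
service principal deliver to queue Q, the notification on bucket X points at
the queue ARN, and the consumer must recognise the one s3:TestEvent message
that S3 sends when the notification is saved.
"""
import json
from typing import List, Tuple
from urllib.parse import unquote_plus

# Assumed placeholder values (constructed); replace with the real ones.
ACCOUNT_A = "444455556666"   # bucket owner
ACCOUNT_B = "111122223333"   # queue owner, runs s3beat
REGION_R = "us-east-1"
BUCKET_X = "bucket-x"
QUEUE_Q = "queue-q"
QUEUE_ARN = f"arn:aws:sqs:{REGION_R}:{ACCOUNT_B}:{QUEUE_Q}"


def build_queue_policy(queue_arn: str, bucket: str, bucket_owner: str) -> dict:
    """Queue access policy for account B: only S3, only on behalf of bucket X.

    aws:SourceArn pins the sending bucket and aws:SourceAccount pins its owner,
    so no other bucket, in any account, can write into queue Q.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3BucketXToSendToQueueQ",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {
                "ArnEquals": {"aws:SourceArn": f"arn:aws:s3:::{bucket}"},
                "StringEquals": {"aws:SourceAccount": bucket_owner},
            },
        }],
    }


def build_notification_config(queue_arn: str,
                              name: str = "s3beat-object-created") -> dict:
    """Notification configuration for bucket X: all object-create events to queue Q."""
    return {"QueueConfigurations": [{
        "Id": name,
        "QueueArn": queue_arn,
        "Events": ["s3:ObjectCreated:*"],
    }]}


def parse_s3_event(body: str) -> List[Tuple[str, str]]:
    """Return (bucket, key) pairs from one SQS message body.

    Skips the s3:TestEvent S3 sends when the notification is configured and
    any record that is not an object-created event. S3 URL-encodes keys in
    notifications (a space becomes '+'), so keys are decoded here.
    """
    payload = json.loads(body)
    if payload.get("Event") == "s3:TestEvent":
        return []
    objects = []
    for record in payload.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3 = record["s3"]
        objects.append((s3["bucket"]["name"], unquote_plus(s3["object"]["key"])))
    return objects


# Constructed sample messages, shaped like what S3 puts on the queue.
TEST_EVENT = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent",
                         "Bucket": BUCKET_X})
CREATE_EVENT = json.dumps({"Records": [{
    "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": BUCKET_X, "arn": f"arn:aws:s3:::{BUCKET_X}"},
           "object": {"key": "logs/2024/app+log.gz", "size": 1024}}}]})


def apply_with_boto3() -> None:
    """Apply both sides (needs boto3, network and credentials for each account)."""
    import boto3  # imported here so the rest of the module runs offline
    # With account B credentials: attach the queue policy.
    sqs = boto3.client("sqs", region_name=REGION_R)
    url = sqs.get_queue_url(QueueName=QUEUE_Q)["QueueUrl"]
    sqs.set_queue_attributes(QueueUrl=url, Attributes={
        "Policy": json.dumps(build_queue_policy(QUEUE_ARN, BUCKET_X, ACCOUNT_A))})
    # With account A credentials: point the bucket notification at the queue.
    boto3.client("s3").put_bucket_notification_configuration(
        Bucket=BUCKET_X,
        NotificationConfiguration=build_notification_config(QUEUE_ARN))


if __name__ == "__main__":
    print(json.dumps(build_queue_policy(QUEUE_ARN, BUCKET_X, ACCOUNT_A), indent=2))
    for body in (TEST_EVENT, CREATE_EVENT):
        print(parse_s3_event(body))
```

The queue policy must be in place before the notification is saved in account A, because S3 checks that it can deliver to the queue at that point. apply_with_boto3 performs the two calls in that order, but each needs the matching account's credentials, so in practice they are run from two sessions.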
