Grant External Users Access to Your Amazon S3 Bucket

Generic Description

Take the scenario where an external client needs the ability to upload objects to an S3 bucket that you own.

Things that you will need from the external party

  • Their AWS account ID (e.g. 1234-5678-1234)

Create the S3 bucket

  1. Enter the bucket name and region
  2. Select default encryption (SSE-S3, which uses AES-256)
  3. Ensure that public access is never granted by using the defaults enabled:
    • Manage public access control lists (ACLs) for this bucket:
      • Block new public ACLs and uploading public objects
      • Remove public access granted through public ACLs
    • Manage public bucket policies for this bucket
      • Block new public bucket policies
      • Block public and cross-account access if bucket has public policies
  4. Ensure encryption in transit by adding the following bucket policy in the Permissions tab
     (it denies every request that does not use TLS, for the bucket itself as well as its objects):
     {"Version": "2012-10-17",
      "Statement": [{"Effect": "Deny",
                     "Principal": "*",
                     "Action": "s3:*",
                     "Resource": ["arn:aws:s3:::BUCKET_NAME",
                                  "arn:aws:s3:::BUCKET_NAME/*"],
                     "Condition": {"Bool": {"aws:SecureTransport": "false"}}
                    }]
     }
    
  5. Enable S3 Server Access Logging
    • Choose a target bucket in the Properties tab
       Target bucket = aws-logs-XXXXXXXXX-us-east-1
       Target prefix = s3/CLIENT_NAME/
      

Create an IAM Policy for the role

  1. Create a new policy named “CLIENT_NAME-ExtRole” using the following
     (it grants listing on the bucket and object read/write/delete on its contents, nothing else):
     {"Version": "2012-10-17",
      "Statement": [{"Effect": "Allow",
                     "Action": ["s3:ListBucket"],
                     "Resource": ["arn:aws:s3:::BUCKET_NAME"]},
                    {"Effect": "Allow",
                     "Action": ["s3:PutObject",
                                "s3:GetObject",
                                "s3:DeleteObject"],
                     "Resource": ["arn:aws:s3:::BUCKET_NAME/*"]}]
     }
    

Create an IAM role

  1. Create a new role and choose Another AWS account as the trusted entity.
    • Enter the external party’s AWS account ID
    • Tick Require External ID and enter a unique ID, HMI-CLIENT_NAME (the external ID is what stops a third party that also has access to the client’s credentials from using the client as a confused deputy to assume this role)
  2. Attach the previously-created IAM policy.
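The two console choices above produce a role trust policy that this runbook does not show. The following is an added example, not part of the runbook or of AWS tooling: it builds that trust-policy document and checks offline which AssumeRole requests it admits, to show why the external ID matters. The account ID 123456781234 is a constructed placeholder and assume_role_allowed is a hypothetical helper that only approximates the real STS evaluation.

```python
import json
from typing import Optional

# Constructed placeholder values following the runbook's naming; replace with real ones.
EXTERNAL_ACCOUNT_ID = "123456781234"  # 12 digits, written without dashes in ARNs
EXTERNAL_ID = "HMI-CLIENT_NAME"


def trust_policy(external_account_id: str, external_id: str) -> dict:
    """Trust policy that 'Another AWS account' + 'Require External ID' produce:
    only principals in that account may assume the role, and only when they
    pass this exact external ID in the AssumeRole call."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{external_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def assume_role_allowed(policy: dict, caller_account: str,
                        external_id: Optional[str]) -> bool:
    """Offline approximation of the STS trust-policy check (hypothetical helper).
    True only if an Allow statement names the caller's account as principal and
    its sts:ExternalId condition matches what the caller supplied; a request
    that omits the external ID never satisfies a StringEquals condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt.get("Principal", {}).get("AWS") != f"arn:aws:iam::{caller_account}:root":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or (external_id is not None and external_id == required):
            return True
    return False


if __name__ == "__main__":
    policy = trust_policy(EXTERNAL_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    # The client that supplies the agreed external ID is admitted; a request that
    # lacks it (the confused-deputy case) or comes from another account is not.
    print(assume_role_allowed(policy, EXTERNAL_ACCOUNT_ID, EXTERNAL_ID))  # True
    print(assume_role_allowed(policy, EXTERNAL_ACCOUNT_ID, None))         # False
    print(assume_role_allowed(policy, "999999999999", EXTERNAL_ID))       # False
```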

Handoff

Provide the external party with the following information:

S3 Bucket       = BUCKET_NAME
Role ARN        = arn:aws:iam::OUR_AWS_ACCOUNT_ID:role/CLIENT_NAME-ExtRole
STS External ID = HMI-CLIENT_NAME
Attach IAM Policy to External User = {"Version": "2012-10-17",
                                      "Statement": [{"Effect": "Allow",
                                                     "Action": "sts:AssumeRole",
                                                     "Resource": "arn:aws:iam::OUR_AWS_ACCOUNT_ID:role/CLIENT_NAME-ExtRole"}]
                                     }

© 2019. All rights reserved. Don’t even think about it.