aws permission iam group in another account access

Question

I have a system with 2 AWS Accounts, and I want an IAM group on account 2 to access a bucket on account 1.

Account 1 has a large car database and an S3 bucket with files for each car.

Account 2 does the communication (SNS/SQS) with a lot of physical machines, which each has their own IAM user, but are all a member of the robots-group.

I want the machines with IAM users in Account 2 to be able to access files in an S3 bucket on Account 1.

But apparently, a group cannot be used as a principal. What other options do I have here, if I want a simple setup where I don't need to update the bucket policy in Account 1 every time an IAM user is added in the robots-group in Account 2?

This is the policy I'm trying to apply to my bucket:

{
  "Id": "Policy1683211206707",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1683211201070",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::company-vehicle-configurations-test/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::1234567890:group/robots-group"
        ]
      }
    }
  ]
}

And the result:

    "errorType": "MalformedPolicy",
    "errorMessage": "Invalid principal in policy",

user3553031 · Answer 1 · 2023-05-06T00:54:22.847

You're correct, groups aren't principals and you can't assign permissions to them. However, you can assign permissions to tags.

Attach a policy to all of the principals in Account2 that need to access the S3 Bucket that permit them that access:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::company-vehicle-configurations-test/*"     }
  ]
}
```
This isn't sufficient on its own because the Bucket is in a different account and one account's admin can't arbitrarily grant access to resources in another account.
Tag all of the principals in Account2 that you want to be able to access the S3 Bucket. I'm going to use "s3access: true" for my example, but you can use whatever you want.

Put a Bucket Policy on your S3 Bucket that allows access from all principals in Account2 that have the tag "s3access: true":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::company-vehicle-configurations-test/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::1234567890:root"
        ]
      },
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/s3access": "true"
        }
      }
    }
  ]
}

Note that the tagging and tag-based permissions in this answer are not necessary to make this work; without them, this answer is identical to erik258's answer. If you don't trust the admins of Account2, then asking for tagging is pointless: an untrusted admin can give the required tag to any principal that it wants. However, if you are also the admin of Account2, or if you trust that admin, then using tags as described here can be a way to emulate giving permission to a group rather than to all principals in Account2.

Why is it necessary to put that tag on the principals? It seems to work fine without the tag condition - what am I missing? — Esben von Buchwald, May 04 '23 at 20:46
Yes, it does work with out the tagging. The tagging is just a way to emulate giving permission to a group rather than to all principals in Account2. Whether this is important or not in your scenario is up to you. Once you've given permission to another account, you're at the mercy of that account's admins: an admin in that account could allow principals who you don't trust to access your data, give them tags that will cause them to match your Bucket Policy statements, etc. — user3553031, May 04 '23 at 22:16
Thank you for the explanation. But the admin of account 2 can also just add the s3access: true tag to the principals that he wants to grant access, right? — Esben von Buchwald, May 05 '23 at 23:05
Yes. So the tagging may be of value if you are also the admin of Account2, or if you trust that admin: it gives you a convenient way to control what users are allowed access. It is of no value if the admin of Account2 is untrusted for the reason that you describe. — user3553031, May 06 '23 at 00:50

score 0 · Accepted Answer · answered May 04 '23 at 15:38

In the bucket policy, you can allow the Account2 account principal arn:aws:iam::1234567890:root. This allows any user, role, or group in Account2 to interact with the bucket, only if their IAM policies allow that access.

This essentially delegates further access control to the IAM policies attached to Account2 users, groups and roles. Which is what you essentially want, since you don't want Account1 to own the group's permissions, nor to have to enumerate Account1's users allowed to access the bucket.

Thank you for the tip with the root user as principal and then a permission on the group! This works great — Esben von Buchwald, May 04 '23 at 20:44

aws permission iam group in another account access

2 Answers2