AWS Access to Third-Party S3 Buckets
Amazon Simple Storage Service (S3) is a highly scalable, reliable, and cost-effective object storage service provided by Amazon Web Services (AWS). In many real-world scenarios you need to access an S3 bucket owned by a third party: sharing data between organizations, collaborating on a project, or integrating services that live in different AWS accounts. Understanding how cross-account S3 access is granted and evaluated matters for engineers who work with AWS, both to make the data exchange work and to avoid granting the other party more than it needs.
Table of Contents#
- Core Concepts
- Typical Usage Scenarios
- Common Practices
- Best Practices
- Conclusion
- FAQ
- References
Article#
Core Concepts#
S3 Bucket Ownership#
In AWS, every S3 bucket belongs to exactly one AWS account. The bucket owner controls the bucket: it sets the bucket policy, manages access, and can delete objects. Before a third party can access the bucket, the owner has to grant the necessary permissions. One caveat: if ACLs are enabled on the bucket, objects uploaded by another account can be owned by that account rather than by the bucket owner. Setting Object Ownership to "Bucket owner enforced" (the default for new buckets) disables ACLs and makes the bucket owner the owner of every object, so the owner's bucket policy governs all of them.
AWS Identity and Access Management (IAM)#
IAM is the service for managing access to AWS services and resources. You use it to create users, groups, and roles and to attach permission policies to them. Cross-account S3 access is normally built on IAM roles: a role is an AWS identity with a permissions policy that defines what the role may do and a trust policy that defines who may assume it. Callers obtain short-lived credentials for the role through AWS STS instead of sharing long-lived access keys across accounts.
Bucket Policies#
Bucket policies are JSON access-policy documents attached to an S3 bucket. They are resource-based policies, in contrast to the identity-based policies attached to IAM users, groups, and roles. The bucket owner uses a bucket policy to allow or deny actions on the bucket and its objects for specific AWS accounts or IAM principals, including principals in other accounts.
Cross - Account Access#
Cross-account access means that a principal (user, role, etc.) in one AWS account acts on a resource in another AWS account. Accessing a third-party S3 bucket is cross-account access, and the evaluation rule is stricter than within a single account: the request is allowed only if the caller's identity-based policy and the bucket policy both allow it, and an explicit Deny in either one overrides every Allow. Within a single account, an Allow in either policy is enough. That asymmetry is why the role the third party assumes is usually created in the bucket-owning account (see "Creating IAM Roles" below).
Typical Usage Scenarios#
Data Sharing between Organizations#
Two different companies may need to share data stored in an S3 bucket. For example, a data provider may store its data in an S3 bucket and allow a data consumer in another AWS account to access it. This is common in industries such as finance, healthcare, and marketing, where data sharing is essential for business operations.
Collaborative Projects#
Multiple teams or organizations may collaborate on a project where they need to share data stored in an S3 bucket. Each team may have its own AWS account, and they need to access a common S3 bucket owned by one of the participating parties.
Service Integration#
When integrating AWS services across accounts, one side often needs to read or write an S3 bucket in the other account. For example, a Lambda function in one account may need to read data from a bucket in another account; the function's execution role is then the principal that must be granted access.
Common Practices#
Using Bucket Policies#
The bucket owner can create a bucket policy that allows a specific AWS account or IAM principal. Here is an example of a bucket policy that lets one external account list the bucket and read its objects:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::THIRD_PARTY_ACCOUNT_ID:root"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_BUCKET_NAME",
        "arn:aws:s3:::YOUR_BUCKET_NAME/*"
      ]
    }
  ]
}
In this example, replace THIRD_PARTY_ACCOUNT_ID with the ID of the third-party AWS account and YOUR_BUCKET_NAME with the name of the bucket. Note that the :root principal delegates to the whole third-party account: any IAM user or role in that account whose own identity policy allows these actions can use the grant. To limit the grant to one identity, name its role ARN (for example arn:aws:iam::THIRD_PARTY_ACCOUNT_ID:role/RoleName) instead of :root. The policy version must be exactly "2012-10-17"; S3 rejects any other value.
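The difference between the policy above and a least-privilege version is easier to see when a checker points at the wide spots. The following is an added example, not code from the article: a small offline audit function run over a constructed copy of the article's policy and a hardened variant (specific role ARN, prefix-scoped read and list, TLS-only deny). The finding codes, the account ID 111111111111, the bucket example-shared-bucket and the role PartnerIngestRole are all made up for the example.

```python
"""Audit an S3 bucket policy for over-broad cross-account grants.

Added example, not code from the article. The policy shape is the standard
IAM JSON grammar; the finding codes are this script's own names, and the
account ID, bucket and role names are constructed for the example.
"""
import json

BUCKET_ARN = "arn:aws:s3:::example-shared-bucket"
PARTNER_ROLE = "arn:aws:iam::111111111111:role/PartnerIngestRole"

# Constructed copy of the article's policy: the grant goes to the whole
# third-party account (:root) and ListBucket is not limited to a prefix.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCrossAccountRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}

# Hardened variant: one named role, one prefix, and TLS enforced.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowPartnerRoleRead", "Effect": "Allow",
         "Principal": {"AWS": PARTNER_ROLE},
         "Action": "s3:GetObject",
         "Resource": BUCKET_ARN + "/exports/*"},
        {"Sid": "AllowPartnerRoleList", "Effect": "Allow",
         "Principal": {"AWS": PARTNER_ROLE},
         "Action": "s3:ListBucket",
         "Resource": BUCKET_ARN,
         "Condition": {"StringLike": {"s3:prefix": "exports/*"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """Flatten Principal to a list of strings: '*', ARNs or bare account IDs."""
    principal = stmt.get("Principal")
    if principal is None:
        return []
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS"))


def audit_bucket_policy(policy):
    """Return sorted (sid, finding) pairs describing how wide the grants are."""
    findings = set()
    has_tls_deny = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no-sid>")
        condition = stmt.get("Condition", {})
        if stmt.get("Effect") == "Deny":
            if condition.get("Bool", {}).get("aws:SecureTransport") == "false":
                has_tls_deny = True
            continue
        principals = _aws_principals(stmt)
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in principals and not condition:
            findings.add((sid, "PUBLIC_PRINCIPAL"))
        # A bare account ID and arn:...:root mean the same thing: every
        # principal in that account that its own admins choose to permit.
        if any(p.endswith(":root") or p.isdigit() for p in principals):
            findings.add((sid, "ACCOUNT_WIDE_PRINCIPAL"))
        if any(a.endswith("*") for a in actions):
            findings.add((sid, "WILDCARD_ACTION"))
        if any(a.startswith(("s3:Put", "s3:Delete")) for a in actions):
            findings.add((sid, "WRITE_OR_DELETE_GRANTED"))
        if any(r == "*" or r.endswith(":::*") for r in resources):
            findings.add((sid, "WILDCARD_RESOURCE"))
        if "s3:ListBucket" in actions and "s3:prefix" not in json.dumps(condition):
            findings.add((sid, "UNSCOPED_LIST"))
    if not has_tls_deny:
        findings.add(("<policy>", "NO_TLS_ONLY_DENY"))
    return sorted(findings)


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_bucket_policy(policy) or "no findings")
```

Run against the article-style policy the checker reports ACCOUNT_WIDE_PRINCIPAL and UNSCOPED_LIST on the Allow statement plus NO_TLS_ONLY_DENY for the policy as a whole; the hardened policy produces no findings. The checker ignores condition semantics beyond the two keys it looks for, so it is a review aid, not a substitute for IAM Access Analyzer or a policy simulator.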
Creating IAM Roles#
The bucket owner creates an IAM role in the bucket-owning account, attaches a permissions policy that allows the needed S3 actions, and sets a trust policy that lets the third-party account assume the role. Because the role lives in the same account as the bucket, its permissions policy is sufficient on its own and no bucket policy entry is required for it. The reverse set-up does not work by itself: a role in the third-party account with an S3 permissions policy but no matching bucket policy is denied, because a cross-account request needs an Allow from both the caller's account and the resource owner. Here is an example trust policy for a role named ThirdPartyAccessRole in the bucket-owning account:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::THIRD_PARTY_ACCOUNT_ID:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
And the permissions policy attached to the same role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_BUCKET_NAME",
        "arn:aws:s3:::YOUR_BUCKET_NAME/*"
      ]
    }
  ]
}
Replace THIRD_PARTY_ACCOUNT_ID with the ID of the account that will assume the role and YOUR_BUCKET_NAME with the name of your bucket. As with the bucket policy, a :root principal in the trust policy lets any principal in the third-party account assume the role if that account's own policies permit it; naming the specific partner role ARN is tighter. For a third party you do not fully control, also add an sts:ExternalId condition to the trust policy and give the partner a unique ExternalId; this is AWS's standard mitigation for the confused-deputy problem, where a multi-tenant partner service could otherwise be tricked into assuming your role on behalf of one of its other customers.
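The claim that the role has to sit in the bucket-owning account, or else a bucket policy is also needed, follows from how AWS combines identity-based and resource-based policies. The following is an added example, not code from the article: an offline model of that decision logic (explicit Deny wins; same account needs an Allow from either policy; cross-account needs an Allow from both) run over the set-ups discussed in this section. Condition keys are ignored and only "AWS" principals are handled; the account IDs 111111111111 and 222222222222, the bucket example-shared-bucket and the role names are constructed for the example.

```python
"""Offline model of AWS's allow/deny decision for a cross-account S3 request.

Added example, not code from the article. Encodes the documented rules:
an explicit Deny in any applicable policy wins; if the caller's account
owns the bucket, an Allow in EITHER the identity policy or the bucket
policy suffices; if the accounts differ, BOTH must allow. Conditions are
ignored and only "AWS" principals are matched. All names are made up.
"""
from fnmatch import fnmatchcase

OWNER_ACCOUNT = "222222222222"
PARTNER_ACCOUNT = "111111111111"
BUCKET = "example-shared-bucket"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/exports/2024.csv"
PARTNER_ROLE = f"arn:aws:iam::{PARTNER_ACCOUNT}:role/PartnerReader"
OWNER_ROLE = f"arn:aws:iam::{OWNER_ACCOUNT}:role/ThirdPartyAccessRole"

READ_ACTIONS = ["s3:GetObject", "s3:ListBucket"]
BUCKET_RESOURCES = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}
# Identity policy attached to whichever role the caller is using.
READ_ONLY_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": READ_ACTIONS, "Resource": BUCKET_RESOURCES}]}


def bucket_policy_for(principal_arn):
    """Bucket policy granting read access to one principal (or account root)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal_arn},
         "Action": READ_ACTIONS, "Resource": BUCKET_RESOURCES}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match; actions are case-insensitive, ARNs are not."""
    patterns = _as_list(patterns)
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _principal_matches(stmt, caller_arn):
    principal = stmt.get("Principal")
    if principal is None or principal == "*":   # identity policies carry no Principal
        return True
    account = caller_arn.split(":")[4]
    # A bare account ID or its :root ARN covers every principal in that account.
    covering = ("*", caller_arn, account, f"arn:aws:iam::{account}:root")
    return any(p in covering for p in _as_list(principal.get("AWS", [])))


def _effects(policy, caller_arn, action, resource):
    """Set of Effects from statements in `policy` that apply to the request."""
    return {stmt["Effect"] for stmt in policy.get("Statement", [])
            if _principal_matches(stmt, caller_arn)
            and _matches(stmt["Action"], action, fold_case=True)
            and _matches(stmt["Resource"], resource)}


def evaluate(identity_policy, bucket_policy, caller_arn, bucket_owner, action, resource):
    """Return 'Allow' or 'Deny' for one request."""
    identity = _effects(identity_policy, caller_arn, action, resource)
    bucket = _effects(bucket_policy, caller_arn, action, resource)
    if "Deny" in identity or "Deny" in bucket:
        return "Deny"                                            # explicit deny wins
    if caller_arn.split(":")[4] == bucket_owner:
        allowed = "Allow" in identity or "Allow" in bucket       # same account: either
    else:
        allowed = "Allow" in identity and "Allow" in bucket      # cross-account: both
    return "Allow" if allowed else "Deny"


def scenarios():
    """The set-ups discussed in the text, each evaluated for one GetObject."""
    def get(identity, bucket, caller, action="s3:GetObject", resource=OBJECT_ARN):
        return evaluate(identity, bucket, caller, OWNER_ACCOUNT, action, resource)

    deny_private = {"Version": "2012-10-17", "Statement": [
        bucket_policy_for(f"arn:aws:iam::{PARTNER_ACCOUNT}:root")["Statement"][0],
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": f"arn:aws:s3:::{BUCKET}/private/*"}]}
    return {
        # Role in the partner account with an S3 identity policy, no bucket policy.
        "partner_role_no_bucket_policy": get(READ_ONLY_IDENTITY, EMPTY_POLICY, PARTNER_ROLE),
        # Same role, and the owner's bucket policy names it.
        "partner_role_with_bucket_policy": get(READ_ONLY_IDENTITY, bucket_policy_for(PARTNER_ROLE), PARTNER_ROLE),
        # Bucket policy names the partner role, but the role's own policy grants nothing.
        "bucket_policy_only": get(EMPTY_POLICY, bucket_policy_for(PARTNER_ROLE), PARTNER_ROLE),
        # Role created in the bucket-owning account (this section's pattern).
        "owner_role_no_bucket_policy": get(READ_ONLY_IDENTITY, EMPTY_POLICY, OWNER_ROLE),
        # Read-only grants on both sides, but the partner tries to write.
        "partner_put_object": get(READ_ONLY_IDENTITY, bucket_policy_for(PARTNER_ROLE), PARTNER_ROLE, "s3:PutObject"),
        # Whole partner account allowed, one prefix explicitly denied.
        "explicit_deny_wins": get(READ_ONLY_IDENTITY, deny_private, PARTNER_ROLE,
                                  resource=f"arn:aws:s3:::{BUCKET}/private/salaries.csv"),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:34s} {decision}")
```

The two Deny results for the partner-account role are the ones people trip over: an identity policy in the consumer's account is never enough on its own, and a bucket policy that names the consumer is never enough on its own either. The owner-account role gets an Allow with no bucket policy at all, which is why the article's set-up places the role there. The real evaluation also considers SCPs, permission boundaries, session policies and conditions, none of which this model includes.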
Using the AWS SDK#
The consumer uses the AWS SDK (for example Boto3, the AWS SDK for Python) with credentials from its own account to assume the role in the bucket-owning account, then uses the returned temporary credentials for the S3 calls. The consumer's own principal needs an identity policy allowing sts:AssumeRole on that role ARN. Here is an example that lists the objects in the shared bucket (THIRD_PARTY_BUCKET_NAME is the bucket owner's bucket, named from the consumer's point of view):
import boto3

# Credentials for the consumer's own account come from the default
# credential chain (environment, profile, instance or task role).
sts_client = boto3.client('sts')

# Assume the role the bucket owner created for us. If the trust policy
# carries an sts:ExternalId condition, pass ExternalId='...' here as well.
assumed_role_object = sts_client.assume_role(
    RoleArn='arn:aws:iam::BUCKET_OWNING_ACCOUNT_ID:role/ThirdPartyAccessRole',
    RoleSessionName='AssumeRoleSession1'
)

# Temporary credentials. They expire (one hour by default), so a
# long-running process must re-assume the role instead of caching them.
credentials = assumed_role_object['Credentials']

# S3 client that acts as the assumed role.
s3_client = boto3.client(
    's3',
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken']
)

# list_objects_v2 returns at most 1000 keys per call; the paginator
# follows the continuation tokens so no objects are skipped.
paginator = s3_client.get_paginator('list_objects_v2')
for page in paginator.paginate(Bucket='THIRD_PARTY_BUCKET_NAME'):
    for obj in page.get('Contents', []):
        print(obj['Key'])
Best Practices#
Least Privilege Principle#
When granting access to a third party, follow the principle of least privilege and give only the permissions needed for the task. If they only read, do not grant write or delete actions; scope Resource to the prefix they need rather than the whole bucket, and add an s3:prefix condition to s3:ListBucket so they cannot enumerate the rest of it. Prefer naming a specific role ARN over the account :root principal, which hands the decision about who gets access to the other account's administrators.
Regularly Review Permissions#
Periodically review the permissions granted to each third party and remove anything that is no longer needed. IAM Access Analyzer reports buckets and roles that are shared with accounts outside your organization, and CloudTrail data events for S3 show which external principals actually use the access, which makes unused grants easy to spot.
Use MFA and Encryption#
MFA is a property of the human caller, not of the role: to require it, add an aws:MultiFactorAuthPresent condition to the role's trust policy. That is appropriate for people assuming the role interactively but impractical for automated integrations; for machine-to-machine access from a third party, use an sts:ExternalId condition in the trust policy instead, so a multi-tenant partner service cannot be tricked into assuming your role on behalf of someone else (the confused-deputy problem). Encrypt the data at rest with SSE-S3 or SSE-KMS; with a customer managed KMS key, the key policy must also grant the third-party role kms:Decrypt, or reads fail with AccessDenied even though S3 itself allows them. Protect data in transit by denying requests that do not use TLS with an aws:SecureTransport condition in the bucket policy.
Conclusion#
Accessing third-party S3 buckets is a core capability for data sharing, collaboration, and service integration across AWS accounts. With the concepts above in hand (bucket ownership, IAM roles, bucket policies, and the rule that a cross-account request needs an Allow from both sides), engineers can set up access that works and is scoped to what the other party actually needs. The practices in the previous sections keep that access auditable and revocable.
FAQ#
Q1: Can I access a third - party S3 bucket without the bucket owner's permission?#
A1: No. The bucket owner must grant access, either through a bucket policy or through a role in their account that you are allowed to assume, and your own account's identity policy must also allow the call. A publicly readable bucket is not an exception to this rule; it is access the owner explicitly granted to everyone.
Q2: What if the third - party account has different AWS regions?#
A2: Yes. S3 bucket names are global, and the SDK resolves the bucket's region and signs requests for it, so a consumer configured for another region can still reach the bucket. Expect higher latency and cross-region data transfer charges when the consumer and the bucket are in different regions.
Q3: How can I revoke access to a third - party S3 bucket?#
A3: The bucket owner revokes access by removing the grant: deleting the statement from the bucket policy, or editing or deleting the role's trust policy so the third party can no longer assume it. Credentials from sessions that were already issued remain valid until they expire (up to the role's maximum session duration); to cut those off immediately, attach a deny policy to the role conditioned on aws:TokenIssueTime, which is what the IAM console's "Revoke active sessions" action does. The third party can also remove the identity policy on its side that allows sts:AssumeRole or the S3 actions.
References#
- AWS Documentation: Amazon S3 User Guide
- AWS Documentation: AWS Identity and Access Management User Guide
- Boto3 Documentation: AWS SDK for Python (Boto3)