Allowing S3 Put Operations from Another AWS Account
Amazon Simple Storage Service (S3) is a highly scalable and durable object storage service offered by Amazon Web Services (AWS). In many real-world scenarios, you may need to allow users or resources from one AWS account to perform put operations (upload objects) into an S3 bucket in another AWS account. This can be crucial for data sharing, collaborative projects, or when different teams within an organization manage separate AWS accounts. In this blog post, we will explore the core concepts, typical usage scenarios, common practices, and best practices for enabling S3 put operations from another AWS account.
Table of Contents
- Core Concepts
- Typical Usage Scenarios
- Common Practice
- Best Practices
- Conclusion
- FAQ
- References
Core Concepts
AWS Identity and Access Management (IAM)
IAM is a service that enables you to manage access to AWS services and resources securely. It allows you to create users, groups, and roles, and attach policies to them. Policies are JSON documents that define permissions. When allowing an S3 put operation from another account, IAM policies play a central role in defining who can access the bucket and what actions they can perform.
S3 Bucket Policies
A bucket policy is a JSON-based access policy that you can attach to an S3 bucket. It can be used to grant permissions to other AWS accounts, IAM users, or groups. Bucket policies are evaluated as part of every access request made to the bucket, and they can allow or deny access at the bucket or object level.
Cross-Account Access
Cross-account access refers to the ability of resources or users in one AWS account to access resources in another AWS account. In the context of S3, cross-account access is achieved by setting up appropriate IAM policies and bucket policies to allow the necessary put operations.
Typical Usage Scenarios
Data Sharing between Departments
Large organizations often have different departments managing their own AWS accounts. For example, the marketing department may need to upload marketing materials to an S3 bucket managed by the IT department. By allowing cross-account put operations, the marketing department can easily share their data with the IT department for further processing or storage.
Third-Party Data Integration
Companies may work with third-party vendors who need to upload data to their S3 buckets. For instance, a logistics company may have a third-party shipping provider that uploads shipping data to an S3 bucket for analysis. Allowing cross-account put operations simplifies this data integration process.
Disaster Recovery
In a disaster recovery scenario, one AWS account may be designated as the backup account. Other accounts can then be configured to upload their critical data to the backup account's S3 bucket. This ensures that in case of a disaster, the data can be recovered from the backup account.
Common Practice
Step 1: Create an IAM Role in the Destination Account
In the AWS account that owns the S3 bucket (destination account), create an IAM role. This role will be assumed by the users or resources in the source account. Attach a policy to this role that allows put operations on the specific S3 bucket.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}

Step 2: Configure the Trust Relationship
In the IAM role, configure the trust relationship to allow the source AWS account to assume the role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::source-account-id:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Step 3: Create an IAM Policy in the Source Account
In the source AWS account, create an IAM policy that allows the users or resources to assume the role created in the destination account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::destination-account-id:role/your-role-name"
    }
  ]
}

Step 4: Assume the Role and Perform the Put Operation
In the source account, use the AWS SDK or AWS CLI to assume the role and then perform the put operation on the S3 bucket in the destination account.
import boto3

# Create an STS client (uses the source account's credentials)
sts_client = boto3.client('sts')

# Assume the role in the destination account
assumed_role_object = sts_client.assume_role(
    RoleArn="arn:aws:iam::destination-account-id:role/your-role-name",
    RoleSessionName="AssumeRoleSession1"
)

# Get the temporary credentials (they expire after the role's session duration)
credentials = assumed_role_object['Credentials']

# Create an S3 client using the temporary credentials
s3_client = boto3.client(
    's3',
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken']
)

# Perform the put operation on the bucket in the destination account
s3_client.put_object(
    Bucket='your-bucket-name',
    Key='your-object-key',
    Body=b'Your data here'
)

Best Practices
Least Privilege Principle
Only grant the minimum permissions necessary for the put operation. For example, instead of allowing full access to the bucket, limit the permissions to only the s3:PutObject action.
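As an added example (not code from the original post), here are steps 1 to 3 written as a small Python script that generates the three policy documents with the least-privilege tightening this section recommends, plus the prefix restriction mentioned in the FAQ, and then lints a candidate pair of policies for the two over-broad settings most often seen in this setup. The account IDs, bucket name, prefix, role names and external ID are constructed placeholders. Nothing here calls AWS; `is_allowed` is a simplified local evaluator (default deny, any matching Deny wins, conditions not modelled), not an IAM simulator. Because the role lives in the bucket-owning account, this pattern needs no bucket policy and the uploaded objects are owned by that account.

```python
"""Generate and locally check the policy documents for cross-account S3 uploads
(steps 1 to 3).  Added example, not the original post's code.  Account IDs, names,
prefix and external ID are constructed placeholders; nothing here calls AWS."""
import json
import re

DEST_ACCOUNT = "111111111111"       # constructed: owns the bucket and the role
SRC_ACCOUNT = "222222222222"        # constructed: where the uploader lives
BUCKET = "example-ingest-bucket"    # constructed
PREFIX = "uploads/marketing/"       # only keys under this prefix may be written
ROLE_NAME = "cross-account-upload"  # constructed
SRC_PRINCIPAL = f"arn:aws:iam::{SRC_ACCOUNT}:role/uploader"  # constructed
EXTERNAL_ID = "replace-with-a-random-value"                  # constructed placeholder


def role_permission_policy(bucket=BUCKET, prefix=PREFIX):
    """Step 1: permissions of the destination-account role, scoped to one
    action and one prefix instead of the whole bucket."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "PutUnderPrefixOnly",
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
    }]}


def trust_policy(src_principal=SRC_PRINCIPAL, external_id=EXTERNAL_ID):
    """Step 2: who may assume the role.  A specific role ARN rather than the
    account root, plus an ExternalId the caller must present (confused-deputy
    protection when the source account belongs to a third party)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": src_principal},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def source_assume_policy(dest_account=DEST_ACCOUNT, role_name=ROLE_NAME):
    """Step 3: identity policy in the source account permitting the assume call."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{dest_account}:role/{role_name}",
    }]}


def _matches(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM decision: default deny, a matching Allow grants, a matching
    Deny always wins.  Condition blocks are ignored (no request context here)."""
    allowed = False
    for st in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def _key_pattern(resource):
    """'arn:aws:s3:::bucket/key-pattern' -> 'key-pattern', else None."""
    tail = resource.split(":::", 1)[1] if ":::" in resource else None
    return tail.split("/", 1)[1] if tail and "/" in tail else None


def lint(permission, trust):
    """Flag over-broad settings in a permission policy and a trust policy."""
    findings = []
    for st in permission["Statement"]:
        for res in _as_list(st["Resource"]):
            if _key_pattern(res) in (None, "*"):
                findings.append(f"resource '{res}' allows writes anywhere in the bucket")
        for act in _as_list(st["Action"]):
            if act != "s3:PutObject":
                findings.append(f"action '{act}' is more than an upload needs")
    for st in trust["Statement"]:
        for principal in _as_list(st["Principal"].get("AWS", [])):
            if principal.endswith(":root"):
                findings.append(f"trust principal '{principal}' admits any identity in "
                                "that account that holds sts:AssumeRole")
        if "Condition" not in st:
            findings.append("trust policy has no ExternalId condition")
    return findings


if __name__ == "__main__":
    for title, doc in [("role permissions", role_permission_policy()),
                       ("trust policy", trust_policy()),
                       ("source assume policy", source_assume_policy())]:
        print(f"--- {title} ---\n{json.dumps(doc, indent=2)}")
    print("findings:", lint(role_permission_policy(), trust_policy()))
```

With the ExternalId condition in place, the `assume_role` call in step 4 must also pass `ExternalId=EXTERNAL_ID`, otherwise STS refuses the request. Running `lint` against the policies shown in steps 1 and 2 of this post reports the bucket-wide resource and the `:root` principal, which is exactly the gap the least-privilege principle closes.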
Regularly Review and Rotate Credentials
If using IAM users, regularly review and rotate their access keys to enhance security. Also, review the IAM roles and policies periodically to ensure they still meet the security requirements.
Enable Server-Side Encryption
Enable server-side encryption on the S3 bucket to protect the data at rest. AWS offers several encryption options, such as SSE-S3, SSE-KMS, and SSE-C.
Monitor and Log Access
Use AWS CloudTrail to monitor and log all access to the S3 bucket. This helps in detecting any unauthorized access attempts and in auditing the usage of the bucket.
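The following is an added example (not code from the original post) of what that monitoring can look like once CloudTrail records are in hand: a script that reads a CloudTrail log file and reports every event that deviates from the agreed upload path, namely AssumeRole calls on the upload role from any account other than the source account, PutObject calls to the shared bucket by any principal other than the upload role, writes outside the agreed prefix, and denied attempts at either. The records are constructed to follow the CloudTrail record schema; all account IDs, ARNs, keys and IP addresses are placeholders, and the sample assumes the role policy was prefix-scoped as the least-privilege section recommends. Note that object-level S3 events such as PutObject only reach CloudTrail when data events are enabled for the bucket on the trail.

```python
"""Review CloudTrail records for the cross-account upload path.  Added example,
not the original post's code.  The records are constructed in the CloudTrail
record schema; account IDs, ARNs, keys and IP addresses are placeholders."""
import json

DEST_ACCOUNT = "111111111111"   # constructed: bucket and role owner
SRC_ACCOUNT = "222222222222"    # constructed: the one account allowed to upload
BUCKET = "example-ingest-bucket"
PREFIX = "uploads/marketing/"
UPLOAD_ROLE = f"arn:aws:iam::{DEST_ACCOUNT}:role/cross-account-upload"
SESSION_ARN = f"arn:aws:sts::{DEST_ACCOUNT}:assumed-role/cross-account-upload/AssumeRoleSession1"

# Constructed sample trail: two expected events, then three that merit a look.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "accountId": SRC_ACCOUNT,
                      "arn": f"arn:aws:iam::{SRC_ACCOUNT}:user/uploader"},
     "requestParameters": {"roleArn": UPLOAD_ROLE, "roleSessionName": "AssumeRoleSession1"},
     "recipientAccountId": DEST_ACCOUNT, "sourceIPAddress": "198.51.100.10"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "accountId": DEST_ACCOUNT, "arn": SESSION_ARN,
                      "sessionContext": {"sessionIssuer": {"arn": UPLOAD_ROLE}}},
     "requestParameters": {"bucketName": BUCKET, "key": "uploads/marketing/q3.csv"},
     "recipientAccountId": DEST_ACCOUNT, "sourceIPAddress": "198.51.100.10"},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "accountId": "333333333333",
                      "arn": "arn:aws:iam::333333333333:user/someone"},
     "requestParameters": {"roleArn": UPLOAD_ROLE, "roleSessionName": "probe"},
     "errorCode": "AccessDenied",
     "recipientAccountId": DEST_ACCOUNT, "sourceIPAddress": "203.0.113.7"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "accountId": DEST_ACCOUNT, "arn": SESSION_ARN,
                      "sessionContext": {"sessionIssuer": {"arn": UPLOAD_ROLE}}},
     "requestParameters": {"bucketName": BUCKET, "key": "config/prod.env"},
     "errorCode": "AccessDenied",
     "recipientAccountId": DEST_ACCOUNT, "sourceIPAddress": "198.51.100.10"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "accountId": DEST_ACCOUNT,
                      "arn": f"arn:aws:sts::{DEST_ACCOUNT}:assumed-role/admin/console",
                      "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{DEST_ACCOUNT}:role/admin"}}},
     "requestParameters": {"bucketName": BUCKET, "key": "uploads/marketing/override.csv"},
     "recipientAccountId": DEST_ACCOUNT, "sourceIPAddress": "192.0.2.55"},
]})


def load_records(trail_json):
    """CloudTrail log files are a JSON object with a 'Records' array."""
    return json.loads(trail_json)["Records"]


def find_anomalies(records):
    """Return one finding per record that deviates from the agreed upload path."""
    findings = []
    for rec in records:
        reasons = []
        source, name = rec.get("eventSource"), rec.get("eventName")
        params = rec.get("requestParameters") or {}
        ident = rec.get("userIdentity") or {}
        issuer = ((ident.get("sessionContext") or {}).get("sessionIssuer") or {}).get("arn")
        on_role = (source == "sts.amazonaws.com" and name == "AssumeRole"
                   and params.get("roleArn") == UPLOAD_ROLE)
        on_bucket = (source == "s3.amazonaws.com" and name == "PutObject"
                     and params.get("bucketName") == BUCKET)
        if on_role and ident.get("accountId") != SRC_ACCOUNT:
            reasons.append("AssumeRole on the upload role from an account other than the source account")
        if on_bucket and issuer != UPLOAD_ROLE:
            reasons.append("PutObject to the shared bucket by a principal other than the upload role")
        if on_bucket and not (params.get("key") or "").startswith(PREFIX):
            reasons.append("PutObject outside the agreed prefix")
        if (on_role or on_bucket) and rec.get("errorCode"):
            reasons.append(f"request failed with {rec['errorCode']}")
        if reasons:
            findings.append({"eventName": name, "principal": ident.get("arn"),
                             "sourceIPAddress": rec.get("sourceIPAddress"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(load_records(SAMPLE_TRAIL)):
        print(f"{finding['eventName']:<11} {finding['sourceIPAddress']:<15} {finding['principal']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Denied attempts are reported deliberately: a failed AssumeRole from an unknown account or a write outside the prefix is exactly the signal that the policies held and that someone or something is probing the boundary. In practice the same rules are a good fit for a CloudWatch Logs metric filter or an Athena query over the trail bucket.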
Conclusion
Allowing S3 put operations from another AWS account is a powerful feature that enables data sharing, collaboration, and integration across different AWS accounts. By understanding the core concepts, typical usage scenarios, common practices, and best practices, software engineers can securely configure cross-account access to S3 buckets. It is important to follow security best practices to ensure the integrity and confidentiality of the data stored in the S3 buckets.
FAQ
Q: Can I allow multiple source accounts to perform put operations on a single S3 bucket?
A: Yes, you can modify the IAM role's trust relationship and bucket policy to allow multiple source accounts to perform put operations.
Q: What if the source account has multiple IAM users? Do I need to create a separate role for each user?
A: No, you can create a single IAM role in the destination account and configure the trust relationship to allow the entire source account. Then, create an IAM policy in the source account that allows all relevant IAM users to assume the role.
Q: Is it possible to restrict the put operation to specific objects or prefixes within the bucket?
A: Yes, you can modify the IAM policy and bucket policy to restrict the put operation to specific objects or prefixes by adjusting the Resource field in the policy.
References
- AWS Documentation: https://docs.aws.amazon.com/
- AWS IAM User Guide: https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
- AWS S3 Developer Guide: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html