@daxroc
Last active June 2, 2017 15:44
AWS Federated S3 Read Only Bucket and IAM policy

Problem

You want to share the contents of an S3 bucket owned by one AWS account with several other accounts, while constraining those accounts to read-only access.

Set Bucket Policy

Add the S3 bucket policy below to the bucket in the account that owns it.

Create an IAM policy

Create an IAM policy as defined below. It must be created in each of the accounts you wish to federate read access to, because cross-account access requires both the bucket policy and the caller's identity policy to allow the request.

Attach policy to a role

Next, attach the policy to an IAM role in that account, for example the instance role of the EC2 instances that need the data.

Done

If the role is attached to an EC2 instance, you should now be able to list and sync objects from that instance with the AWS CLI:

```shell
aws s3 sync s3://shared-example-bucket/zObject.example ./
```

Enjoy!

IAM policy (create in each federated account and attach to a role):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlySharedBucket",
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::shared-example-bucket/*",
        "arn:aws:s3:::shared-example-bucket"
      ]
    }
  ]
}
```
Bucket policy (apply to the shared bucket in the owning account):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyForAccABC",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::account_a:root",
          "arn:aws:iam::account_b:root",
          "arn:aws:iam::account_c:root"
        ]
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::shared-example-bucket/*",
        "arn:aws:s3:::shared-example-bucket"
      ]
    }
  ]
}
```
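To make the two-sided nature of the grant concrete, here is an added example (not code from the gist or its author) that evaluates the gist's two policy documents together with a small Python evaluator: a request from a role in account_a succeeds only if the bucket policy allows the caller's account and the identity policy allows the action, and an explicit Deny on either side wins. The same helper flags any Allow statement whose action pattern would also match write actions, which is the check to run before calling a policy "read only". The caller role name, the object key and the Deny and overly broad policies used in the demo are constructed assumptions; the evaluator ignores Condition, NotAction and NotPrincipal, so it is a checking aid, not a replacement for the IAM policy simulator.

```python
"""Evaluate a cross-account S3 request against BOTH policies (added example).

Cross-account access succeeds only when the bucket policy in the owning
account AND the identity policy attached to the caller's role allow the
request; an explicit Deny in either wins. Condition, NotAction and
NotPrincipal are not modelled. Caller ARNs and object keys are constructed.
"""
import fnmatch

# Identity policy from the gist (no Principal: it applies to whoever it is attached to).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOnlySharedBucket",
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*"],
        "Resource": ["arn:aws:s3:::shared-example-bucket/*",
                     "arn:aws:s3:::shared-example-bucket"],
    }],
}

# Bucket policy from the gist; "account_a" etc. are the gist's own placeholders.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOnlyForAccABC",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::account_a:root",
                              "arn:aws:iam::account_b:root",
                              "arn:aws:iam::account_c:root"]},
        "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:Get*"],
        "Resource": ["arn:aws:s3:::shared-example-bucket/*",
                     "arn:aws:s3:::shared-example-bucket"],
    }],
}

# Write actions a read-only policy must never match (constructed sample set).
WRITE_ACTIONS = ["s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject",
                 "s3:PutBucketPolicy", "s3:DeleteBucket"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """IAM-style wildcard match; action names are case-insensitive, ARNs are not."""
    for pattern in _as_list(patterns):
        if case_sensitive:
            if fnmatch.fnmatchcase(value, pattern):
                return True
        elif fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return True
    return False


def account_of(arn):
    """Account id field of an ARN: arn:partition:service:region:account:resource."""
    return arn.split(":")[4]


def principal_matches(statement, caller_arn):
    principal = statement.get("Principal")
    if principal is None or principal == "*":  # identity policy, or anonymous grant
        return True
    for entry in _as_list(principal.get("AWS", [])):
        if entry in ("*", caller_arn):
            return True
        # "<account>:root" delegates to every IAM principal in that account
        if entry.endswith(":root") and account_of(entry) == account_of(caller_arn):
            return True
    return False


def evaluate(policy, caller_arn, action, resource):
    """Return 'Deny', 'Allow', or None when no statement matches the request."""
    decision = None
    for st in policy["Statement"]:
        if not principal_matches(st, caller_arn):
            continue
        if not _matches(st.get("Action", []), action, case_sensitive=False):
            continue
        if not _matches(st.get("Resource", []), resource, case_sensitive=True):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def cross_account_allowed(bucket_policy, identity_policy, caller_arn, action, resource):
    """Both sides must say Allow, and neither may say Deny."""
    decisions = (evaluate(bucket_policy, caller_arn, action, resource),
                 evaluate(identity_policy, caller_arn, action, resource))
    return "Deny" not in decisions and all(d == "Allow" for d in decisions)


def find_write_grants(policy):
    """(Sid, action pattern) pairs in Allow statements that also match a write action."""
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        for pattern in _as_list(st.get("Action", [])):
            if any(_matches(pattern, w, case_sensitive=False) for w in WRITE_ACTIONS):
                hits.append((st.get("Sid"), pattern))
    return hits


if __name__ == "__main__":
    caller = "arn:aws:iam::account_a:role/app-instance"  # constructed caller role
    obj = "arn:aws:s3:::shared-example-bucket/zObject.example"
    print(cross_account_allowed(BUCKET_POLICY, IDENTITY_POLICY, caller, "s3:GetObject", obj))
    print(cross_account_allowed(BUCKET_POLICY, IDENTITY_POLICY, caller, "s3:PutObject", obj))
    print(find_write_grants(BUCKET_POLICY), find_write_grants(IDENTITY_POLICY))
```

Two things the evaluator makes visible: a role in an account that is not listed in the bucket policy gets no access even with the identity policy attached, and a role in a listed account gets nothing until its own account attaches the identity policy. Note also that `s3:Get*` on the bucket ARN matches configuration reads such as `s3:GetBucketPolicy` and `s3:GetBucketAcl`, so the federated accounts can read the bucket's configuration as well as its objects; enumerate the specific actions instead of the wildcard if that is not intended.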