In your AWS account A, there is an S3 bucket that contains artifacts that need to be fetched by an IAM user in another AWS account B.
The S3 bucket has the below bucket policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::AccountB:user/AccountBUserName" }, "Action": [ "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl" ], "Resource": [ "arn:aws:s3:::AccountABucketName/*" ] } ] } However, the IAM user in account B still cannot get objects in the S3 bucket.
Which one may cause the failure?
Click on the arrows to vote for the correct answer
A. B. C. D.Answer: A.
Option A is CORRECT because to provide the access, you need two things: S3 bucket policy on account A for account B IAM user to access and then in Account B, the IAM user needs to have an allow access for the S3 bucket in the IAM policy (This is missing).
Option B is incorrect because the resource “arn:aws:s3:::AccountABucketName” is unnecessary and would not provide the necessary permission.
Option C is incorrect because "s3:GetObjectACL" is not required.
This case only needs "s3:GetObject".
Option D is incorrect because there is no mention of an IAM user in account B to assume a cross-account role in this particular scenario.
Instead, as long as the user is given an "s3:GetObject" permission to the S3 bucket, it should be able to get objects in the bucket.
For more information on cross-account S3 bucket object access, do refer to the URL provided below.
https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/The bucket policy provided in the question allows an IAM user in AWS account B to fetch (Get) and upload (Put) objects to an S3 bucket in AWS account A. The policy also allows the IAM user in AWS account B to manage object-level permissions using the s3:PutObjectAcl action.
However, the IAM user in AWS account B still cannot get objects in the S3 bucket. To identify the root cause of the issue, let's examine each of the options:
A. The IAM user in account B does not have IAM permission to get an object in the particular S3 bucket. This option seems plausible, as it's possible that the IAM user in AWS account B may not have permission to perform the GetObject action. To check if this is the issue, we can verify that the IAM user in AWS account B has been granted permission to perform the s3:GetObject action on the S3 bucket in question. We can also verify if the IAM user in AWS account B has permission to perform actions like s3:ListBucket and s3:ListObjects to determine if they can see the objects in the bucket.
B. The Resource in bucket policy should include “arn:aws:s3:::AccountABucketName”. This option is not the root cause of the issue because the bucket policy's Resource attribute already includes “arn:aws:s3:::AccountABucketName/*”. This allows the IAM user in AWS account B to access any object in the S3 bucket.
C. The Action in bucket policy should add the action of "s3:GetObjectACL". This option is not the root cause of the issue because the bucket policy's Action attribute already includes s3:GetObject. This action allows the IAM user in AWS account B to get the object data, which is different from the object ACL.
D. The Principal in bucket policy should add a cross-account IAM role assumed by the IAM user in account B. This option seems plausible because the bucket policy's Principal attribute only includes the IAM user in AWS account B, but it's possible that the IAM user in AWS account B is using an IAM role to access the S3 bucket in AWS account A. To check if this is the issue, we can verify that the IAM user in AWS account B is using an IAM role to access the S3 bucket in AWS account A. If so, we can add the cross-account IAM role to the bucket policy's Principal attribute.
In summary, the root cause of the issue could be either option A or option D. To determine the actual cause, we need to verify if the IAM user in AWS account B has permission to perform the s3:GetObject action and if they are using an IAM role to access the S3 bucket in AWS account A.