Providing Vendor Access to S3 Bucket in AWS Account

Granting Vendor Access to an S3 Bucket: Step-by-Step Guide


Question

There is a requirement for a vendor to have access to an S3 bucket in your account.

The vendor already has an AWS account.

How can you provide the vendor with access to this bucket?

Answers

Explanations


A. B. C. D.

Answer - C.

The AWS documentation mentions:

You share resources in one account with users in a different account.

By setting up cross-account access in this way, you don't need to create individual IAM users in each account.

In addition, users don't have to sign out of one account and sign into another in order to access resources that are in different AWS accounts.

After configuring the role, you see how to use the role from the AWS Management Console, the AWS CLI, and the API.

For more information on Cross Account Roles Access, please refer to the below link:

http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

In this scenario, the requirement is to provide access to a vendor's AWS account to read from an S3 bucket in your AWS account. There are different ways to achieve this goal, but the recommended approach is to use IAM (Identity and Access Management) to create a cross-account role for the vendor's AWS account and grant that role access to the S3 bucket.

Options A and B are not recommended because they involve creating an IAM user or group for the vendor in your account, which is harder to manage and does not scale well across multiple vendors or users.

Option D involves creating an S3 bucket policy to allow access to the vendor's AWS account, which can be a viable solution but may not provide the same level of control and granularity as using IAM.

Therefore, Option C is the best option for providing the vendor access to the S3 bucket.

Here are the steps to create a cross-account role for the vendor account and grant access to the S3 bucket:

  1. In your AWS account, go to the IAM console and select "Roles".
  2. Click on the "Create role" button.
  3. Select "Another AWS account" as the trusted entity and enter the account ID of the vendor's AWS account.
  4. Check the "Require external ID" checkbox and enter an external ID that will be used to establish the trust between the two accounts.
  5. Select the policy that grants access to the S3 bucket, or create a new policy that specifies the required permissions.
  6. Review and confirm the details of the role, and then click "Create role".
  7. In the vendor's AWS account, the vendor must create an IAM user or role with permissions to assume the cross-account role you created in step 6.
  8. The vendor can then use the AWS STS (Security Token Service) to assume the cross-account role and access the S3 bucket in your AWS account.
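The three policy documents that the steps above produce (the role's trust policy with the external ID condition, the role's S3 permissions policy, and the policy the vendor attaches on their side to allow sts:AssumeRole), built and sanity-checked in Python. This is an added example, not part of the original question or of AWS documentation; the account IDs, bucket name, role name and external ID are constructed placeholders, and the check_trust_policy helper is a hypothetical reviewer check, not an AWS API.

```python
"""Build and sanity-check the IAM policy documents used to grant a vendor
cross-account read access to an S3 bucket. Constructed example: every
account ID, bucket name and role name below is a placeholder."""
import json

# Constructed placeholder values (the 12-digit account IDs are made up).
YOUR_ACCOUNT_ID = "111111111111"
VENDOR_ACCOUNT_ID = "222222222222"
BUCKET_NAME = "example-shared-bucket"
ROLE_NAME = "VendorS3ReadRole"
EXTERNAL_ID = "vendor-agreed-external-id-0001"


def build_trust_policy(vendor_account_id, external_id):
    """Trust policy for the role in YOUR account (steps 3 and 4).

    The Principal is the vendor's account; the Condition makes the role
    assumable only when the caller also presents the agreed external ID,
    so a third party that merely learns the role ARN cannot use it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_permissions_policy(bucket_name):
    """Permissions policy attached to the role (step 5): list the bucket and
    read its objects, nothing else. Bucket-level and object-level actions
    need different resource ARNs, which is a common mistake to get wrong."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket_name}",
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket_name}/*",
            },
        ],
    }


def build_vendor_assume_policy(your_account_id, role_name):
    """Policy the vendor attaches to their own IAM user or role (step 7) so
    it may call sts:AssumeRole on exactly this role ARN and no other."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{your_account_id}:role/{role_name}",
        }],
    }


def check_trust_policy(policy):
    """Hypothetical review helper: return a list of findings for a trust
    policy (empty means it passes). Flags a wildcard principal and any
    AssumeRole statement that does not require an external ID."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("wildcard principal: any AWS account could assume the role")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append("no sts:ExternalId condition: external ID is not required")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy(VENDOR_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print(json.dumps(build_permissions_policy(BUCKET_NAME), indent=2))
    print(json.dumps(build_vendor_assume_policy(YOUR_ACCOUNT_ID, ROLE_NAME), indent=2))
    print("trust policy findings:", check_trust_policy(trust) or "none")
```

Saved to files, the first two documents feed the CLI equivalents of steps 2 through 6: `aws iam create-role --role-name VendorS3ReadRole --assume-role-policy-document file://trust.json` and `aws iam put-role-policy --role-name VendorS3ReadRole --policy-name VendorS3Read --policy-document file://perms.json`. On the vendor side (step 8), the role is assumed with `aws sts assume-role --role-arn arn:aws:iam::111111111111:role/VendorS3ReadRole --role-session-name vendor-session --external-id vendor-agreed-external-id-0001`, which returns temporary credentials scoped to the permissions policy; the external ID must match the trust policy or the call is denied.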

By using a cross-account role, you can grant the vendor temporary access to the S3 bucket while maintaining control over the permissions and access policies. Additionally, the vendor can only access the resources that are explicitly granted by the role, reducing the risk of unauthorized access or data breaches.