Sharing

For auditing purposes, you need to grant another account read access to the bucket named “my-secret-bucket” and to all the files it contains.

First, you need the ID of the account you want to grant read access to your bucket. This account ID is a string of alphanumeric characters; it is not the access key or the secret access key. The examples below use the ID 1y283839303033x.

Policy

To grant that account read access, use the following policy. Pay attention to the Action and Effect fields in the policy, as they determine what the other account is allowed to do: this one allows only listing the bucket and reading its objects.

{
  "Id":"allow-1y283839303033x-to-access-my-bucket",
  "Version":"2012-10-17",
  "Statement":[{
    "Action":["s3:ListBucket","s3:GetObject"],
    "Effect":"Allow",
    "Principal":{
      "CanonicalUser":"1y283839303033x"
    },
    "Resource":[
      "arn:aws:s3:::my-secret-bucket",
      "arn:aws:s3:::my-secret-bucket/*"
    ],
    "Sid":"allow-1y283839303033x-to-access-my-bucket"
  }]
}

Multiple Users

To grant access to multiple users, adjust the Principal in the policy like so:

{
  "Principal": {
    "CanonicalUser":["first-id", "second-id"]
  }
}
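The following Python script is an added example, not part of the original page: it builds the read-only policy shown above for one or several account IDs (single ID as a string, several as the list form from this section) and audits any policy document for Allow statements that grant more than the two read actions or that name a wildcard principal. The helper names build_read_policy and audit_policy are assumptions.

```python
import json

# The two read-only actions the page's policy grants, in the page's order.
READ_ONLY_ACTIONS = ("s3:ListBucket", "s3:GetObject")


def build_read_policy(bucket: str, canonical_ids: list[str]) -> dict:
    """Hypothetical helper: return the page's read-only bucket policy for the given IDs.

    One ID yields a string Principal (as in the first policy); several IDs yield the
    list form shown under 'Multiple Users'.
    """
    principal = canonical_ids[0] if len(canonical_ids) == 1 else list(canonical_ids)
    sid = f"allow-{'-'.join(canonical_ids)}-to-access-my-bucket"
    return {
        "Id": sid,
        "Version": "2012-10-17",
        "Statement": [{
            "Action": list(READ_ONLY_ACTIONS),
            "Effect": "Allow",
            "Principal": {"CanonicalUser": principal},
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Sid": sid,
        }],
    }


def audit_policy(policy: dict) -> list[str]:
    """Return one finding per Allow statement action outside READ_ONLY_ACTIONS and
    per wildcard principal; an empty list means the policy only grants read access."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid")
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"{sid}: non-read action {action}")
        principal = stmt.get("Principal")
        values = principal.values() if isinstance(principal, dict) else [principal]
        for value in values:
            if value == "*" or (isinstance(value, list) and "*" in value):
                findings.append(f"{sid}: wildcard principal")
    return findings


if __name__ == "__main__":
    policy = build_read_policy("my-secret-bucket", ["1y283839303033x"])
    print(json.dumps(policy, indent=2))
    print(audit_policy(policy))  # -> []
```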