Sharing #
For auditing purposes, you need to grant another account read access to the bucket named “my-secret-bucket” as well as all the files it contains.
First, you need the ID of the account you want to grant read access to your bucket. This account ID (the canonical user ID referenced by the policy below) is a string of alphanumeric characters; it is neither the access key nor the secret access key. The example below uses the ID 1y283839303033x.
Policy #
To grant that account read access, use the following policy. Pay attention to the Action and Effect fields: together they determine what the other account can do. Here the Effect is Allow and the only Actions are s3:ListBucket and s3:GetObject, so the other account can list the bucket and read its objects, but not write, delete, or change permissions.
{
  "Id": "allow-1y283839303033x-to-access-my-bucket",
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Effect": "Allow",
    "Principal": {
      "CanonicalUser": "1y283839303033x"
    },
    "Resource": [
      "arn:aws:s3:::my-secret-bucket",
      "arn:aws:s3:::my-secret-bucket/*"
    ],
    "Sid": "allow-1y283839303033x-to-access-my-bucket"
  }]
}
Multiple Users #
To grant access to multiple users, adjust the Principal in the policy like so:
{
  "Principal": {
    "CanonicalUser": ["first-id", "second-id"]
  }
}
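As an added example (not part of this page or the service's own tooling), the following Python builds the read-only bucket policy shown in the Policy and Multiple Users sections for one or several canonical user IDs, and checks an arbitrary policy document before it is applied: every Allow statement must name explicit canonical users, use only the two read actions, and stay scoped to the intended bucket. The bucket name, IDs and Sid format are the ones from the page; the helper names are my own.

```python
import json

# The only two actions the page's policy grants: list the bucket, read objects.
READ_ONLY_ACTIONS = ["s3:ListBucket", "s3:GetObject"]


def build_read_policy(bucket: str, canonical_ids: list[str]) -> dict:
    """Build a read-only bucket policy for one or more canonical user IDs,
    following the shape of the policy shown on the page."""
    if not canonical_ids:
        raise ValueError("at least one canonical user ID is required")
    sid = f"allow-{'-'.join(canonical_ids)}-to-access-my-bucket"
    # A single ID is written as a string, several IDs as a list (Multiple Users).
    principal = canonical_ids[0] if len(canonical_ids) == 1 else list(canonical_ids)
    return {
        "Id": sid,
        "Version": "2012-10-17",
        "Statement": [{
            "Action": list(READ_ONLY_ACTIONS),
            "Effect": "Allow",
            "Principal": {"CanonicalUser": principal},
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Sid": sid,
        }],
    }


def check_read_only(policy: dict, bucket: str) -> list[str]:
    """Return a list of problems found in the Allow statements; an empty list
    means every grant is read-only, scoped to `bucket` and limited to
    explicitly named canonical users (no wildcard principal)."""
    problems = []
    allowed_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if action not in READ_ONLY_ACTIONS:
                problems.append(f"{sid}: non-read action {action}")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            problems.append(f"{sid}: grants access to everyone")
        if not isinstance(principal, dict) or "CanonicalUser" not in principal:
            problems.append(f"{sid}: principal is not a CanonicalUser")
        resources = stmt.get("Resource", [])
        for res in [resources] if isinstance(resources, str) else resources:
            if res not in allowed_resources:
                problems.append(f"{sid}: resource {res} outside bucket {bucket}")
    return problems
```

The resulting dict is serialised with `json.dumps(policy)` when handing it to an S3-compatible client such as boto3's `put_bucket_policy(Bucket=..., Policy=...)`; running `check_read_only` first is a cheap guard against accidentally shipping a wildcard principal or an `s3:*` grant.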