Error: AmazonS3Exception "Access Denied with Status Code: 403" in Amazon Athena when I query a bucket in another account
Asis Sethi
Posted on January 16, 2021
Assumptions:
- Account A (owns the S3 bucket)
- Account B (runs the Athena query)
Let's start with Account A:
- Open the bucket's Permissions tab in the S3 console
- Either edit the ACL of the bucket/objects or add a bucket policy
- Under ACL, add the canonical ID of the external AWS account
- Or edit the bucket policy using the Policy Generator [https://awspolicygen.s3.amazonaws.com/policygen.html]
{
  "Version": "2012-10-17",
  "Id": "Policy1604525342797",
  "Statement": [
    {
      "Sid": "Cross-Account-Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xaccountbxx:root",
          "arn:aws:iam::xaccountbxx:user/cross-account-access-user"
        ]
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::analytics-cross-account-s3access"
    },
    {
      "Sid": "Cross-Account-Permissions-Objects",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xaccountbxx:root",
          "arn:aws:iam::xaccountbxx:user/cross-account-access-user"
        ]
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::analytics-cross-account-s3access/*"
    }
  ]
}
- If KMS encryption is enabled on the S3 bucket, add this key policy to the customer managed key
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xaccountaxx:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xaccountbxx:user/cross-account-access-user"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
Now move to Account B:
- Attach the policy below to the IAM user in Account B
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetAccessPoint",
        "s3:PutAccountPublicAccessBlock",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:ListAccessPoints",
        "s3:ListJobs",
        "s3:CreateJob"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::analytics-cross-account-s3access",
        "arn:aws:s3:::analytics-cross-account-s3access/*"
      ]
    }
  ]
}
- If KMS encryption is enabled, attach another inline policy for the key
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeCustomKeyStores",
        "kms:ListKeys",
        "kms:DeleteCustomKeyStore",
        "kms:GenerateRandom",
        "kms:UpdateCustomKeyStore",
        "kms:ListAliases",
        "kms:DisconnectCustomKeyStore",
        "kms:CreateKey",
        "kms:ConnectCustomKeyStore",
        "kms:CreateCustomKeyStore"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "kms:*",
      "Resource": "arn:aws:kms:ca-central-1:xaccountbxx:key/4bb-452e-8885"
    }
  ]
}
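The 403 only disappears when all three pieces above agree: the bucket policy and the KMS key policy in Account A must both name the Account B principal, and the Account B identity policy must cover the same bucket and the same key ARN. As an added example (not from the original post), this Python pre-flight check walks the three policy documents and reports which grant is missing, and flags a repeated Sid, which AWS rejects on save. The account IDs, key ID and the least-privilege sample policies are constructed placeholders, not the author's values.

```python
from fnmatch import fnmatchcase

# Constructed placeholder IDs (not from the post): Account A 111111111111 owns bucket and key, Account B 222222222222 queries.
BUCKET_ARN = "arn:aws:s3:::analytics-cross-account-s3access"
KEY_ARN = "arn:aws:kms:ca-central-1:111111111111:key/EXAMPLE-KEY-ID"
USER_B = "arn:aws:iam::222222222222:user/cross-account-access-user"

def _lst(v):
    return v if isinstance(v, list) else [v]
def _allow(sid, action, resource, principal=None):
    s = {"Sid": sid, "Effect": "Allow", "Action": action, "Resource": resource}
    return dict(s, Principal={"AWS": principal}) if principal else s

def _grants(stmt, action, resource, principal=None):
    """Statement allows action on resource ('*' wildcards); a resource policy must also name the principal or its account root."""
    if principal is not None:
        allowed = _lst(stmt.get("Principal", {}).get("AWS", []))
        root = "arn:aws:iam::%s:root" % principal.split(":")[4]
        if principal not in allowed and root not in allowed:
            return False
    return (stmt.get("Effect") == "Allow"
            and any(fnmatchcase(action, a) for a in _lst(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _lst(stmt["Resource"])))

def cross_account_read_gaps(bucket_policy, key_policy, user_policy, user_arn=USER_B, bucket_arn=BUCKET_ARN, key_arn=KEY_ARN):
    """Grants still missing for user_arn to read SSE-KMS objects in the bucket; each gap surfaces as a 403."""
    reads = (("s3:GetObject", bucket_arn + "/*"), ("s3:ListBucket", bucket_arn))
    needed = ([("bucket policy", bucket_policy, a, r, user_arn) for a, r in reads]
              + [("user policy", user_policy, a, r, None) for a, r in reads]
              + [("key policy", key_policy, "kms:Decrypt", key_arn, user_arn),
                 ("user policy", user_policy, "kms:Decrypt", key_arn, None)])
    gaps = ["%s lacks %s on %s" % (w, act, res) for w, pol, act, res, who in needed
            if not any(_grants(s, act, res, who) for s in pol["Statement"])]
    for w, pol in (("bucket", bucket_policy), ("key", key_policy), ("user", user_policy)):
        sids = [s["Sid"] for s in pol["Statement"] if "Sid" in s]
        if len(set(sids)) < len(sids):  # AWS refuses to save a policy whose Sids repeat
            gaps.append("%s policy reuses a Sid" % w)
    return gaps

# Constructed, least-privilege versions of the post's three policies; these pass the check.
SAMPLE = dict(
    bucket_policy={"Version": "2012-10-17", "Statement": [
        _allow("ListBucket", "s3:ListBucket", BUCKET_ARN, USER_B),
        _allow("GetObjects", "s3:GetObject", BUCKET_ARN + "/*", USER_B)]},
    key_policy={"Version": "2012-10-17", "Statement": [
        _allow("KeyAdmin", "kms:*", "*", "arn:aws:iam::111111111111:root"),
        _allow("KeyUse", ["kms:Decrypt", "kms:DescribeKey"], "*", USER_B)]},
    user_policy={"Version": "2012-10-17", "Statement": [
        _allow("S3Read", ["s3:ListBucket", "s3:GetObject"], [BUCKET_ARN, BUCKET_ARN + "/*"]),
        _allow("KeyUse", "kms:Decrypt", KEY_ARN)]})
```

Run `cross_account_read_gaps(**SAMPLE)` on the real documents pulled from both accounts (for example via `aws s3api get-bucket-policy`, `aws kms get-key-policy` and `aws iam get-user-policy`); an empty list means the read chain is complete, otherwise each entry names the policy to fix.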