Error: AmazonS3Exception “Access Denied with Status Code: 403” in Amazon Athena when I query a bucket in another account

asethi93

Asis Sethi

Posted on January 16, 2021


Assumptions:

  1. Account A owns the S3 bucket (and, if encryption is on, the KMS key)
  2. Account B runs the Athena query

Let's start with Account A:

  1. Open the S3 bucket's Permissions tab
  2. Either edit the ACL of the bucket/objects or add a bucket policy
  3. For the ACL route, add the canonical ID of the external AWS account (Account B)
  4. For the bucket policy route, build the policy with the Policy Generator [https://awspolicygen.s3.amazonaws.com/policygen.html]; the two statements below are needed because the bucket ARN covers bucket-level actions only, and object reads need the /* resource:
{
  "Version": "2012-10-17",
  "Id": "Policy1604525342797",
  "Statement": [
    {
      "Sid": "Cross-Account-Bucket-Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xaccountbxx:root",
          "arn:aws:iam::xaccountbxx:user/cross-account-access-user"
        ]
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::analytics-cross-account-s3access"
    },
    {
      "Sid": "Cross-Account-Object-Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xaccountbxx:root",
          "arn:aws:iam::xaccountbxx:user/cross-account-access-user"
        ]
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::analytics-cross-account-s3access/*"
    }
  ]
}
  5. If the bucket is encrypted with a customer managed KMS key, add the Account B user to the key policy (key policies are evaluated in Account A, so the bucket policy alone is not enough):
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xaccountaxx:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xaccountbxx:user/cross-account-access-user"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}

Now Account B:

  1. Attach the policy below to the IAM user in Account B (the resource-based grant in Account A only takes effect if the identity in Account B is also allowed the action):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetAccessPoint",
        "s3:PutAccountPublicAccessBlock",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:ListAccessPoints",
        "s3:ListJobs",
        "s3:CreateJob"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::analytics-cross-account-s3access",
        "arn:aws:s3:::analytics-cross-account-s3access/*"
      ]
    }
  ]
}

  2. If KMS is enabled, attach another inline policy that allows the user to use the key in Account A (the key ARN must point at the key owner's account, otherwise the decrypt step still fails with 403):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeCustomKeyStores",
        "kms:ListKeys",
        "kms:DeleteCustomKeyStore",
        "kms:GenerateRandom",
        "kms:UpdateCustomKeyStore",
        "kms:ListAliases",
        "kms:DisconnectCustomKeyStore",
        "kms:CreateKey",
        "kms:ConnectCustomKeyStore",
        "kms:CreateCustomKeyStore"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "kms:*",
      "Resource": "arn:aws:kms:ca-central-1:xaccountaxx:key/4bb-452e-8885"
    }
  ]
}
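The policies in this post are the kind of thing that gets pasted out of a blog or a word processor, and a surprising share of "Access Denied 403" tickets come down to the paste itself: curly quotes, an en-dash in the Version string, a Sid used twice (which AWS rejects on save), object actions granted only on the bucket ARN, or a KMS key ARN that points at the requester's account instead of the key owner's. The script below is an added example, not code from the post or from AWS; it lints any policy document offline for those defects, going beyond the two accounts above to any bucket/key pair. The account ids, the key id and the embedded policy text are constructed placeholders.

```python
"""Offline lint for cross-account S3 / KMS policies (added example, not from the post).

Checks the failure modes that commonly produce a 403 from Athena in a
cross-account setup:
  * Version is not exactly "2012-10-17" (smart quotes / en-dashes from a paste)
  * a Sid is reused inside one policy (AWS rejects the document on save)
  * no Allow statement grants s3:GetObject on an object ARN (bucket/*)
  * a KMS key ARN lives in an account other than the key owner's
"""
import json
import re

ACCOUNT_A = "111111111111"  # constructed placeholder: owns the bucket and the KMS key
ACCOUNT_B = "222222222222"  # constructed placeholder: runs Athena with an IAM user
BUCKET = "analytics-cross-account-s3access"

# Substitutions that editors make into pasted JSON and that break json.loads.
_SMART = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'",
                        "\u2019": "'", "\u2013": "-", "\u2014": "-"})
_OBJECT_READ = ("s3:GetObject", "s3:Get*", "s3:*")
_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:(\d{12}):key/")


def needs_repair(text):
    """True if the text does not parse as JSON as pasted."""
    try:
        json.loads(text)
        return False
    except json.JSONDecodeError:
        return True


def parse_pasted_policy(text):
    """Replace curly quotes and dashes, then parse the policy document."""
    return json.loads(text.translate(_SMART))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy, key_owner=None):
    """Return a list of findings; an empty list means nothing was detected.

    key_owner: account id that must own any KMS key referenced (Account A here).
    """
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append(f"Version must be exactly '2012-10-17', got {policy.get('Version')!r}")
    seen_sids, touches_s3, grants_object_read = set(), False, False
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid")
        if sid is not None:
            if sid in seen_sids:
                findings.append(f"duplicate Sid {sid!r} (rejected by AWS on save)")
            seen_sids.add(sid)
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        touches_s3 = touches_s3 or any(a.startswith("s3:") for a in actions)
        # An object read needs a resource of the form arn:aws:s3:::bucket/...;
        # the bare bucket ARN (no slash) only covers bucket-level actions.
        if any(a in _OBJECT_READ for a in actions) and any(
                r.startswith("arn:aws:s3:::") and "/" in r for r in resources):
            grants_object_read = True
        for r in resources:
            m = _KEY_ARN.match(r)
            if m and key_owner and m.group(1) != key_owner:
                findings.append(f"KMS key {r} is in account {m.group(1)}, expected key owner {key_owner}")
    if touches_s3 and not grants_object_read:
        findings.append("no Allow statement grants s3:GetObject on an object ARN (bucket/*)")
    return findings


# Constructed sample: a bucket policy as it comes out of a blog editor, with
# curly quotes, an en-dash in Version, and the same Sid on both statements.
PASTED_BUCKET_POLICY = """{
 \u201cVersion\u201d: \u201c2012\u201310\u201317\u201d,
 \u201cStatement\u201d: [
  {\u201cSid\u201d: \u201cCross-Account-Permissions\u201d, \u201cEffect\u201d: \u201cAllow\u201d,
   \u201cPrincipal\u201d: {\u201cAWS\u201d: \u201carn:aws:iam::%s:root\u201d},
   \u201cAction\u201d: \u201cs3:*\u201d, \u201cResource\u201d: \u201carn:aws:s3:::%s\u201d},
  {\u201cSid\u201d: \u201cCross-Account-Permissions\u201d, \u201cEffect\u201d: \u201cAllow\u201d,
   \u201cPrincipal\u201d: {\u201cAWS\u201d: \u201carn:aws:iam::%s:root\u201d},
   \u201cAction\u201d: \u201cs3:GetObject\u201d, \u201cResource\u201d: \u201carn:aws:s3:::%s/*\u201d}
 ]
}""" % (ACCOUNT_B, BUCKET, ACCOUNT_B, BUCKET)

# Constructed sample: the Account B inline KMS policy with the key ARN pointing
# at Account B, which is the mistake the lint is meant to catch.
USER_KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "UseCrossAccountKey",
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": f"arn:aws:kms:ca-central-1:{ACCOUNT_B}:key/KEY-ID-PLACEHOLDER",
    }],
}

if __name__ == "__main__":
    print("pasted text parses as-is:", not needs_repair(PASTED_BUCKET_POLICY))
    for f in lint_policy(parse_pasted_policy(PASTED_BUCKET_POLICY)):
        print("bucket policy:", f)
    for f in lint_policy(USER_KMS_POLICY, key_owner=ACCOUNT_A):
        print("user KMS policy:", f)
```

Run it against the four documents above (after saving each to a file and calling `parse_pasted_policy` on its text) before putting them into the console; a clean lint does not prove access works, but every finding it reports is a guaranteed 403 or a guaranteed save error.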