         | Did this page help you? Yes No Tell us about it... |
Enabling Cross-Account Access
You can enable trusted entities outside of your AWS account to access certain resources within your AWS account. In addition, when the trusted entity is another AWS account, that account can delegate access to its AWS Identity and Access Management (IAM) users. This process is referred to as cross-account access. Cross-account access enables you to share access to your resources with users under other AWS accounts.
Cross-account access is a two-step process. First you give another AWS account access to specific resources, and then that AWS account delegates access to its users. An AWS account can delegate access only to the extent that it has been granted access. This section links to information about enabling access to particular AWS account resources, and then describes how to use IAM to delegate access to users within an account.
Access to AWS Resources
Certain AWS products enable you to grant access to your AWS resources to trusted entities outside of your AWS account. For example, you can use Amazon S3 ACLs and policies to grant other AWS accounts access to your Amazon S3 buckets.
The following table shows the AWS products that use policies to control access to resources, lists the resources available, and provides links to detailed information about how to use policies with each product.
| AWS product | Resource | Reference |
|---|---|---|
|
Amazon S3 |
buckets |
The policy is attached to the bucket, but the policy controls access to both the bucket and the objects in it; you can use ACLs to control access to individual objects. For more information, go to Access Control in the Amazon Simple Storage Service Developer Guide. |
|
Amazon SNS |
topics |
For more information, go to Appendix: Managing Access to Your Amazon SNS Topics in the Amazon Simple Notification Service Getting Started Guide. |
|
Amazon SQS |
queues |
For more information, go to Appendix: The Access Policy Language in the Amazon Simple Queue Service Developer Guide. |
![[Important]](http://docs.amazonwebservices.com/docs-common/images/important.png) | Important |
|---|---|
Give access only to entities you trust, and give the minimum amount of access necessary. Granting access to an AWS account enables it to delegate access to its users. An AWS account can delegate access only to the extent that it has access. |
Delegating AWS Account Permissions to IAM Users
An AWS account with access to another AWS account's resources can use an IAM policy to delegate access to the users under its account, as described in the following figure and table. (For information about permissions, policies, and the access policy language you use to write policies, see Permissions and Policies.)
 |
Account A gives Account B full access to Account A's Amazon S3 bucket. As a result, Account B can perform any action on Account A's bucket, and Account B can grant access to users under Account B. |
 |
Account B gives User 1 read access to Account A's Amazon S3 bucket. User 1 can view the objects in Account A's bucket. The level of access Account B can delegate is equivalent to, or less than, the access it has. |
 |
Account B does not give access to User 2. Because User 2 has not been granted access to Account A's Amazon S3 bucket by Account B, by default, User 2 cannot access the bucket or the objects in the bucket. |
| Important |
|---|---|
In the preceding example, be aware that if Account B had used wildcards (*) to give a user full access to all its resources, that user would automatically have access to any resources that Account B has access to, including access granted by another account to its own resources. In this case, the user would have access to Account A's resources even though Account B did not specifically apply the permission. Policies are late-binding. This means that IAM evaluates a user's permissions at the time the user makes a request. Therefore, if you use wildcards (*) to give users full access to your resources, users are able to access any resources your AWS account has access to, even resources you add or gain access to after creating the user's policy. |
How to Delegate AWS Account Permissions
To delegate permissions to users under your AWS account, you attach a policy to the user or group that you want to delegate your permissions to. You can delegate permissions equivalent to, or less than, the permissions you have.
For example, if your account has full access to the resources of another AWS account, you can delegate full access, list access, or any other partial access to users under your AWS account. If you have been granted list access only, you can delegate only list access. This means that where you have list access only, but you grant users under your AWS account full access, your users will have list access only. (For information about attaching a policy to a user or group, see Managing IAM Policies.)
Example 1: Use a policy to delegate access to another AWS account's Amazon S3 bucket
In this example, Account A uses a bucket policy to grant Account B full access to Account A's Amazon S3 bucket. Then, Account B creates an IAM user policy to delegate access to Account A's bucket to one of the users under Account B.
Account A's bucket policy might look like the following policy. In this example, Account A's Amazon S3 bucket is named mybucket, and Account B's account number is 1111-2222-3333. Account A uses Amazon S3 to implement this policy.
{
"Statement" : {
"Effect":"Allow",
"Sid":"AccountBAccess1",
"Principal" : {
"AWS":"111122223333"
},
"Action":"s3:*",
"Resource":"arn:aws:s3:::mybucket/*"
}
}![[Note]](http://docs.amazonwebservices.com/docs-common/images/note.png) | Note |
|---|---|
Alternatively, Account A could use Amazon S3 Access Control Lists (ACLs) to grant Account B access to an Amazon S3 bucket or a single object within a bucket. In this case, the only thing that would change is how Account A grants access to Account B. Account B would still use a policy to delegate access to a user under Account B, as described in the second part of this example. For more information about controlling access on Amazon S3 buckets and objects, go to Access Control in the Amazon Simple Storage Service Developer Guide. |
The next example shows the IAM user (or group) policy that Account B might create to delegate read access to a user under Account B. In this
policy, the Action element is explicitly defined to allow only List actions, and
the Resource element of this policy matches the Resource
for the bucket policy implemented by Account A.
Account B implements this policy by using IAM to attach it to the appropriate user (or group) under Account B.
{
"Statement":{
"Effect":"Allow",
"Action":"s3:List*",
"Resource":"arn:aws:s3:::mybucket/*"
}
}Example 2: Delegate access to another AWS account's Amazon SQS queue
In this example, Account A has an Amazon SQS queue and Account A uses a queue policy to grant queue access to Account B. Then, Account B uses an IAM user policy to delegate access to a user under Account B.
The following example queue policy gives Account B SendMessage and ReceiveMessage permission for Account A's queue
named 1234-5678-9012/queue1, but only between noon and 3:00 p.m. on November 30, 2011. Account B's account
number is 1111-2222-3333. Account A uses Amazon SQS to implement this policy.
{
"Statement":{
"Effect": "Allow",
"Action": ["sqs:SendMessage","sqs:ReceiveMessage"],
"Principal": {
"AWS": "111122223333"
}
"Resource": "arn:aws:sqs:*:/123456789012:queue1",
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": "2011-11-30T12:00Z"
}
"DateLessThan": {
"aws:CurrentTime": "2011-11-30T15:00Z"
},
},
}
}Account B's policy delegating access to a user under Account B might look like the following example. Account B uses IAM to attach this policy to a user (or group).
{
"Statement":{
"Effect":"Allow",
"Action":"sqs:*",
"Resource":"arn:aws:sqs:*:/123456789012:queue1"
}
}In the preceding IAM user policy example, Account B uses a wildcard to grant its user access to Account A's queue. But,
because Account B can delegate access only to the extent that Account B has been granted access, Account B's user can access the
queue only between noon and 3:00 p.m. on November 30, 2011, and the user can only perform SendMessage
and ReceiveMessage actions, as defined in Account A's Amazon SQS queue policy.
Example 3: Cannot delegate access when the account is denied access
By default, other AWS accounts and their users cannot access your AWS account resources. But, when you use a policy to explicitly deny an AWS account access to your resources, the deny propagates to the users under that account regardless of whether the users have existing policies granting them access. This means that an AWS account cannot delegate access to another account's resources if the other account has explicitly denied access to the user's parent account.
For example, Account A writes a bucket policy on Account A's Amazon S3 bucket that explicitly denies Account B access to Account A's bucket. But Account B writes an IAM user policy that grants a user under Account B access to Account A's bucket. The explicit deny applied to Account A's Amazon S3 bucket propagates to the users under Account B and overrides the IAM user policy granting access to the user under Account B. (For detailed information how permissions are evaluated, see Evaluation Logic.)
Account A's bucket policy might look like the following policy. In this example, Account A's Amazon S3 bucket is named mybucket, and Account B's account number is 1111-2222-3333. Account A uses Amazon S3 to implement this policy.
{
"Statement" : {
"Effect":"Deny",
"Sid":"AccountBDeny",
"Principal" : {
"AWS":"111122223333"
},
"Action":"s3:*",
"Resource":"arn:aws:s3:::mybucket/*"
}
}Account B implements the following IAM user policy by using IAM to attach it to the a user under Account B.
{
"Statement":{
"Effect":"Allow",
"Action":"s3:*",
"Resource":"arn:aws:s3:::mybucket/*"
}
}Because Account A's bucket policy explicitly denies Account B access to mybucket, the deny propagates to the user under Account B, and Account B's IAM user policy granting Account B's user access to Account A's bucket has no effect. The user cannot access Account A's bucket.
