Forum Discussion

PSAmmirata
Employee
5 years ago
Solved

AWS S3 Account "Cross Account IAM" benefit over using resource-based policy?

We operate in an environment where our SnapLogic snaplex is in one AWS account (the trusted AWS account) and our S3 resources are in other AWS accounts (the trusting AWS accounts). In most of our A...
  • kzhou
    5 years ago

    Hi Paul,
    The cross-account IAM role uses a role inside the trusting account to delegate access to a role or user in the trusted account. In this case, the trusting role is granted all the permissions we want the trusted account to have, and we don't need to explicitly expose a resource to some external account in the policy.

    Also, the cross-account role is more secure. The way it works relies on the sts:AssumeRole API, so the access granted to the trusted role is temporary. Plus, it can be set up with an external ID to provide an extra layer of security. This is especially beneficial in the case where the trusting account and the trusted account belong to different organizations.

    The downside of a cross-account role vs. a resource-based role is that, when we assume the role in the trusting AWS account, we lose the original permissions we have in our own AWS account (since we are now acting as a role in the trusting AWS account).

    As for the case of using an access-key ID and secret key, the goal of the cross-account effort above is to avoid sharing AWS credentials with different teams or organizations.

    Hope this helps!
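The three policy documents the reply above contrasts, and the two checks it relies on, as an added worked example. This is not code from the thread or from SnapLogic; the account IDs, bucket name, role name and external ID are made up, and the two evaluator functions are a deliberately simplified model of what IAM does at sts:AssumeRole time and at S3 request time, not AWS's policy engine.

```python
"""Cross-account S3 access through an IAM role, contrasted with a bucket policy.

Added example, not code from the thread or from SnapLogic. Account IDs, the bucket
name and the external ID are made up. The two evaluators are a deliberately
simplified model of the checks IAM performs; they are not AWS's engine.
"""
import fnmatch
import json

TRUSTED_ACCOUNT = "111111111111"   # assumed: account running the Snaplex (the caller)
TRUSTING_ACCOUNT = "222222222222"  # assumed: account that owns the bucket
BUCKET = "example-data-bucket"     # assumed: bucket in the trusting account
EXTERNAL_ID = "snaplogic-7f3a"     # assumed: value agreed out of band with the other team


def trust_policy(trusted_account, external_id):
    """Trust policy on the role in the trusting account: who may assume it.
    The ExternalId condition is the extra layer the reply mentions; it stops a
    third party who knows the role ARN from assuming it through the trusted
    account (the confused-deputy case)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def role_permissions_policy(bucket):
    """Permissions policy on that same role: what the assumed session may do."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def bucket_policy(bucket, trusted_account):
    """The resource-based alternative: the bucket policy itself names the
    external account, which is exactly what the reply prefers to avoid."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def can_assume(policy, caller_account, external_id=None):
    """Simplified sts:AssumeRole check against a trust policy: the caller's
    account must match the Principal, and every StringEquals condition key
    must be present in the request with the same value."""
    request = {"sts:ExternalId": external_id}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if all(request.get(key) == value for key, value in equals.items()):
            return True
    return False


def session_allows(policy, action, resource_arn):
    """Simplified identity-policy check for the assumed session. The session
    carries only the role's policy, so anything the caller could do in its
    home account is gone after AssumeRole (the downside the reply describes)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if any(fnmatch.fnmatchcase(resource_arn, pat) for pat in stmt["Resource"]):
            return True
    return False


if __name__ == "__main__":
    tp = trust_policy(TRUSTED_ACCOUNT, EXTERNAL_ID)
    print(json.dumps(tp, indent=2))
    print("right account + external id:", can_assume(tp, TRUSTED_ACCOUNT, EXTERNAL_ID))
    print("right account, no external id:", can_assume(tp, TRUSTED_ACCOUNT))
    print("other account + external id:", can_assume(tp, "333333333333", EXTERNAL_ID))
    rp = role_permissions_policy(BUCKET)
    print("session reads trusting-account bucket:",
          session_allows(rp, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/report.csv"))
    print("session reads a home-account bucket:",
          session_allows(rp, "s3:GetObject", "arn:aws:s3:::trusted-account-bucket/x"))
```

In practice the caller in the trusted account still needs its own identity policy allowing sts:AssumeRole on the role ARN, and then obtains temporary credentials with something like `aws sts assume-role --role-arn arn:aws:iam::222222222222:role/SnaplexS3Access --role-session-name snaplex --external-id snaplogic-7f3a` (role name assumed). Those credentials expire with the session, which is the "temporary access" point in the reply; omitting `--external-id`, or presenting the wrong one, fails the trust-policy check just as `can_assume` shows.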