AWS S3 Account "Cross Account IAM" benefit over using resource-based policy?

We operate in an environment where our SnapLogic snaplex is in one AWS account (the trusted AWS account) and our S3 resources are in other AWS accounts (the trusting AWS accounts).

In most of our AWS S3 Accounts we have ‘IAM role’ enabled. Prior to the introduction of the “Cross Account IAM” capability we implemented cross account access by adding a resource-based policy (i.e. an S3 bucket policy) that granted access on the bucket to the principal in the trusted AWS Account (where SnapLogic groundplex nodes are). What are the pros and cons of using the “Cross Account IAM” capability which is a role for cross-account access vs using the resource-based policy?

In cases where using access-key ID and secret key, a similar question, Why use the “Cross Account IAM” capability when you could use resource-based policy to grant the access?

Hi Paul,
The cross account IAM role is using a role inside the trusting account to delegate the role or user in trusted account. In this case, trusting role would be granted with all the permissions we want the trusted account to have, and we don’t need to explicitly expose a resource to some external account in the policy.

Also, the cross-account role is more secure. The way it works is relying on the sts:AssumeRole API, the access it granted to the trusted role is a temporary one. Plus, it can be set with an external ID to provide an extra layer of security. This is especially beneficial for the case where the trusting account and trusted account are from different organizations

The downside of cross-account role vs resource-based role is that, when we assume the role in the trusting AWS account, we are losing the original permissions we have in our own AWS account (since now we are acting as a role in trusting AWS account)

As for the case using access-key ID and secret key, the goal of the cross-account effort above is to avoid sharing AWS credentials with different teams or organizations.

Hope this helps!

1 Like