
I'm providing cross-account services to my client, who has their own AWS account. I'd like them to be able to configure any S3 bucket that they own so that any ObjectCreated event is logged to my SQS queue. I'd also like to prevent any other party from writing to my queue, or configuring their buckets to write object notifications to my queue.

So far, I have this permission document. (My accountId: 222222222222, my customer's accountId: 111111111111)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CrossAccountWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:us-west-2:222222222222:customer-s3-notifications",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:customer-s3-bucket"
        }
      }
    }
  ]
}

This allows one of their buckets to write to my queue; however, I'd like to allow any of their buckets to write to my queue. Normally, I'd just wildcard on an ARN that starts with their customer accountId; however, for whatever reason, S3 buckets don't have a region and don't have an accountId in them. Is there any way for me to do this filtering at the permission level?

Andrew Rueckert
  • The reason that Amazon S3 bucket ARNs don't include Region or Account ID is that bucket names are unique, so Region and Account ID can be derived from the bucket name. Nonetheless, have you tried `arn:aws:s3:*:111111111111:*`? Did the above policy work correctly for that particular bucket? – John Rotenstein Oct 17 '18 at 00:04
  • Another option might be to have them create an SNS topic in their account that you subscribe to. That would also allow them to implement multiple subscribers (I'm guessing right now that you, and only you, get the s3:ObjectCreated events from their buckets). – jarmod Oct 17 '18 at 00:30
  • @JohnRotenstein no, `"aws:SourceArn": "arn:aws:s3:*:111111111111:*"` does not work. :( – Andrew Rueckert Oct 17 '18 at 18:40
  • Do you have the cross-account notification working for _any_ configuration (even if it is not optimally configured)? – John Rotenstein Oct 17 '18 at 19:33
  • @JohnRotenstein the configuration posted above works for cross-account notification for only the `customer-s3-bucket` bucket. I can also remove the `Condition` block entirely and allow _any_ S3 bucket to log to my queue (although that's not ideal either.) – Andrew Rueckert Oct 17 '18 at 21:53
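As an added example (not from the asker or the commenters): the condition key AWS documents for this situation is aws:SourceAccount, which S3 supplies as the bucket owner's account ID when it publishes a notification, so the queue policy can keep a wildcard on aws:SourceArn and pin the account with StringEquals. The small evaluator below is an assumption: a simplified stand-in for IAM's engine that only handles Allow statements with ArnLike and StringEquals, used to show which requests the policy admits and which it rejects.

```python
import fnmatch

# Account IDs and queue ARN taken from the question above.
MY_ACCOUNT = "222222222222"
CUSTOMER_ACCOUNT = "111111111111"
QUEUE_ARN = f"arn:aws:sqs:us-west-2:{MY_ACCOUNT}:customer-s3-notifications"

def build_queue_policy(queue_arn: str, bucket_owner_account: str) -> dict:
    """SQS queue policy: S3 may SendMessage, but only for buckets owned by bucket_owner_account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "CrossAccountWrite",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "SQS:SendMessage",
        "Resource": queue_arn,
        "Condition": {
            # Any bucket ARN (bucket ARNs carry no region/account), but only for this owner's account.
            "ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:*"},
            "StringEquals": {"aws:SourceAccount": bucket_owner_account},
        },
    }]}

def is_allowed(policy: dict, principal: dict, action: str, resource: str, ctx: dict) -> bool:
    """Simplified evaluator (assumption, not IAM): Allow statements with ArnLike/StringEquals only."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] != "Allow" or stmt["Principal"] != principal
                or stmt["Action"].lower() != action.lower() or stmt["Resource"] != resource):
            continue
        cond = stmt.get("Condition", {})
        arn_ok = all(fnmatch.fnmatchcase(ctx.get(k, ""), v) for k, v in cond.get("ArnLike", {}).items())
        str_ok = all(ctx.get(k) == v for k, v in cond.get("StringEquals", {}).items())
        if arn_ok and str_ok:
            return True
    return False

def demo() -> dict:
    """Constructed requests against the policy: which senders it admits."""
    policy = build_queue_policy(QUEUE_ARN, CUSTOMER_ACCOUNT)
    s3 = {"Service": "s3.amazonaws.com"}
    def s3_sends(bucket: str, owner: str) -> bool:
        ctx = {"aws:SourceArn": f"arn:aws:s3:::{bucket}", "aws:SourceAccount": owner}
        return is_allowed(policy, s3, "SQS:SendMessage", QUEUE_ARN, ctx)
    direct = {"AWS": "arn:aws:iam::333333333333:root"}  # a caller that is not the S3 service
    return {
        "customer_bucket": s3_sends("customer-s3-bucket", CUSTOMER_ACCOUNT),
        "customer_other_bucket": s3_sends("customer-second-bucket", CUSTOMER_ACCOUNT),
        "other_account_bucket": s3_sends("unrelated-bucket", "333333333333"),
        "direct_caller": is_allowed(policy, direct, "SQS:SendMessage", QUEUE_ARN, {}),
    }
```

Run `demo()` to see the four cases: both customer-owned buckets pass, a bucket from any other account and a non-S3 caller are refused.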
