実現させたいこと
アカウントAのS3バケットに対して、アカウントBのEC2からアクセスしたい。
構成
準備中
アカウントAのS3バケット
例)
arn:aws:s3:::crossaccount-bucket
アカウントBのIAMロール
例)
arn:aws:iam::012345678912:role/my-ec2-put-s3-crossaccount-bucket-role
アカウントBのEC2
アカウントBのIAMロールを関連付け
アカウントBのVPCにVPC Endpoint
EndpointのタイプはGatewayで、対象サービスはとりあえずS3とする。
Policyの作成
アクセス制御はPolicyで実現させてみる。クロスアカウントアクセスでは、アカウントB側のIAMポリシーとアカウントA側のS3バケットポリシーの両方で許可された操作だけが通るので、両方を揃えて設定する。
アカウントBのIAM Role信頼関係
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
アカウントBのIAM Policy
アカウントBのIAMロールにアクセス権限のポリシーをアタッチする。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::crossaccount-bucket/*",
"arn:aws:s3:::crossaccount-bucket"
]
}
]
}
アカウントBのVPC Endpoint Policy
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::crossaccount-bucket/*",
"arn:aws:s3:::crossaccount-bucket"
],
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": "arn:aws:iam::012345678912:role/my-ec2-put-s3-crossaccount-bucket-role"
}
}
}
]
}
アカウントAのS3バケット Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::012345678912:role/my-ec2-put-s3-crossaccount-bucket-role"
},
"Action": [
"s3:DeleteObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::crossaccount-bucket/for_uplad/*",
"arn:aws:s3:::crossaccount-bucket/for_uplad"
]
},
{
"Sid": "Statement2",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::012345678912:role/my-ec2-put-s3-crossaccount-bucket-role"
},
"Action": [
"s3:DeleteObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::crossaccount-bucket/for_dowmload/*",
"arn:aws:s3:::crossaccount-bucket/for_dowmload"
]
},
{
"Sid": "Statement3",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::012345678912:role/my-ec2-put-s3-crossaccount-bucket-role"
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::crossaccount-bucket/deny_put/*",
"arn:aws:s3:::crossaccount-bucket/deny_put"
]
},
{
"Sid": "Statement4",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::012345678912:role/my-ec2-put-s3-crossaccount-bucket-role"
},
"Action": "s3:DeleteObject",
"Resource": [
"arn:aws:s3:::crossaccount-bucket/deny_delete/*",
"arn:aws:s3:::crossaccount-bucket/deny_delete"
]
},
{
"Sid": "Statement5",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::012345678912:role/my-ec2-put-s3-crossaccount-bucket-role"
},
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::crossaccount-bucket/deny_get/*",
"arn:aws:s3:::crossaccount-bucket/deny_get"
]
}
]
}