You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use
separate AWS accounts to host each environment. You plan to link each accounts bill to a Master AWS
account using Consolidated Billing. To make sure you Keep within budget you would like to implement a way for
administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev
and Test accounts.
Identify which option will allow you to achieve this goal.
Create IAM users in the Master account with full Admin permissions. Create cross-account roles in the Dev
and Test accounts that grant the Master account access to the resources in the account by inheriting
permissions from the Master account.
Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the
Dev and Test accounts.
Create IAM users in the Master account Create cross-account roles in the Dev and Test accounts that have
full Admin permissions and grant the Master account access.
Link the accounts using Consolidated Billing. This will give IAM users in the Master account access to
resources in the Dev and Test accounts
Bucket Owner Granting Cross-account Permission to objects It Does Not Own
In this example scenario, you own a bucket and you have enabled other AWS accounts to upload objects. That
is, your bucket can have objects that other AWS accounts own.
Now, suppose as a bucket owner, you need to grant cross-account permission on objects, regardless of who
the owner is, to a user in another account. For example, that user could be a billing application that needs to
access object metadata. There are two core issues:
The bucket owner has no permissions on those objects created by other AWS accounts. So for the bucket
owner to grant permissions on objects it does not own, the object owner, the AWS account that created the
objects, must first grant permission to the bucket owner. The bucket owner can then delegate those
Bucket owner account can delegate permissions to users in its own account but it cannot delegate permissions
to other AWS accounts, because cross-account delegation is not supported.
In this scenario, the bucket owner can create an AWS Identity and Access Management (IAM) role with
permission to access objects, and grant another AWS account permission to assume the role temporarily
enabling it to access objects in the bucket.
Background: Cross-Account Permissions and Using IAM Roles
IAM roles enable several scenarios to delegate access to your resources, and cross-account access is one of
the key scenarios. In this example, the bucket owner, Account A, uses an IAM role to temporarily delegate
object access cross-account to users in another AWS account, Account C. Each IAM role you create has two
policies attached to it:
A trust policy identifying another AWS account that can assume the role.
An access policy defining what permissions—for example, s3:GetObject—are allowed when someone assumes
the role. For a list of permissions you can specify in a policy, see Specifying Permissions in a Policy.
The AWS account identified in the trust policy then grants its user permission to assume the role. The user can
then do the following to access objects:
Assume the role and, in response, get temporary security credentials.
Using the temporary security credentials, access the objects in the bucket.
For more information about IAM roles, go to Roles (Delegation and Federation) in IAM User Guide.
The following is a summary of the walkthrough steps:Account A administrator user attaches a bucket policy granting Account B conditional permission to upload
Account A administrator creates an IAM role, establishing trust with Account C, so users in that account can
access Account A. The access policy attached to the role limits what user in Account C can do when the user
accesses Account A.
Account B administrator uploads an object to the bucket owned by Account A, granting full-control permission
to the bucket owner.
Account C administrator creates a user and attaches a user policy that allows the user to assume the role.
User in Account C first assumes the role, which returns the user temporary security credentials. Using those
temporary credentials, the user then accesses objects in the bucket.
For this example, you need three accounts. The following table shows how we refer to these accounts and the
administrator users in these accounts. Per IAM guidelines (see About Using an Administrator User to Create
Resources and Grant Permissions) we do not use the account root credentials in this walkthrough. Instead, you
create an administrator user in each account and use those credentials in creating resources and granting them