Amazon S3 access points for cross-account integration samples

In this repository, we provide cross-account integration code samples using Access points, a feature provided by Amazon S3.

This repo is organized into following branches:

1. main: It has code samples for AWS CLI and Java application
2. main-emr: It has code sample for an Amazon EMR job.

Figure below represent AWS CLI and Java application

---

Build Instructions

1. The source code has Maven nature, so if you have Maven locally then you can build it using standard Maven commands e.g. mvn -X clean install. or use the options available in your IDE
2. This will generate a jar file called s3-cross-account-access-points-0.1.jar

---

AWS Service Requirements

The following AWS services are required to demo/try this solution.

---

Source Account

1. One S3 Bucket
2. One Bucket Policy
3. Two Access Points
4. One KMS Key to encrypt S3 bucket

---

Target Account

1. One IAM Group
2. One IAM User
3. One IAM Role
4. One EC2 Instance

---

Utility Classes Overview

Class	Overview
PutObject_Demo_UsingIAMRole	Java class to upload an object to S3 - to be executed on an EC2 instance.
PutObject_Demo_StandaloneUser	Java class to upload an object to S3 - to be executed on your Laptop / MacBook.

Deployment Instructions - Account B

1. Login to AWS Console and go to IAM
2. Create an IAM User Group with the following IAM Policies
   • user_group_kms_policy_sample
   • user_group_s3_policy_sample
3. Create an IAM User and add it to the group created in Step # 2
4. Create an IAM Role with two policies as follows:
   • IAM Policy for S3. Use s3_policy_iam_role_ec2_instance as a sample
   • IAM Policy for KMS. Use kms_key_policy as a sample
5. Provision as EC2 Instance with the following settings
   • t2.micro instance should be good enough
   • the IAM Role created in Steps # 4
   • Make sure the security allows inbound access only from your IP address
   • Make a note of the public IP address

Deployment Instructions - Account A (E.g. 2345678901)

1. Logon to AWS Console
2. Go to KMS and create a Customer managed key
   • For Key administrators, add required users / roles in Account A
   • For Key users, add
     • required users / roles in Account A
     • under Other AWS accounts, add id for Account B e.g. arn:aws:iam::1234567890:root
3. Go to S3 and create a bucket
4. Go to Properties, under Default encryption, select AWS-KMS and select the KMS key created in the previous step
5. Create a bucket policy using sample bucket_policy_delegate_permissions_to_access_point
6. Create first access point using sample access_point_for_external_roles_sample
7. Create second access point using samples access_point_for_external_users_sample

Testing Instructions - Account B (E.g. 1234567890)

1. Pre-requisite: AWS CLI v2 is required on your on your Laptop / MacBook

2. Test # 1 - using AWS CLI v2 on your Laptop / MacBook

   aws s3api put-object --bucket arn:aws:s3:us-east-1:2345678901:accesspoint/access-point-external-users --key <Object_Name> --body <Object_Path> --profile default

3. Test # 2 - using EC2 instance

   1. Logon to EC2 Instance using the command below

      ssh -i my_ec2_keypair.pem ec2-user@Public_IP_of_EC2

   2. Install Open JDK v 1.8

   3. Logout from EC2 Instance

   4. Upload Jar file to EC2 instance

      scp -i /Users/<Your_User_Id>/Downloads/my_ec2_keypair.pem s3-cross-account-access-points-0.1.jar ec2-user@<Public_IP_of_EC2>:/home/ec2-user/

   5. Logon to EC2 Instance

   6. Run the Java Program

      java -jar s3-cross-account-access-points-0.1.jar arn:aws:s3:us-east-1:2345678901:accesspoint/access-point-external-roles from_ec2_instance us-east-1

---

Authors

Following people have contributed to this repo.

1. Phanee Gottumukkala, Data & ML Engineer, AWS Professional Services
2. Sunil Penumala, Data Architect, AWS Professional Services
3. Ravi Itha, Sr. Data Architect, AWS Professional Services

---

License Summary

This sample code is made available under the MIT license. See the LICENSE file.