
Amazon S3 access points for cross-account integration samples

This repository provides cross-account integration code samples built on Amazon S3 Access Points: a bucket in one account is reached from IAM principals in another account through access points, with the bucket policy delegating access control to the access point policies.

This repo is organized into the following branches:

  1. main: code samples for the AWS CLI and a Java application
  2. main-emr: a code sample for an Amazon EMR job

Figure (not reproduced here): architecture of the AWS CLI and Java application flows.


Build Instructions

  1. The project is a Maven build, so if you have Maven installed you can build it with the standard Maven commands, e.g. mvn -X clean install, or use the Maven options available in your IDE
  2. The build generates a jar file called s3-cross-account-access-points-0.1.jar

AWS Service Requirements

The following AWS resources are required to try this solution.


Source Account

  1. One S3 Bucket
  2. One Bucket Policy
  3. Two Access Points
  4. One KMS Key to encrypt S3 bucket

Target Account

  1. One IAM Group
  2. One IAM User
  3. One IAM Role
  4. One EC2 Instance

Utility Classes Overview

Class                          Overview
PutObject_Demo_UsingIAMRole    Java class that uploads an object to S3; to be executed on an EC2 instance using its instance role.
PutObject_Demo_StandaloneUser  Java class that uploads an object to S3; to be executed on your laptop / MacBook using IAM user credentials.

Deployment Instructions - Account B (E.g. 1234567890)

  1. Log in to the AWS Console and go to IAM
  2. Create an IAM user group and attach the following IAM policies:
  3. Create an IAM user and add it to the group created in Step # 2
  4. Create an IAM role with two policies as follows:
  5. Provision an EC2 instance with the following settings
    • a t2.micro instance should be good enough
    • attach the IAM role created in Step # 4
    • make sure the security group allows inbound SSH (port 22) only from your IP address
    • make a note of the public IP address

Deployment Instructions - Account A (E.g. 2345678901)

  1. Log in to the AWS Console
  2. Go to KMS and create a Customer managed key
    • For Key administrators, add the required users / roles in Account A
    • For Key users, add
      • the required users / roles in Account A
      • under Other AWS accounts, the id of Account B, e.g. arn:aws:iam::1234567890:root. Granting the account root lets any principal in Account B whose own IAM policy allows the KMS actions use the key; to narrow this to the IAM user and role created in Account B, list their ARNs instead of the account root.
  3. Go to S3 and create a bucket
  4. Go to Properties and, under Default encryption, select AWS-KMS (SSE-KMS) and the KMS key created in the previous step
  5. Create a bucket policy using the sample bucket_policy_delegate_permissions_to_access_point; it delegates access control for the bucket to access points owned by Account A, so the access point policies become the place where access is decided
  6. Create the first access point using the sample access_point_for_external_roles_sample
  7. Create the second access point using the sample access_point_for_external_users_sample
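The sample policy files named in steps 5 to 7 are not reproduced on this page, so the following is an added example rather than the repository's own code or the content of those files. It holds constructed versions of the three policy documents the Account A steps call for (bucket policy, access point policy for the external role, KMS key policy), written in the S3 Access Point delegation pattern described above, and runs the preflight checks a reviewer would want before trusting the cross-account upload: the bucket grants nothing except through access points owned by Account A, the access point policy names only the intended Account B principal and only s3:PutObject on that access point's objects, and the key policy gives Account B the KMS actions SSE-KMS needs. The account IDs are the README's placeholders (real AWS account IDs are 12 digits); the bucket name, the Account B role name and the statement Sids are assumed.

```python
"""Preflight check on the Account A policy set used by this sample.

Added example, not code from this repository. The policy documents below are
constructed to follow the S3 Access Point delegation pattern; they reuse the
README's placeholder account IDs (real AWS account IDs are 12 digits), and the
bucket name, role name and Sids are assumed.
"""
from fnmatch import fnmatchcase

ACCOUNT_A = "2345678901"  # README placeholder: bucket and key owner
ACCOUNT_B = "1234567890"  # README placeholder: external account
REGION = "us-east-1"
BUCKET = "source-bucket"  # assumed
AP_ROLES = "access-point-external-roles"  # access point name used in the README
AP_ROLES_ARN = f"arn:aws:s3:{REGION}:{ACCOUNT_A}:accesspoint/{AP_ROLES}"
ROLE_B = f"arn:aws:iam::{ACCOUNT_B}:role/s3-writer-role"  # assumed
# PutObject under SSE-KMS needs GenerateDataKey; multipart uploads and reads also need Decrypt.
SSE_KMS_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt"}

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DelegateToAccessPoints",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        # Only requests arriving through an access point owned by Account A match.
        "Condition": {"StringEquals": {"s3:DataAccessPointAccount": ACCOUNT_A}},
    }],
}

ACCESS_POINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExternalRolePutOnly",
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_B},
        "Action": "s3:PutObject",
        "Resource": f"{AP_ROLES_ARN}/object/*",
    }],
}

KMS_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KeyAdmins", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
         "Action": "kms:*", "Resource": "*"},
        # Deployment step 2 adds Account B's root as key user: any principal in Account B
        # whose IAM policy allows these actions can use the key. ROLE_B instead narrows it.
        {"Sid": "ExternalKeyUsers", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}


def _list(v):
    return v if isinstance(v, list) else [v]

def _allows(policy):
    return [s for s in _list(policy["Statement"]) if s.get("Effect") == "Allow"]

def _principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _list(p.get("AWS", []))

def check_bucket_policy(policy, owner_account):
    """Flag Allow statements not restricted to owner_account's access points; [] means
    the bucket grants nothing directly and access is decided by the access point policies."""
    return [f"{s.get('Sid', '?')}: Allow without s3:DataAccessPointAccount={owner_account}"
            for s in _allows(policy)
            if s.get("Condition", {}).get("StringEquals", {})
                .get("s3:DataAccessPointAccount") != owner_account]

def check_access_point_policy(policy, ap_arn, principals, actions):
    """Flag any principal, action or resource beyond `principals` doing `actions` on ap_arn."""
    findings = []
    for s in _allows(policy):
        sid = s.get("Sid", "?")
        findings += [f"{sid}: unexpected principal {p}" for p in _principals(s) if p not in principals]
        findings += [f"{sid}: unexpected action {a}" for a in _list(s.get("Action", [])) if a not in actions]
        findings += [f"{sid}: resource outside access point {r}" for r in _list(s.get("Resource", []))
                     if r != ap_arn and not r.startswith(ap_arn + "/object/")]
    return findings

def missing_kms_actions(policy, account):
    """SSE_KMS_ACTIONS not granted to any principal of `account` (its root or an IAM ARN in it)."""
    granted = set()
    for s in _allows(policy):
        if any(p.startswith(f"arn:aws:iam::{account}:") for p in _principals(s)):
            for pattern in _list(s.get("Action", [])):
                granted |= {a for a in SSE_KMS_ACTIONS if fnmatchcase(a, pattern)}
    return SSE_KMS_ACTIONS - granted


if __name__ == "__main__":
    print("bucket policy:", check_bucket_policy(BUCKET_POLICY, ACCOUNT_A) or "ok")
    print("access point policy:", check_access_point_policy(
        ACCESS_POINT_POLICY, AP_ROLES_ARN, {ROLE_B}, {"s3:PutObject"}) or "ok")
    print("kms key policy:", missing_kms_actions(KMS_KEY_POLICY, ACCOUNT_B) or "ok")
```

Run it with python3 against the constructed documents, or point the same functions at the live ones: aws s3api get-bucket-policy and aws s3control get-access-point-policy both return the document as a JSON string in the Policy field, so json.loads it before passing it in. A bucket policy Allow without the s3:DataAccessPointAccount condition, or an access point policy with a "*" principal or an action wider than s3:PutObject, shows up as a finding.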

Testing Instructions - Account B (E.g. 1234567890)

  1. Pre-requisite: AWS CLI v2 is required on your Laptop / MacBook, with the default profile holding the credentials of the IAM user created in Account B

  2. Test # 1 - using AWS CLI v2 on your Laptop / MacBook (note that --bucket takes the access point ARN, not the bucket name)

    aws s3api put-object --bucket arn:aws:s3:us-east-1:2345678901:accesspoint/access-point-external-users --key <Object_Name> --body <Object_Path> --profile default
  3. Test # 2 - using EC2 instance

    1. Log on to the EC2 instance using the command below

      ssh -i my_ec2_keypair.pem ec2-user@Public_IP_of_EC2

    2. Install OpenJDK 8 (Java 1.8)

    3. Log out from the EC2 instance

    4. Upload the jar file to the EC2 instance

      scp -i /Users/<Your_User_Id>/Downloads/my_ec2_keypair.pem s3-cross-account-access-points-0.1.jar ec2-user@<Public_IP_of_EC2>:/home/ec2-user/
    5. Log on to the EC2 instance again

    6. Run the Java program, passing the external-roles access point ARN (the instance role is used for credentials)

      java -jar s3-cross-account-access-points-0.1.jar arn:aws:s3:us-east-1:2345678901:accesspoint/access-point-external-roles from_ec2_instance us-east-1

Authors

The following people have contributed to this repo.

  1. Phanee Gottumukkala, Data & ML Engineer, AWS Professional Services
  2. Sunil Penumala, Data Architect, AWS Professional Services
  3. Ravi Itha, Sr. Data Architect, AWS Professional Services

License Summary

This sample code is made available under the MIT license. See the LICENSE file.