I saw the official documentation https://aws.amazon.com/premiumsupport/knowledge-center/s3-instance-access-bucket/ which says to create role in both account and attach! I had another solution which is create an IAM user in account B and grant it only S3 bucket permissions and config the EC2 Instance in Account B with that user. So if i do that will it work? and can the EC2 instance still access the S3 from the its account?

CodePudding user response：

It appears that your situation is:

• Amazon EC2 instance in Account A
• Amazon S3 bucket in Account A (Bucket-A)
• Amazon S3 bucket in Account B (Bucket-B)
• You would like the EC2 instance to be able to access both buckets

You should do the following:

• Create an IAM Role (Role-A) for the Amazon EC2 instance with:
  • Permission to access Bucket-A, and
  • Permission to access Bucket-B
• Add a Bucket policy to Bucket-B that permits access to the bucket from Role-A (This will grant "cross-account access")

That's it! The instance will be able to access Bucket-A due to permissions in the IAM Role, and it will be able to access Bucket-B due to permissions in both the IAM Role and the Bucket Policy.