I have one AWS S# and Redshift question:

A company uses two AWS accounts for accessing various AWS services. The analytics team has just configured an Amazon S3 bucket in AWS account A for writing data from the Amazon Redshift cluster provisioned in AWS account B. The team has noticed that the files created in the S3 bucket using UNLOAD command from the Redshift cluster are not accessible to the bucket owner user of the AWS account A that created the S3 bucket.

What could be the reason for this denial of permission for resources belonging to the same AWS account?

I tried to reproduce the scenario for the question, but I can't.

I don't get the S3 Object Ownership and Bucket Ownership.

CodePudding user response：

You are not the only person confused by Amazon S3 object ownership. When writing files from one AWS Account to a bucket owned by a different AWS Account, is possible for the 'ownership' of objects to remain with the 'sending' account. This causes all types of problems.

Fortunately, AWS has introduced a new feature into S3 called Edit Object Ownership that overrides all these issues:

By setting "ACLs disabled" for an S3 Bucket, objects will always be owned by the AWS Account that owns the bucket.

So, you should configure this option for the S3 bucket in your AWS account B and it should all work nicely.

CodePudding user response：

The problem is that the bucket owner in account A does not have access to files that were uploaded by the account B, usually that is solved by specifying acl parameter when uploading files --acl bucket-owner-full-control. Since the upload is done via Redshift you need to tell Redshift to assume a role in the account A for UNLOAD command so files don't change the ownership and continue to belong to account A. Check the following page for more examples on configuring cross account LOAD/UNLOAD https://aws.amazon.com/premiumsupport/knowledge-center/redshift-s3-cross-account/