grafclouds.com / documents / insights / training / devops-challenges / aws-cross-account-s3-kms

Cross-Account S3 Access Still Fails. Just Open It Up?

Advanced ~15 min read
AWSSecurity

Scenario

A partner company needs to read files from one of your S3 buckets from a role in their own AWS account. You did the obvious thing: added a bucket policy allowing their role. They confirmed their IAM permissions look right on their side. And yet every GetObject still comes back AccessDenied. The detail that matters: the bucket's objects are encrypted with a customer-managed KMS key in your account — and that key's policy hasn't been touched. After a few rounds of failed attempts, patience runs out and someone proposes the nuclear option.

The Quick Fix on the Table

Turn off Block Public Access, make the bucket world-readable, and open the KMS key policy to all principals. If nothing can be denied, nothing will be denied — the partner finally gets the data and the ticket closes.

Interview · Round 1

The quick fix is on the table and the room is waiting for your call. Would you sign off on it? Take a position and justify it — out loud or on paper — before revealing the analysis.