Would it make sense to provide cross-account access to the S3 bucket using a bucket policy instead of providing a role that the external account has to assume? This is how the KMS key is shared, i.e. via a resource policy.
Your call. Either will work. The bucket policy is arguably easier on the users from the other account as they don’t need to adopt a role, but they will still need to be able to authenticate to the S3 service in the bucket’s home AWS account.
I agree with Steven that bucket policies are easier to use. AWS mentions this on a dedicated IAM documentation page.
@Mattias: I can imagine one situation in which you might not want to add statements into bucket policies. It would be in the case that your bucket policy reaches the 20 KB limit and you want to add additional principals for cross-account access. You could then "complement" your resource-based policy using an IAM role with IAM policies. I understand that this scenario is highly theoretical though. Actually, AWS always depicts the other direction, where IAM policies reach size limits (because they are smaller) and users should switch to bucket policies.
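The cross-account bucket policy discussed in the replies above, together with the 20 KB size check from the last comment, as an added example that is not part of the thread or from any of its participants. The account IDs and bucket name are constructed placeholders; the policy grants the external account's root principal read-only access, which delegates the fine-grained decision to that account's own IAM policies (its users still have to be allowed `s3:GetObject`/`s3:ListBucket` on their side, as Steven notes). The size helper measures the JSON document as serialized here, which is a conservative approximation of what S3 accepts.

```python
import json
import re

# Constructed placeholder values; replace with real account IDs and bucket name.
BUCKET_ACCOUNT = "111111111111"    # account that owns the bucket
EXTERNAL_ACCOUNT = "222222222222"  # account that is granted cross-account access
BUCKET_NAME = "example-shared-bucket"

# Documented S3 bucket policy size limit (the 20 KB mentioned in the thread).
BUCKET_POLICY_MAX_BYTES = 20 * 1024

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def validate_account_id(account_id):
    """Refuse anything that is not a 12-digit AWS account ID.

    In particular this rejects "*", which would turn the statement into a
    public grant instead of a cross-account one."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a valid AWS account ID: {account_id!r}")
    return account_id


def make_cross_account_statement(account_id, bucket, sid):
    """Read-only grant for every IAM principal in another account.

    Listing the bucket needs the bucket ARN, reading objects needs the object
    ARN; both are listed so one statement covers the two actions."""
    validate_account_id(account_id)
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            f"arn:aws:s3:::{bucket}",
            f"arn:aws:s3:::{bucket}/*",
        ],
    }


def build_bucket_policy(bucket, external_accounts):
    """One statement per external account, as the bucket owner would attach."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            make_cross_account_statement(acct, bucket, f"CrossAccountRead{i}")
            for i, acct in enumerate(external_accounts)
        ],
    }


def policy_size_bytes(policy):
    # Size of the compact JSON document that would be submitted to S3.
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))


def fits_bucket_policy_limit(policy):
    """True while the policy still fits the 20 KB bucket policy limit."""
    return policy_size_bytes(policy) <= BUCKET_POLICY_MAX_BYTES


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET_NAME, [EXTERNAL_ACCOUNT])
    print(json.dumps(policy, indent=2))
    print("size:", policy_size_bytes(policy), "bytes; fits:",
          fits_bucket_policy_limit(policy))
```

Run it to print the policy you would attach with `aws s3api put-bucket-policy`; pass a longer list of accounts to `build_bucket_policy` to see at which point the 20 KB limit is hit and the "complement with an IAM role" fallback from the last comment would become necessary.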