Since IAM is a global service, I am assuming the ARNs of users are also globally visible. By extension, I am also assuming that an IAM or bucket policy in one account can refer to a principal/user in another account. Is it possible, then, to write a policy that denies a user in the current account from copying/writing from an S3 bucket onto another bucket in some other account? i.e. prevent user U in account A from using "aws s3 copy" or such with a target of account B, even though an IAM policy in account B might grant user U such a permission?
Note that user U may either perform an "aws s3 sync" or may user "aws s3 copy" to a local folder; the local folder use case is not in scope for this question.
2 Answers
My understanding is that the regional APIs are only going to check the permissions within the account containing the service object being interacted with. So yeah, I guess you could write a policy denying your user the ability to interact with a bucket in a different AWS account, but those permissions will never be seen when the user makes API calls on that bucket.
Cross-Account Bucket Access is needed to accomplish what you’re inquiring about.
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html
Thanks Steven. However, based on what I’ve (just) learnt in this course, it seems that if an IAM policy on a user denies writing to objects in other accounts, then whether or not the regional object (S3 target bucket for exfil in this case) has a related policy shouldn’t matter, isn’t it? Or am I understanding the global nature of IAM incorrectly i.e. is IAM a global service but it’s policies only apply regionally?