Since IAM is a global service, I am assuming the ARNs of users are also globally visible. By extension, I am also assuming that an IAM or bucket policy in one account can refer to a principal/user in another account. Is it possible, then, to write a policy that denies a user in the current account from copying/writing from an S3 bucket onto another bucket in some other account? i.e. prevent user U in account A from using "aws s3 copy" or such with a target of account B, even though an IAM policy in account B might grant user U such a permission?
Note that user U may either perform an "aws s3 sync" or may use "aws s3 copy" to a local folder; the local folder use case is not in scope for this question.
My understanding is that the regional APIs are only going to check the permissions within the account containing the service object being interacted with. So yeah, I guess you could write a policy denying your user the ability to interact with a bucket in a different AWS account, but those permissions will never be seen when the user makes API calls on that bucket.
Cross-Account Bucket Access is needed to accomplish what you’re inquiring about.
Thanks Steven. However, based on what I’ve (just) learnt in this course, it seems that if an IAM policy on a user denies writing to objects in other accounts, then whether or not the regional object (S3 target bucket for exfil in this case) has a related policy shouldn’t matter, isn’t it? Or am I understanding the global nature of IAM incorrectly, i.e. is IAM a global service but its policies only apply regionally?
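The identity-side explicit Deny the question asks about, as an added example that is not from any poster in this thread: an IAM policy attached to user U in account A that denies S3 writes whenever the target bucket belongs to another account, using the real global condition key `aws:ResourceAccount`, plus a small simplified model of IAM's decision logic (explicit Deny wins; a cross-account request needs an Allow from both the caller's identity policy and the bucket policy) to show that the Deny takes effect regardless of what account B's bucket policy grants. The account ids, bucket names and user name are placeholders, and the evaluator ignores Principal matching and most condition operators.

```python
import fnmatch

HOME_ACCOUNT = "111111111111"     # placeholder: account A, where user U lives
FOREIGN_ACCOUNT = "222222222222"  # placeholder: account B, the exfil target

# Identity-based policies attached to user U in account A (constructed example).
ALLOW_S3 = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
DENY_FOREIGN_S3_WRITES = {"Statement": [{
    "Sid": "DenyS3WritesOutsideHomeAccount", "Effect": "Deny",
    "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:CreateMultipartUpload"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:ResourceAccount": HOME_ACCOUNT}}}]}
# Bucket policy in account B granting user U cross-account access (constructed).
FOREIGN_BUCKET_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{HOME_ACCOUNT}:user/U"},
    "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::exfil-bucket/*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource, ctx):
    """True if the statement applies; Principal matching is assumed satisfied."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for op, kv in stmt.get("Condition", {}).items():  # only the operators used above
        for key, want in kv.items():
            if op == "StringEquals" and ctx.get(key) != want:
                return False
            if op == "StringNotEquals" and ctx.get(key) == want:
                return False
    return True

def evaluate(identity_policies, resource_policies, action, resource, ctx):
    """Simplified IAM decision: explicit Deny anywhere wins; a cross-account request
    also needs an Allow from BOTH the caller's identity policies and the bucket policy."""
    def decide(policies):
        effects = {s["Effect"] for p in policies for s in p["Statement"]
                   if _matches(s, action, resource, ctx)}
        return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else None
    ident, res = decide(identity_policies), decide(resource_policies)
    if "Deny" in (ident, res):
        return "Deny"
    if ctx["aws:PrincipalAccount"] != ctx["aws:ResourceAccount"]:
        return "Allow" if ident == res == "Allow" else "Deny"
    return "Allow" if "Allow" in (ident, res) else "Deny"
```

Because the Deny sits on the identity in account A, it is evaluated on every request U signs, so neither a generous bucket policy in B nor an `aws s3 sync` to a bucket there can bypass it; reads from B and writes inside A are unaffected.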