2 Answers
My understanding is that the regional APIs are only going to check the permissions within the account containing the service object being interacted with. So yeah, I guess you could write a policy denying your user the ability to interact with a bucket in a different AWS account, but those permissions will never be seen when the user makes API calls on that bucket.
Cross-Account Bucket Access is needed to accomplish what you’re inquiring about.
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html
Thanks Steven. However, based on what I’ve (just) learnt in this course, it seems that if an IAM policy on a user denies writing to objects in other accounts, then whether or not the regional object (the S3 target bucket for exfil in this case) has a related policy shouldn’t matter, should it? Or am I understanding the global nature of IAM incorrectly, i.e. is IAM a global service but its policies only apply regionally?
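As an added illustration (not taken from either post or from the linked walkthrough), the identity-based policy below uses the `s3:ResourceAccount` condition key that AWS provides for restricting S3 calls to buckets owned by a given account; the account ID `111122223333` is a placeholder for the caller's own account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3WritesToBucketsOutsideOwnAccount",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:CreateMultipartUpload",
        "s3:UploadPart",
        "s3:CompleteMultipartUpload",
        "s3:ReplicateObject"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:ResourceAccount": "111122223333"
        }
      }
    }
  ]
}
```

Attached to the user (or, with the same condition, applied as an SCP at the organization level), the explicit Deny takes effect regardless of what the destination bucket's own policy in the other account allows; a cross-account write that is not denied here still also needs the bucket owner's policy to grant it, as in the walkthrough linked above.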