DynamoDB Cross Account Access
Use-Case: EC2 Instance in account A wants to access DynamoDB tables in Account B.
Pre-Requisites
- Account A instances to assume role for DynamoDB access in Account B
Steps
Account A (EC2 Instance): - Create a Role called CrossDDBAccess (or whatever you want to name it)
- IAM Console
- Click on Roles, Create New Role, Name Role
- Select Amazon EC2 Service Role
- Click Next without selecting Permission Policy - Create
Add Role Permission Policy
- Click on Role (takes you to Details page)
- Click on Permissions tab
- Click on Inline Policy
- Click "To create one, click here"
- Click "Select" next to Policy Generator
- Make sure it is set to "Allow"
- Select AWS Security Token Service from Service dropdown menu
- Select the Action "AssumeRole"
- Enter the ARN as * for now, we'll adjust this after the next steps
- Copy the full Role ARN as show on the Details page, you'll need this
Account B (DynamoDB): - Create a Role called CrossActDDBAccess (or again, whatever you want to name it)
- IAM Console
- Click on Roles - Create New Role - Name Role
- Select Role for Cross Account Access
- Select "Provide access between AWS accounts you own"
- Enter the Account B Account Number
- Click Next without selecting Permission Policy - Create
Add Role Permission Policy
- Click on Role (takes you to Details page)
- Click on Permissions tab
- Click on Managed Policies
- Click "Attach Policy"
- In the Search bar type DynamoDB
- Select the Policy named "AmazonDynamoDBReadOnlyAccess" from the options
- Click Attach
Copy the Role ARN from the Details Page (arn:aws:iam::ACCOUNTB:role/CrossActDDBAccess)
Go back to Account A and click on the Role you created, click on Edit Policy on the Inline Policy you created, and replace Resource "*" with the ARN from Account B.
Resources
- https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html#walkthru_cross-account-with-roles-1
- https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/authentication-and-access-control.html#access-control
- https://aws.amazon.com/blogs/security/delegating-api-access-to-aws-services-using-iam-roles/