Firehose Streaming data to Cross account S3 bucket – (Firehose+S3+IAM)

Scenario:

Create a Firehose delivery stream in Account A and configure it to write its data into an S3 bucket owned by Account B.
Account-A – 1111111111
  • Firehose Name - cross-s3-firehose
  • IAM role - firehoseIAMrole
  • IAM Policy - firehose-s3-policy
Account-B – 222222222
  • S3 Bucket Name - crosbucket0001

Step 1: Create an IAM Policy for Firehose in Account-A (1111111111)

Create a new custom policy “firehose-s3-policy” with the following document. It grants the role the object-level and bucket-level S3 actions Firehose needs, and names both the bucket ARN and the bucket/* ARN because s3:ListBucket and s3:GetBucketLocation apply to the bucket itself:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::crosbucket0001/*",
        "arn:aws:s3:::crosbucket0001"
      ]
    }
  ]
}
Step 2: Create an IAM Role in Account-A (1111111111) and attach the newly created policy
1. AWS Console --> IAM --> Create Role "firehoseIAMrole" --> Select "Role Type" as "Role for Cross-Account Access" --> Provide access between AWS accounts you own --> Enter Account-B's account ID "222222222"
2. Attach the newly created IAM policy "firehose-s3-policy" to this role.
AWS Console --> IAM --> Select the IAM role "firehoseIAMrole" --> Permissions --> Attach Policy --> Select "firehose-s3-policy" and attach.
3. Update the "Trust Relationship" of the IAM role so that the Firehose service, rather than Account B, is the principal allowed to assume it.
AWS Console --> IAM --> Select the IAM role "firehoseIAMrole" --> Trust Relationships --> Edit Trust Relationship and replace the document with the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "firehose.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Step 3: Create the S3 bucket in Account-B (222222222)

Using the CLI:

$ aws s3api create-bucket --bucket crosbucket0001 --region us-east-1

or in the AWS console as below:

Login to AWS Console --> Services --> S3 --> Create Bucket --> Provide Bucket Name and Region

Step 4: Add a Bucket Policy and permissions for the newly created S3 bucket in Account-B

1. Login to AWS Console --> Services --> S3 --> Select your bucket "crosbucket0001" --> Properties --> Permissions --> Add More permissions, choose Grantee "Any Authenticated AWS User" and select all actions.
2. Login to AWS Console --> Services --> S3 --> Select your bucket "crosbucket0001" --> Properties --> click "Edit Bucket Policy" and add the following, which allows the Account-A role to act on objects in the bucket:
{
  "Version": "2012-10-17",
  "Id": "Policy1477124394246",
  "Statement": [
    {
      "Sid": "Stmt1477124352226",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1111111111:role/firehoseIAMrole"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::crosbucket0001/*"
    }
  ]
}
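Cross-account delivery only works when the role's policy in Account A, the role's trust relationship, and the bucket policy in Account B all agree, and two of the settings above are broader than Firehose needs: the bucket policy grants "s3:*", and the ACL grant to "Any Authenticated AWS User" applies to every AWS account, not just Account B. The script below is an added example, not code from the original post. It loads the three policy documents exactly as written in Steps 1, 2 and 4 (embedded inline), a constructed bucket ACL in the shape `aws s3api get-bucket-acl` returns after Step 4.1 (the canonical owner ID is a placeholder), and reports the findings a reviewer would raise; it then shows a tightened bucket policy that passes the same checks. The account IDs, role name and bucket name are the placeholders from the post.

```python
"""Offline consistency check for the cross-account Firehose -> S3 setup.

Added example, not the original post's code. Loads the post's three policy
documents (constructed inline) plus a constructed bucket ACL and reports
findings; check_setup() returns [] when the documents agree and are scoped.
"""
import json

ACCOUNT_A = "1111111111"          # placeholder account id from the post
ROLE_NAME = "firehoseIAMrole"
BUCKET = "crosbucket0001"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/{ROLE_NAME}"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
# Predefined S3 group meaning "any AWS account", the grantee chosen in Step 4.1.
AUTH_USERS_GROUP = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Actions Firehose needs, split by the resource type they apply to.
OBJECT_ACTIONS = {"s3:AbortMultipartUpload", "s3:GetObject", "s3:PutObject"}
BUCKET_ACTIONS = {"s3:GetBucketLocation", "s3:ListBucket",
                  "s3:ListBucketMultipartUploads"}

# Step 1: permission policy attached to the role in Account A.
PERMISSION_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "", "Effect": "Allow",
 "Action": ["s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:GetObject",
            "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:PutObject"],
 "Resource": ["arn:aws:s3:::crosbucket0001/*", "arn:aws:s3:::crosbucket0001"]}]}
""")
# Step 2: trust relationship of the role.
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "", "Effect": "Allow",
 "Principal": {"Service": "firehose.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
""")
# Step 4.2: bucket policy in Account B, as written in the post.
BUCKET_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "Stmt1477124352226", "Effect": "Allow",
 "Principal": {"AWS": "arn:aws:iam::1111111111:role/firehoseIAMrole"},
 "Action": "s3:*", "Resource": "arn:aws:s3:::crosbucket0001/*"}]}
""")
# Step 4.1: constructed ACL grants after giving "Any Authenticated AWS User" all actions.
BUCKET_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTH_USERS_GROUP}, "Permission": "FULL_CONTROL"},
]


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]


def _principals(statement, key):
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get(key, []))


def check_setup(permission_policy, trust_policy, bucket_policy, acl_grants):
    """Return a list of findings; an empty list means the documents agree."""
    findings = []

    # The role must be assumable by the Firehose service principal.
    trusted = {p for s in _allow_statements(trust_policy) for p in _principals(s, "Service")}
    if "firehose.amazonaws.com" not in trusted:
        findings.append("trust policy does not let firehose.amazonaws.com assume the role")

    # Account A identity policy: every needed action and both resource forms.
    a_actions, a_resources = set(), set()
    for s in _allow_statements(permission_policy):
        a_actions.update(_as_list(s["Action"]))
        a_resources.update(_as_list(s["Resource"]))
    if "s3:*" not in a_actions and not (OBJECT_ACTIONS | BUCKET_ACTIONS) <= a_actions:
        findings.append("role policy is missing actions Firehose needs")
    if {BUCKET_ARN, BUCKET_ARN + "/*"} - a_resources:
        findings.append("role policy must name both the bucket ARN and the bucket/* ARN")

    # Account B bucket policy: only the delivery role, no s3:*, bucket-level ARN present.
    b_resources = set()
    for s in _allow_statements(bucket_policy):
        for p in _principals(s, "AWS"):
            if p != ROLE_ARN:
                findings.append(f"bucket policy grants an unexpected principal: {p}")
        if "s3:*" in _as_list(s["Action"]):
            findings.append("bucket policy grants s3:* to the role; restrict it to the delivery actions")
        b_resources.update(_as_list(s["Resource"]))
    if BUCKET_ARN not in b_resources:
        findings.append("bucket policy has no bucket-level resource, so ListBucket and "
                        "GetBucketLocation are not granted by the policy itself")

    # Bucket ACL: the AuthenticatedUsers group is every AWS account, not only Account B.
    for grant in acl_grants:
        if grant["Grantee"].get("URI") == AUTH_USERS_GROUP:
            findings.append(f"bucket ACL grants {grant['Permission']} to all authenticated AWS users")
    return findings


def hardened_bucket_policy():
    """Tightened Account B bucket policy: same principal, delivery actions only,
    with object-level and bucket-level statements split by resource."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "FirehoseObjectAccess", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": sorted(OBJECT_ACTIONS), "Resource": BUCKET_ARN + "/*"},
        {"Sid": "FirehoseBucketAccess", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": sorted(BUCKET_ACTIONS), "Resource": BUCKET_ARN}]}


if __name__ == "__main__":
    print("As posted:")
    for f in check_setup(PERMISSION_POLICY, TRUST_POLICY, BUCKET_POLICY, BUCKET_ACL_GRANTS):
        print("  -", f)
    owner_only_acl = BUCKET_ACL_GRANTS[:1]   # ACL with the Step 4.1 grant removed
    print("Hardened:", check_setup(PERMISSION_POLICY, TRUST_POLICY,
                                    hardened_bucket_policy(), owner_only_acl))
```

Run against the post's documents it reports three findings (the "s3:*" grant, the missing bucket-level resource, and the AuthenticatedUsers ACL grant); with the hardened bucket policy and the ACL reduced to the bucket owner it reports none. Because the hardened policy names the bucket ARN for the bucket-level actions, the ACL grant from Step 4.1 is no longer doing any work and can be dropped. To check a live bucket, replace the inline documents with the output of `aws iam get-role-policy`, `aws iam get-role`, `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl`.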

Ref:

How to create an “AWS Kinesis Firehose delivery stream to S3 bucket (stream TCPdump logs from EC2)”

http://www.mylinuxguru.com/?p=637
