Connect to your AWS account using IAM roles. This gives the appropriate level of access while keeping your AWS account secure.

To grant access to an S3 bucket

Copy details

Copy the Account ID into your text editor, then create an External ID and copy it as well. The External ID can be anything you want, but we recommend a name that includes “”.

Enter the S3 bucket name and, if needed, Prefix where your logs are stored.

Click View and copy role policy. You can review the role policy to confirm the permissions we need. Paste the policy in your text editor.

Keep this information available so you can paste it into AWS in step 2.

Create the role

Browse to the IAM roles and click Create role. You’re taken to the Create role wizard.

Create an IAM role for another AWS account

Click Another AWS account.

Paste the Account ID you copied from

Select Require external ID, and then paste the External ID you made in

Click Next: Permissions to continue.

Create the policy

In the Create role screen, click Create policy. The Create policy page loads in a new tab.

In the JSON tab, replace the default JSON with the policy you copied from

Click Review policy to continue.

Give the policy a Name and optional Description, and then click Create policy.

Remember the policy’s name—you’ll need this in the next step.

Close the tab to return to the Create role page.

Attach the policy to the role

Click (refresh), and then type your new policy’s name in the search box.

Find your policy in the filtered list and select its check box.

Click Next: Tags, and then click Next: Review to continue to the Review screen.

Finalize the role

Give the role a Name and optional Description, and then click Create role.

Copy the ARN to

In the IAM roles screen, type your new role’s name in the search box.

Find your role in the filtered list and click it to go to its summary page.

Copy the role ARN (top of the page). In, paste the ARN in the Role ARN field, and then click Save.

To give access to more S3 buckets with the same role and policy, you’ll need to use the same external ID. You can find your role’s external ID under the Trust relationships tab in the role summary page.